From 4e0747286e6b9a2e2243de0f0d4a280a48e7ae40 Mon Sep 17 00:00:00 2001 From: Chris Coulter Date: Sat, 19 Aug 2023 13:37:09 +1000 Subject: [PATCH 1/2] Add canonicalArn as a entity alias name --- builtin/credential/aws/path_config_identity.go | 15 ++++++++------- builtin/credential/aws/path_login.go | 2 ++ 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/builtin/credential/aws/path_config_identity.go b/builtin/credential/aws/path_config_identity.go index 0c6f8c3398ec..eb3ef6e5339e 100644 --- a/builtin/credential/aws/path_config_identity.go +++ b/builtin/credential/aws/path_config_identity.go @@ -66,7 +66,7 @@ func (b *backend) pathConfigIdentity() *framework.Path { "iam_alias": { Type: framework.TypeString, Default: identityAliasIAMUniqueID, - Description: fmt.Sprintf("Configure how the AWS auth method generates entity aliases when using IAM auth. Valid values are %q, %q, and %q. Defaults to %q.", identityAliasRoleID, identityAliasIAMUniqueID, identityAliasIAMFullArn, identityAliasRoleID), + Description: fmt.Sprintf("Configure how the AWS auth method generates entity aliases when using IAM auth. Valid values are %q, %q, %q and %q. Defaults to %q.", identityAliasRoleID, identityAliasIAMUniqueID, identityAliasIAMFullArn, identityAliasIAMCanonicalArn, identityAliasRoleID), }, iamAuthMetadataFields.FieldName: authmetadata.FieldSchema(iamAuthMetadataFields), "ec2_alias": { 
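Review bot: The rewritten Description still ends with "Defaults to %q" filled from identityAliasRoleID while the field two lines above declares `Default: identityAliasIAMUniqueID`, and the docs in this series also state the default is `role_id`, so the schema and its own help text disagree. The framework Default may be dead here — the update handler in the next hunk reads the field through `data.GetOk`, which presumably ignores schema defaults — but a reader of the API help cannot tell which one wins. Either align the two (`Default: identityAliasRoleID,`) after confirming the effective default in the config-read path, or drop the `Default:` line and leave the description as the single statement. The enclosing pathConfigIdentity function starts and ends outside this hunk.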
@@ -150,7 +150,7 @@ func pathConfigIdentityUpdate(ctx context.Context, req *logical.Request, data *f iamAliasRaw, ok := data.GetOk("iam_alias") if ok { iamAlias := iamAliasRaw.(string) - allowedIAMAliasValues := []string{identityAliasRoleID, identityAliasIAMUniqueID, identityAliasIAMFullArn} + allowedIAMAliasValues := []string{identityAliasRoleID, identityAliasIAMUniqueID, identityAliasIAMFullArn, identityAliasIAMCanonicalArn} if !strutil.StrListContains(allowedIAMAliasValues, iamAlias) { return logical.ErrorResponse(fmt.Sprintf("iam_alias of %q not in set of allowed values: %v", iamAlias, allowedIAMAliasValues)), nil } @@ -194,11 +194,12 @@ type identityConfig struct { } const ( - identityAliasIAMUniqueID = "unique_id" - identityAliasIAMFullArn = "full_arn" - identityAliasEC2InstanceID = "instance_id" - identityAliasEC2ImageID = "image_id" - identityAliasRoleID = "role_id" + identityAliasIAMUniqueID = "unique_id" + identityAliasIAMFullArn = "full_arn" + identityAliasIAMCanonicalArn = "canonical_arn" + identityAliasEC2InstanceID = "instance_id" + identityAliasEC2ImageID = "image_id" + identityAliasRoleID = "role_id" ) const pathConfigIdentityHelpSyn = ` diff --git a/builtin/credential/aws/path_login.go b/builtin/credential/aws/path_login.go index c4330ad6afda..a7c1905ba4cc 100644 --- a/builtin/credential/aws/path_login.go +++ b/builtin/credential/aws/path_login.go @@ -1396,6 +1396,8 @@ func (b *backend) pathLoginUpdateIam(ctx context.Context, req *logical.Request, identityAlias = callerUniqueId case identityAliasIAMFullArn: identityAlias = callerID.Arn + case identityAliasIAMCanonicalArn: + identityAlias = entity.canonicalArn() } // If we're just looking up for MFA, return the Alias info From d81f6bf05096aac5e61cfbf81e1e8344c519d523 Mon Sep 17 00:00:00 2001 
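Review bot: The allowed-value slice built inline in pathConfigIdentityUpdate has to be kept in step by hand with the `%q` list in the `iam_alias` field description, and this commit had to edit both places to add one value. Hoisting it to a package-level `var allowedIAMAliasValues = []string{identityAliasRoleID, identityAliasIAMUniqueID, identityAliasIAMFullArn, identityAliasIAMCanonicalArn}` and using it for both the description and this check would make the next addition a one-line change and keep the error message and the help text from drifting. pathConfigIdentityUpdate continues outside the hunk.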
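Review bot: The new `canonical_arn` case keys the Vault entity alias on a name AWS can reuse: a role deleted and recreated under the same name yields the same canonical ARN and therefore inherits the old entity's policies, and if `entity.canonicalArn()` (defined outside this hunk) omits the IAM path the way the series' documented form `arn:aws:iam::<account>:role/<name>` suggests, two roles that share a name under different paths would also collapse onto one entity. That is the intended trade-off versus `unique_id`, but nothing at the call site says so, so a comment would help: `// canonical_arn deliberately maps every session of a role (and any recreated role of the same name) onto one alias; prefer unique_id where that is not acceptable.` pathLoginUpdateIam starts and ends outside the hunk, so I cannot confirm where `entity` is populated — presumably from parsing callerID.Arn earlier, with the nil/error case handled there.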
From: Chris Coulter Date: Fri, 26 Apr 2024 14:42:11 +1000 Subject: [PATCH 2/2] Add Canonical Arn to iam_alias documentation --- website/content/api-docs/auth/aws.mdx | 11 +++--- website/content/docs/concepts/identity.mdx | 2 +- website/content/partials/authn-names.mdx | 42 +++++++++++----------- 3 files changed, 28 insertions(+), 27 deletions(-) diff --git a/website/content/api-docs/auth/aws.mdx b/website/content/api-docs/auth/aws.mdx index 2a490c150845..b4bb11fa2cb8 100644 --- a/website/content/api-docs/auth/aws.mdx +++ b/website/content/api-docs/auth/aws.mdx 
@@ -203,16 +203,17 @@ This configures the way that Vault interacts with the ### Parameters - `iam_alias` `(string: "role_id")` - How to generate the identity alias when - using the `iam` auth method. Valid choices are `role_id`, `unique_id`, and - `full_arn` When `role_id` is selected, the randomly generated ID of the Vault role + using the `iam` auth method. Valid choices are `role_id`, `unique_id`, `canonical_arn` and + `full_arn`. When `role_id` is selected, the randomly generated ID of the Vault role is used. When `unique_id` is selected, the [IAM Unique ID](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers#identifiers-unique-ids) of the IAM principal (either the user or role) is used as the identity alias - name. When `full_arn` is selected, the ARN returned by the - `sts:GetCallerIdentity` call is used as the alias name. This is either + name. When `canonical_arn` is selected, the role ARN returned by the `sts:GetCallerIdentity`call + will be used. This will be `arn:aws:iam:::role/`. When `full_arn` is selected, + the ARN returned by the `sts:GetCallerIdentity` call is used as the alias name. This is either `arn:aws:iam:::user/` or `arn:aws:sts:::assumed-role//`. - **Note**: if you select `full_arn` and then delete and recreate the IAM role, + **Note**: if you select `canonical_arn` or `full_arn` and then delete and recreate the IAM role, Vault won't be aware and any identity aliases set up for the role name will still be valid. diff --git a/website/content/docs/concepts/identity.mdx b/website/content/docs/concepts/identity.mdx index 8ecb9c015a82..20d7e2eb97cf 100644 --- a/website/content/docs/concepts/identity.mdx +++ b/website/content/docs/concepts/identity.mdx 
@@ -105,7 +105,7 @@ a particular auth mount point. | ------------------- | --------------------------------------------------------------------------------------------------- | | AliCloud | Principal ID | | AppRole | Role ID | -| AWS IAM | Configurable via `iam_alias` to one of: Role ID (default), IAM unique ID, Full ARN | +| AWS IAM | Configurable via `iam_alias` to one of: Role ID (default), IAM unique ID, Canonical ARN, Full ARN | | AWS EC2 | Configurable via `ec2_alias` to one of: Role ID (default), EC2 instance ID, AMI ID | | Azure | Subject (from JWT claim) | | Cloud Foundry | App ID | diff --git a/website/content/partials/authn-names.mdx b/website/content/partials/authn-names.mdx index 60b951f6aad0..6aea78acb4ed 100644 --- a/website/content/partials/authn-names.mdx +++ b/website/content/partials/authn-names.mdx 
@@ -1,24 +1,24 @@ In addition to custom authentication methods configured with secure plugins, Vault supports many standardized authentication methods by default. -| AuthN method | Unique ID | Configured with | -|-------------------------------------------------------------------------|-----------------------------------------------------|---------------------| -| [AliCloud](/vault/docs/auth/alicloud) | Principal ID | Not configurable | -| [AppRole](/vault/api-docs/auth/approle#create-update-approle) | Role ID | Not configurable | -| [AWS IAM](/vault/docs/auth/aws#iam-auth-method) | Vault Role ID (default), IAM unique ID, Full ARN | `iam_alias` | -| [AWS EC2](/vault/docs/auth/aws#ec2-auth-method) | Vault Role ID (default), EC2 instance ID, AMI ID | `ec2_alias` | -| [Azure](/vault/api-docs/auth/azure#create-role) | Subject (from JWT claim) | Not configurable | -| [Cloud Foundry](/vault/docs/auth/cf) | App ID | Not configurable | -| [GitHub](/vault/docs/auth/github) | User login name associated with token | Not configurable | -| [Google Cloud](/vault/api-docs/auth/gcp#create-role) | Vault Role ID (default), Service account unique ID | `iam_alias` | -| [JWT/OIDC](/vault/api-docs/auth/jwt#create-role) | The presented claims (no default value) | `user_claim` | -| [Kerberos](/vault/docs/auth/kerberos) | Username | Not configurable | -| [Kubernetes](/vault/api-docs/auth/kubernetes#create-role) | Service account UID (default), Service account Name | `alias_name_source` | -| [LDAP](/vault/docs/auth/ldap) | Username | Not configurable | -| [OCI](/vault/api-docs/auth/oci#create-role) | Rolename | Not configurable | -| [Okta](/vault/api-docs/auth/okta#register-user) | Username | Not configurable | -| [RADIUS](/vault/docs/auth/radius) | Username | Not configurable | -| [SAML](/vault/docs/auth/saml) | Assertion Subject | Not configurable | -| [TLS Certificate](/vault/api-docs/auth/cert#create-ca-certificate-role) | Subject CommonName | Not configurable | -| 
[Token](/vault/docs/auth/token) | `entity_alias` | Not configurable | -| [Username/Password](/vault/api-docs/auth/userpass#create-update-user) | Username | Not configurable | +| AuthN method | Unique ID | Configured with | +|-------------------------------------------------------------------------|---------------------------------------------------------------------|---------------------| +| [AliCloud](/vault/docs/auth/alicloud) | Principal ID | Not configurable | +| [AppRole](/vault/api-docs/auth/approle#create-update-approle) | Role ID | Not configurable | +| [AWS IAM](/vault/docs/auth/aws#iam-auth-method) | Vault Role ID (default), IAM unique ID, Canonical ARN, Full ARN | `iam_alias` | +| [AWS EC2](/vault/docs/auth/aws#ec2-auth-method) | Vault Role ID (default), EC2 instance ID, AMI ID | `ec2_alias` | +| [Azure](/vault/api-docs/auth/azure#create-role) | Subject (from JWT claim) | Not configurable | +| [Cloud Foundry](/vault/docs/auth/cf) | App ID | Not configurable | +| [GitHub](/vault/docs/auth/github) | User login name associated with token | Not configurable | +| [Google Cloud](/vault/api-docs/auth/gcp#create-role) | Vault Role ID (default), Service account unique ID | `iam_alias` | +| [JWT/OIDC](/vault/api-docs/auth/jwt#create-role) | The presented claims (no default value) | `user_claim` | +| [Kerberos](/vault/docs/auth/kerberos) | Username | Not configurable | +| [Kubernetes](/vault/api-docs/auth/kubernetes#create-role) | Service account UID (default), Service account Name | `alias_name_source` | +| [LDAP](/vault/docs/auth/ldap) | Username | Not configurable | +| [OCI](/vault/api-docs/auth/oci#create-role) | Rolename | Not configurable | +| [Okta](/vault/api-docs/auth/okta#register-user) | Username | Not configurable | +| [RADIUS](/vault/docs/auth/radius) | Username | Not configurable | +| [SAML](/vault/docs/auth/saml) | Assertion Subject | Not configurable | +| [TLS Certificate](/vault/api-docs/auth/cert#create-ca-certificate-role) | Subject CommonName | 
Not configurable | +| [Token](/vault/docs/auth/token) | `entity_alias` | Not configurable | +| [Username/Password](/vault/api-docs/auth/userpass#create-update-user) | Username | Not configurable |