From 8a3cbf0cd9285d916e286af945dfa12c54b63339 Mon Sep 17 00:00:00 2001
From: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
Date: Mon, 22 Jun 2020 13:40:21 -0700
Subject: [PATCH] Backport 1.4.3: Update GCP secrets plugin (#9277)
---
 go.mod | 2 +-
 go.sum | 4 ++--
 .../plugin/path_role_set.go | 3 +++
 .../helper/awsutil/generate_credentials.go | 21 ++++++++++++++++++-
 vendor/modules.txt | 2 +-
 5 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/go.mod b/go.mod
index c33766ac6ee8..d93d030ad9ca 100644
--- a/go.mod
+++ b/go.mod
@@ -84,7 +84,7 @@ require (
 github.com/hashicorp/vault-plugin-secrets-ad v0.6.6-0.20200520202259-fc6b89630f9f
 github.com/hashicorp/vault-plugin-secrets-alicloud v0.5.5
 github.com/hashicorp/vault-plugin-secrets-azure v0.5.6
- github.com/hashicorp/vault-plugin-secrets-gcp v0.6.2-0.20200507171538-2548e2b5058d
+ github.com/hashicorp/vault-plugin-secrets-gcp v0.6.2-0.20200617162044-4a67a90aaca5
 github.com/hashicorp/vault-plugin-secrets-gcpkms v0.5.5
 github.com/hashicorp/vault-plugin-secrets-kv v0.5.5
 github.com/hashicorp/vault-plugin-secrets-mongodbatlas v0.1.2
diff --git a/go.sum b/go.sum
index b7c59a06f347..40b5402c1912 100644
--- a/go.sum
+++ b/go.sum
@@ -420,8 +420,8 @@ github.com/hashicorp/vault-plugin-secrets-alicloud v0.5.5 h1:BOOtSls+BQ1EtPmpE9L
 github.com/hashicorp/vault-plugin-secrets-alicloud v0.5.5/go.mod h1:gAoReoUpBHaBwkxQqTK7FY8nQC0MuaZHLiW5WOSny5g=
 github.com/hashicorp/vault-plugin-secrets-azure v0.5.6 h1:4PgQ5rCT29wW5PMyebEhPkEYuR5s+SnInuZz3x2cP50=
 github.com/hashicorp/vault-plugin-secrets-azure v0.5.6/go.mod h1:Q0cIL4kZWnMmQWkBfWtyOd7+JXTEpAyU4L932PMHq3E=
-github.com/hashicorp/vault-plugin-secrets-gcp v0.6.2-0.20200507171538-2548e2b5058d h1:gW4j9YChsCbGp8Uky+XDCam/+CBtFwV8SnPuQR5tPVE=
-github.com/hashicorp/vault-plugin-secrets-gcp v0.6.2-0.20200507171538-2548e2b5058d/go.mod h1:jVTE1fuhRcBOb/gnCT9W++AnlwiyQEX4S8iVCKhKQsE=
+github.com/hashicorp/vault-plugin-secrets-gcp v0.6.2-0.20200617162044-4a67a90aaca5 h1:X8jtQvuyLh6ZIFUQmG7Ky2QVQZCulz2BB/vroM6xTVc=
+github.com/hashicorp/vault-plugin-secrets-gcp v0.6.2-0.20200617162044-4a67a90aaca5/go.mod h1:jVTE1fuhRcBOb/gnCT9W++AnlwiyQEX4S8iVCKhKQsE=
 github.com/hashicorp/vault-plugin-secrets-gcpkms v0.5.5 h1:NigzA2v+h+cjBPl41pRirRwWELF+RPJGch/ys0Sijrc=
 github.com/hashicorp/vault-plugin-secrets-gcpkms v0.5.5/go.mod h1:b6RwFD1bny1zbfqhD35iGJdQYHRtJLx3HfBD109GO38=
 github.com/hashicorp/vault-plugin-secrets-kv v0.5.5 h1:yLtfsAiJOkpRkk+OxQmFluQJ35OUw420Y+CwfGMWuSc=
diff --git a/vendor/github.com/hashicorp/vault-plugin-secrets-gcp/plugin/path_role_set.go b/vendor/github.com/hashicorp/vault-plugin-secrets-gcp/plugin/path_role_set.go
index f32ed7d7895c..32b62b670617 100644
--- a/vendor/github.com/hashicorp/vault-plugin-secrets-gcp/plugin/path_role_set.go
+++ b/vendor/github.com/hashicorp/vault-plugin-secrets-gcp/plugin/path_role_set.go
@@ -362,6 +362,9 @@ func (b *backend) pathRoleSetCreateUpdate(ctx context.Context, req *logical.Requ
 // If no new bindings or new bindings are exactly same as old bindings,
 // just update the role set without rotating service account.
 if !newBindings || rs.bindingHash() == getStringHash(bRaw.(string)) {
+ if rs.TokenGen != nil {
+ rs.TokenGen.Scopes = scopes
+ }
 // Just save role with updated metadata:
 if err := rs.save(ctx, req.Storage); err != nil {
 return logical.ErrorResponse(err.Error()), nil
diff --git a/vendor/github.com/hashicorp/vault/sdk/helper/awsutil/generate_credentials.go b/vendor/github.com/hashicorp/vault/sdk/helper/awsutil/generate_credentials.go
index 83c134a56e2a..b4bdcc6a9f62 100644
--- a/vendor/github.com/hashicorp/vault/sdk/helper/awsutil/generate_credentials.go
+++ b/vendor/github.com/hashicorp/vault/sdk/helper/awsutil/generate_credentials.go
@@ -3,10 +3,15 @@ package awsutil
 import (
 "fmt"
 "net/http"
+ "os"
 
 "github.com/aws/aws-sdk-go/aws"
 "github.com/aws/aws-sdk-go/aws/credentials"
+ "github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 "github.com/aws/aws-sdk-go/aws/defaults"
+ "github.com/aws/aws-sdk-go/aws/session"
+ "github.com/aws/aws-sdk-go/service/sts"
+ "github.com/pkg/errors"
 )
 
 type CredentialsConfig struct {
@@ -54,6 +59,20 @@ func (c *CredentialsConfig) GenerateCredentialChain() (*credentials.Credentials,
 "static AWS client credentials haven't been properly configured (the access key or secret key were provided but not both)")
 }
 
+ roleARN := os.Getenv("AWS_ROLE_ARN")
+ tokenPath := os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE")
+ sessionName := os.Getenv("AWS_ROLE_SESSION_NAME")
+ if roleARN != "" && tokenPath != "" && sessionName != "" {
+ // this session is only created to create the WebIdentityRoleProvider, as the env variables are already there
+ // this automatically assumes the role, but the provider needs to be added to the chain
+ sess, err := session.NewSession()
+ if err != nil {
+ return nil, errors.Wrap(err, "error creating a new session to create a WebIdentityRoleProvider")
+ }
+ //Add the web identity role credential provider
+ providers = append(providers, stscreds.NewWebIdentityRoleProvider(sts.New(sess), roleARN, sessionName, tokenPath))
+ }
+
 // Add the environment credential provider
 providers = append(providers, &credentials.EnvProvider{})
 
@@ -77,7 +96,7 @@ func (c *CredentialsConfig) GenerateCredentialChain() (*credentials.Credentials,
 // Create the credentials required to access the API.
 creds := credentials.NewChainCredentials(providers)
 if creds == nil {
- return nil, fmt.Errorf("could not compile valid credential providers from static config, environment, shared, or instance metadata")
+ return nil, fmt.Errorf("could not compile valid credential providers from static config, environment, shared, web identity or instance metadata")
 }
 
 return creds, nil
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 04fe651c75f9..ed5102652660 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -416,7 +416,7 @@ github.com/hashicorp/vault-plugin-secrets-alicloud
 github.com/hashicorp/vault-plugin-secrets-alicloud/clients
 # github.com/hashicorp/vault-plugin-secrets-azure v0.5.6
 github.com/hashicorp/vault-plugin-secrets-azure
-# github.com/hashicorp/vault-plugin-secrets-gcp v0.6.2-0.20200507171538-2548e2b5058d
+# github.com/hashicorp/vault-plugin-secrets-gcp v0.6.2-0.20200617162044-4a67a90aaca5
 github.com/hashicorp/vault-plugin-secrets-gcp/plugin
 github.com/hashicorp/vault-plugin-secrets-gcp/plugin/iamutil
 github.com/hashicorp/vault-plugin-secrets-gcp/plugin/util