Don't read AWS env vars

Let AWS SDK env cred chain provider do it for us Fixes #5965
hashicorp · Jan 4, 2019 · 974ab0f · 974ab0f
1 parent 2dcd0ae
commit 974ab0f
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 20 deletions.
diff --git a/physical/dynamodb/dynamodb.go b/physical/dynamodb/dynamodb.go
@@ -15,15 +15,15 @@ import (
 
 	log "github.com/hashicorp/go-hclog"
 
-	"github.com/armon/go-metrics"
+	metrics "github.com/armon/go-metrics"
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/dynamodb"
 	"github.com/aws/aws-sdk-go/service/dynamodb/dynamodbattribute"
 	"github.com/hashicorp/errwrap"
 	cleanhttp "github.com/hashicorp/go-cleanhttp"
-	"github.com/hashicorp/go-uuid"
+	uuid "github.com/hashicorp/go-uuid"
 	"github.com/hashicorp/vault/helper/awsutil"
 	"github.com/hashicorp/vault/helper/consts"
 	"github.com/hashicorp/vault/physical"
@@ -155,16 +155,14 @@ func NewDynamoDBBackend(conf map[string]string, logger log.Logger) (physical.Bac
 		writeCapacity = DefaultDynamoDBWriteCapacity
 	}
 
-	accessKey := os.Getenv("AWS_ACCESS_KEY_ID")
-	if accessKey == "" {
+	var accessKey, secretKey, sessionToken string
+	if os.Getenv("AWS_ACCESS_KEY_ID") == "" {
 		accessKey = conf["access_key"]
 	}
-	secretKey := os.Getenv("AWS_SECRET_ACCESS_KEY")
-	if secretKey == "" {
+	if os.Getenv("AWS_SECRET_ACCESS_KEY") == "" {
 		secretKey = conf["secret_key"]
 	}
-	sessionToken := os.Getenv("AWS_SESSION_TOKEN")
-	if sessionToken == "" {
+	if os.Getenv("AWS_SESSION_TOKEN") == "" {
 		sessionToken = conf["session_token"]
 	}
 

diff --git a/vault/seal/awskms/awskms.go b/vault/seal/awskms/awskms.go
@@ -99,19 +99,16 @@ func (k *AWSKMSSeal) SetConfig(config map[string]string) (map[string]string, err
 		k.region = "us-east-1"
 	}
 
-	// Check and set AWS access key and secret key
-	k.accessKey = os.Getenv("AWS_ACCESS_KEY_ID")
-	if k.accessKey == "" {
-		if accessKey, ok := config["access_key"]; ok {
-			k.accessKey = accessKey
-		}
+	// Check and set AWS access key, secret key, and session token
+	var accessKey, secretKey, sessionToken string
+	if os.Getenv("AWS_ACCESS_KEY_ID") == "" {
+		accessKey = config["access_key"]
 	}
-
-	k.secretKey = os.Getenv("AWS_SECRET_ACCESS_KEY")
-	if k.secretKey == "" {
-		if secretKey, ok := config["secret_key"]; ok {
-			k.secretKey = secretKey
-		}
+	if os.Getenv("AWS_SECRET_ACCESS_KEY") == "" {
+		secretKey = config["secret_key"]
+	}
+	if os.Getenv("AWS_SESSION_TOKEN") == "" {
+		sessionToken = config["session_token"]
 	}
 
 	k.endpoint = os.Getenv("AWS_KMS_ENDPOINT")