From 974ab0f6b3b4b2796ca363dd229127552ef0b660 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Tue, 18 Dec 2018 18:33:28 -0500
Subject: [PATCH] Don't read AWS env vars

Let AWS SDK env cred chain provider do it for us

Fixes #5965
---
 physical/dynamodb/dynamodb.go | 14 ++++++--------
 vault/seal/awskms/awskms.go | 21 +++++++++------------
 2 files changed, 15 insertions(+), 20 deletions(-)

diff --git a/physical/dynamodb/dynamodb.go b/physical/dynamodb/dynamodb.go
index 3a08cca17371..7bf270c0c317 100644
--- a/physical/dynamodb/dynamodb.go
+++ b/physical/dynamodb/dynamodb.go
@@ -15,7 +15,7 @@ import (
 	log "github.com/hashicorp/go-hclog"
-	"github.com/armon/go-metrics"
+	metrics "github.com/armon/go-metrics"
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/aws/aws-sdk-go/aws/session"
@@ -23,7 +23,7 @@ import (
 	"github.com/aws/aws-sdk-go/service/dynamodb/dynamodbattribute"
 	"github.com/hashicorp/errwrap"
 	cleanhttp "github.com/hashicorp/go-cleanhttp"
-	"github.com/hashicorp/go-uuid"
+	uuid "github.com/hashicorp/go-uuid"
 	"github.com/hashicorp/vault/helper/awsutil"
 	"github.com/hashicorp/vault/helper/consts"
 	"github.com/hashicorp/vault/physical"
@@ -155,16 +155,14 @@ func NewDynamoDBBackend(conf map[string]string, logger log.Logger) (physical.Bac
 		writeCapacity = DefaultDynamoDBWriteCapacity
 	}
 
-	accessKey := os.Getenv("AWS_ACCESS_KEY_ID")
-	if accessKey == "" {
+	var accessKey, secretKey, sessionToken string
+	if os.Getenv("AWS_ACCESS_KEY_ID") == "" {
 		accessKey = conf["access_key"]
 	}
-	secretKey := os.Getenv("AWS_SECRET_ACCESS_KEY")
-	if secretKey == "" {
+	if os.Getenv("AWS_SECRET_ACCESS_KEY") == "" {
 		secretKey = conf["secret_key"]
 	}
-	sessionToken := os.Getenv("AWS_SESSION_TOKEN")
-	if sessionToken == "" {
+	if os.Getenv("AWS_SESSION_TOKEN") == "" {
 		sessionToken = conf["session_token"]
 	}
 
diff --git a/vault/seal/awskms/awskms.go b/vault/seal/awskms/awskms.go
index c0781f96ced5..d6e217938bec 100644
--- a/vault/seal/awskms/awskms.go
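Review bot: The three environment checks in NewDynamoDBBackend are evaluated independently, so a partially set environment (a stale `AWS_ACCESS_KEY_ID` export with no secret, or only `AWS_SESSION_TOKEN`) leaves that one value empty while the others are still taken from conf, and the credential set handed on is assembled from two sources rather than the clean hand-off to the SDK's env provider the commit describes. If the credential chain built further down (outside the hunk; the function continues past it) needs the static pair together, the configured keys are then dropped silently and the backend falls through to whatever ambient identity the chain finds next, which is hard to diagnose and may not be the identity the operator intended. I would decide once, on the key pair, and warn when configured credentials are being overridden by the environment, since a storage backend quietly talking to DynamoDB as a different principal is exactly the kind of thing that should show up in the log.
```go
	var accessKey, secretKey, sessionToken string
	// Defer to the SDK's env provider only when it can actually serve a key pair;
	// a half-set environment must not silently discard the configured credentials.
	if os.Getenv("AWS_ACCESS_KEY_ID") == "" && os.Getenv("AWS_SECRET_ACCESS_KEY") == "" {
		accessKey = conf["access_key"]
		secretKey = conf["secret_key"]
		sessionToken = conf["session_token"]
	} else if conf["access_key"] != "" || conf["secret_key"] != "" {
		logger.Warn("AWS credentials present in environment; ignoring access_key/secret_key from config")
	}
	// … unchanged: rest of NewDynamoDBBackend …
```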
+++ b/vault/seal/awskms/awskms.go
@@ -99,19 +99,16 @@ func (k *AWSKMSSeal) SetConfig(config map[string]string) (map[string]string, err
 		k.region = "us-east-1"
 	}
 
-	// Check and set AWS access key and secret key
-	k.accessKey = os.Getenv("AWS_ACCESS_KEY_ID")
-	if k.accessKey == "" {
-		if accessKey, ok := config["access_key"]; ok {
-			k.accessKey = accessKey
-		}
+	// Check and set AWS access key, secret key, and session token
+	var accessKey, secretKey, sessionToken string
+	if os.Getenv("AWS_ACCESS_KEY_ID") == "" {
+		accessKey = config["access_key"]
 	}
-
-	k.secretKey = os.Getenv("AWS_SECRET_ACCESS_KEY")
-	if k.secretKey == "" {
-		if secretKey, ok := config["secret_key"]; ok {
-			k.secretKey = secretKey
-		}
+	if os.Getenv("AWS_SECRET_ACCESS_KEY") == "" {
+		secretKey = config["secret_key"]
+	}
+	if os.Getenv("AWS_SESSION_TOKEN") == "" {
+		sessionToken = config["session_token"]
 	}
 
 	k.endpoint = os.Getenv("AWS_KMS_ENDPOINT")
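Review bot: The three checks added to SetConfig run independently, so an environment that exports only `AWS_ACCESS_KEY_ID` (or only `AWS_SESSION_TOKEN`) leaves that field empty while the remaining ones are still read from config, producing a half-environment, half-config credential set for the seal instead of a clean hand-off to the SDK's env provider. Where these locals are consumed is outside the hunk (SetConfig continues past it), but if they feed a static-credential provider that needs the pair, the configured seal credentials are silently dropped and KMS calls fall through to whatever identity the chain finds next, which for an auto-unseal key is a surprising place to change principal. `session_token` is also a config key this file did not read before; a session token is time-limited, so one written into the seal stanza will stop working at expiry and the comment on the new block should say so rather than just list the three names. I would gate all three reads on the key pair and replace the comment with one that states the precedence rule and that caveat.
```go
	// Static credentials come from the seal config only when the environment does
	// not already supply a key pair; otherwise the SDK's env credential provider is
	// expected to read all three. A session_token set here is temporary by nature
	// and must be rotated before it expires or the seal loses access to the key.
	var accessKey, secretKey, sessionToken string
	if os.Getenv("AWS_ACCESS_KEY_ID") == "" && os.Getenv("AWS_SECRET_ACCESS_KEY") == "" {
		accessKey = config["access_key"]
		secretKey = config["secret_key"]
		sessionToken = config["session_token"]
	}
	// … unchanged: endpoint handling and the rest of SetConfig …
```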