Also handle role tags

hashicorp · Sep 9, 2017 · ef6ca2c · ef6ca2c
1 parent 23390e4
commit ef6ca2c
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/builtin/credential/aws/path_role_tag.go b/builtin/credential/aws/path_role_tag.go
@@ -124,6 +124,10 @@ func (b *backend) pathRoleTagUpdate(
 		resp.AddWarning("Role does not allow instance migration. Login will not be allowed with this tag unless the role value is updated.")
 	}
 
+	if disallowReauthentication && allowInstanceMigration {
+		return logical.ErrorResponse("cannot set both disallow_reauthentication and allow_instance_migration"), nil
+	}
+
 	// max_ttl for the role tag should be less than the max_ttl set on the role.
 	maxTTL := time.Duration(data.Get("max_ttl").(int)) * time.Second
 

diff --git a/website/source/api/auth/aws/index.html.md b/website/source/api/auth/aws/index.html.md
@@ -842,9 +842,11 @@ given instance can be allowed to gain in a worst-case scenario.
   the metadata document, so essentially, this disables the client nonce check
   whenever the instance is migrated to a new host and pendingTime is newer than
   the previously-remembered time. Use with caution. Defaults to 'false'.
+  Mutually exclusive with `disallow_reauthentication`.
 - `disallow_reauthentication` `(bool: false)` - If set, only allows a single
   token to be granted per instance ID. This can be cleared with the
-  auth/aws/identity-whitelist endpoint. Defaults to 'false'.
+  auth/aws/identity-whitelist endpoint. Defaults to 'false'. Mutually exclusive
+  with `allow_instance_migration`.
 
 ### Sample Payload