-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
auth/aws: Allow binding by EC2 instance IDs #3816
Changes from 22 commits
650f3d8
9439d2d
fb33b63
8c8c001
2233aba
ac4c31e
ebe9daf
c109477
c342691
71bd5e1
41c364f
0a2b550
a9d039a
4047948
1f3b7f6
1b2ee76
0eb5757
d0e4532
d32d856
0a71e7b
5f3c341
b14f055
c5c4f19
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -71,6 +71,13 @@ with an IAM instance profile ARN which has a prefix that matches | |
one of the values specified by this parameter. The value is prefix-matched | ||
(as though it were a glob ending in '*'). This is only applicable when | ||
auth_type is ec2 or inferred_entity_type is ec2_instance.`, | ||
}, | ||
"bound_ec2_instance_id": { | ||
Type: framework.TypeCommaStringSlice, | ||
Description: `If set, defines a constraint on the EC2 instances to have one of the | ||
given instance IDs. Can be a list or comma-separated string of EC2 instance | ||
IDs. This is only applicable when auth_type is ec2 or inferred_entity_type is | ||
ec2_instance.`, | ||
}, | ||
"resolve_aws_unique_ids": { | ||
Type: framework.TypeBool, | ||
|
@@ -548,6 +555,10 @@ func (b *backend) pathRoleCreateUpdate(ctx context.Context, req *logical.Request | |
roleEntry.BoundIamInstanceProfileARNs = boundIamInstanceProfileARNRaw.([]string) | ||
} | ||
|
||
if boundEc2InstanceIDRaw, ok := data.GetOk("bound_ec2_instance_id"); ok { | ||
roleEntry.BoundEc2InstanceIDs = boundEc2InstanceIDRaw.([]string) | ||
} | ||
|
||
if boundIamPrincipalARNRaw, ok := data.GetOk("bound_iam_principal_arn"); ok { | ||
principalARNs := boundIamPrincipalARNRaw.([]string) | ||
roleEntry.BoundIamPrincipalARNs = principalARNs | ||
|
@@ -647,6 +658,13 @@ func (b *backend) pathRoleCreateUpdate(ctx context.Context, req *logical.Request | |
numBinds++ | ||
} | ||
|
||
if len(roleEntry.BoundEc2InstanceIDs) > 0 { | ||
if !allowEc2Binds { | ||
return logical.ErrorResponse(fmt.Sprintf("specified bound_ec2_instance_id but not allowing ec2 auth_type or inferring %s", ec2EntityType)), nil | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This language is slightly awkward in that you don't "allow" ec2 auth type. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yeah, it's a little awkward, but that's exactly what all the other error messages say. I've updated everywhere to use specifying instead of allowing, I think that's more accurate. |
||
} | ||
numBinds++ | ||
} | ||
|
||
if len(roleEntry.BoundIamRoleARNs) > 0 { | ||
if !allowEc2Binds { | ||
return logical.ErrorResponse(fmt.Sprintf("specified bound_iam_role_arn but not allowing ec2 auth_type or inferring %s", ec2EntityType)), nil | ||
|
@@ -794,6 +812,7 @@ type awsRoleEntry struct { | |
AuthType string `json:"auth_type" ` | ||
BoundAmiIDs []string `json:"bound_ami_id_list"` | ||
BoundAccountIDs []string `json:"bound_account_id_list"` | ||
BoundEc2InstanceIDs []string `json:"bound_ec2_instance_id_list"` | ||
BoundIamPrincipalARNs []string `json:"bound_iam_principal_arn_list"` | ||
BoundIamPrincipalIDs []string `json:"bound_iam_principal_id_list"` | ||
BoundIamRoleARNs []string `json:"bound_iam_role_arn_list"` | ||
|
@@ -830,6 +849,7 @@ func (r *awsRoleEntry) ToResponseData() map[string]interface{} { | |
"auth_type": r.AuthType, | ||
"bound_ami_id": r.BoundAmiIDs, | ||
"bound_account_id": r.BoundAccountIDs, | ||
"bound_ec2_instance_id": r.BoundEc2InstanceIDs, | ||
"bound_iam_principal_arn": r.BoundIamPrincipalARNs, | ||
"bound_iam_principal_id": r.BoundIamPrincipalIDs, | ||
"bound_iam_role_arn": r.BoundIamRoleARNs, | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any reason you explicitly dereference the pointer here and in the next line?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I dereference it here so I don't get a compiler error:
I dereference it in the next line so that it shows up as expected in the error message.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, forgot about how it's all pointers in AWS land. Sounds good!