From 9532ac3315514609497a1b28db1a20e7dd50dd9d Mon Sep 17 00:00:00 2001
From: Jeff Mitchell <jeffrey.mitchell@gmail.com>
Date: Tue, 18 Dec 2018 18:41:05 -0500
Subject: [PATCH] Change credential_types output to credential_type

Fixes #5972
---
 CHANGELOG.md                      |  8 ++++++++
 builtin/logical/aws/path_roles.go | 12 ++++++------
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 03c4a772a661..c30177d063ba 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,11 @@
+## 1.0.2 (Unreleased)
+
+CHANGES:
+
+ * secret/aws: Role now returns `credential_type` instead of `credential_types`
+   to match role input. If a legacy role that can supply more than one
+   credential type, they will be concatenated with a `,`.
+
 ## 1.0.1 (December 14th, 2018)
 
 SECURITY:
diff --git a/builtin/logical/aws/path_roles.go b/builtin/logical/aws/path_roles.go
index a3a30f5617cd..c02c752af3f3 100644
--- a/builtin/logical/aws/path_roles.go
+++ b/builtin/logical/aws/path_roles.go
@@ -429,12 +429,12 @@ type awsRoleEntry struct {
 
 func (r *awsRoleEntry) toResponseData() map[string]interface{} {
 	respData := map[string]interface{}{
-		"credential_types": r.CredentialTypes,
-		"policy_arns":      r.PolicyArns,
-		"role_arns":        r.RoleArns,
-		"policy_document":  r.PolicyDocument,
-		"default_sts_ttl":  int64(r.DefaultSTSTTL.Seconds()),
-		"max_sts_ttl":      int64(r.MaxSTSTTL.Seconds()),
+		"credential_type": strings.Join(r.CredentialTypes, ","),
+		"policy_arns":     r.PolicyArns,
+		"role_arns":       r.RoleArns,
+		"policy_document": r.PolicyDocument,
+		"default_sts_ttl": int64(r.DefaultSTSTTL.Seconds()),
+		"max_sts_ttl":     int64(r.MaxSTSTTL.Seconds()),
 	}
 	if r.InvalidData != "" {
 		respData["invalid_data"] = r.InvalidData