diff --git a/go.mod b/go.mod
index 4fbd01af569d..0cf33b894949 100644
--- a/go.mod
+++ b/go.mod
@@ -84,7 +84,7 @@ require (
 github.com/hashicorp/vault-plugin-secrets-ad v0.6.6-0.20200520202259-fc6b89630f9f
 github.com/hashicorp/vault-plugin-secrets-alicloud v0.5.5
 github.com/hashicorp/vault-plugin-secrets-azure v0.5.6
- github.com/hashicorp/vault-plugin-secrets-gcp v0.6.2-0.20200507171538-2548e2b5058d
+ github.com/hashicorp/vault-plugin-secrets-gcp v0.6.2-0.20200617162044-4a67a90aaca5
 github.com/hashicorp/vault-plugin-secrets-gcpkms v0.5.5
 github.com/hashicorp/vault-plugin-secrets-kv v0.5.5
 github.com/hashicorp/vault-plugin-secrets-mongodbatlas v0.1.2
diff --git a/go.sum b/go.sum
index 809d2ec3d16a..907d00cf2ab3 100644
--- a/go.sum
+++ b/go.sum
@@ -412,22 +412,16 @@ github.com/hashicorp/vault-plugin-auth-oci v0.5.4 h1:Hoauxh1V8Lusf7BRs+yXfoDTFQz
 github.com/hashicorp/vault-plugin-auth-oci v0.5.4/go.mod h1:j05O2b9fw2Q82NxDPhHMYVfHKvitUYGWfmqmpBdqmmc=
 github.com/hashicorp/vault-plugin-database-elasticsearch v0.5.4 h1:YE4qndazWmYGpVOoZI7nDGG+gwTZKzL1Ou4WZQ+Tdxk=
 github.com/hashicorp/vault-plugin-database-elasticsearch v0.5.4/go.mod h1:QjGrrxcRXv/4XkEZAlM0VMZEa3uxKAICFqDj27FP/48=
-github.com/hashicorp/vault-plugin-database-mongodbatlas v0.1.1 h1:fA6cFH8lIPH2M4KNTEzf1bpc6Tbyy5ZvoYP8H/TI9ts=
-github.com/hashicorp/vault-plugin-database-mongodbatlas v0.1.1/go.mod h1:MP3kfr0N+7miOTZFwKv952b9VkXM4S2Q6YtQCiNKWq8=
 github.com/hashicorp/vault-plugin-database-mongodbatlas v0.1.2-0.20200520204052-f840e9d4895c h1:P9rZXBJx+UHu/T8lK8NEtS2PGeSnyZ31zeOtkvGo4yo=
 github.com/hashicorp/vault-plugin-database-mongodbatlas v0.1.2-0.20200520204052-f840e9d4895c/go.mod h1:MP3kfr0N+7miOTZFwKv952b9VkXM4S2Q6YtQCiNKWq8=
-github.com/hashicorp/vault-plugin-secrets-ad v0.6.4-beta1.0.20200518124111-3dceeb3ce90e h1:0GK1BNBfglD2sydZ4XXMjJElhY8bC2TDdc0vk1Q9zbA=
-github.com/hashicorp/vault-plugin-secrets-ad v0.6.4-beta1.0.20200518124111-3dceeb3ce90e/go.mod h1:SCsKcChP8yrtOHXOeTD7oRk0oflj3IxA9y9zTOGtQ8s=
-github.com/hashicorp/vault-plugin-secrets-ad v0.6.5 h1:wrHzXSD6qmKvkuHaQn+BNj89+HGhMNchxAckGnd7YTc=
-github.com/hashicorp/vault-plugin-secrets-ad v0.6.5/go.mod h1:kk98nB+cwDbt3I7UGQq3ota7+eHZrGSTQZfSRGpluvA=
 github.com/hashicorp/vault-plugin-secrets-ad v0.6.6-0.20200520202259-fc6b89630f9f h1:2pbH2I37C40+VvC5YkQONEwcqqFLNzsoFxJPiWaZZHE=
 github.com/hashicorp/vault-plugin-secrets-ad v0.6.6-0.20200520202259-fc6b89630f9f/go.mod h1:kk98nB+cwDbt3I7UGQq3ota7+eHZrGSTQZfSRGpluvA=
 github.com/hashicorp/vault-plugin-secrets-alicloud v0.5.5 h1:BOOtSls+BQ1EtPmpE9LoqZztsEZ1fRWVSkHWtRIrCB4=
 github.com/hashicorp/vault-plugin-secrets-alicloud v0.5.5/go.mod h1:gAoReoUpBHaBwkxQqTK7FY8nQC0MuaZHLiW5WOSny5g=
 github.com/hashicorp/vault-plugin-secrets-azure v0.5.6 h1:4PgQ5rCT29wW5PMyebEhPkEYuR5s+SnInuZz3x2cP50=
 github.com/hashicorp/vault-plugin-secrets-azure v0.5.6/go.mod h1:Q0cIL4kZWnMmQWkBfWtyOd7+JXTEpAyU4L932PMHq3E=
-github.com/hashicorp/vault-plugin-secrets-gcp v0.6.2-0.20200507171538-2548e2b5058d h1:gW4j9YChsCbGp8Uky+XDCam/+CBtFwV8SnPuQR5tPVE=
-github.com/hashicorp/vault-plugin-secrets-gcp v0.6.2-0.20200507171538-2548e2b5058d/go.mod h1:jVTE1fuhRcBOb/gnCT9W++AnlwiyQEX4S8iVCKhKQsE=
+github.com/hashicorp/vault-plugin-secrets-gcp v0.6.2-0.20200617162044-4a67a90aaca5 h1:X8jtQvuyLh6ZIFUQmG7Ky2QVQZCulz2BB/vroM6xTVc=
+github.com/hashicorp/vault-plugin-secrets-gcp v0.6.2-0.20200617162044-4a67a90aaca5/go.mod h1:jVTE1fuhRcBOb/gnCT9W++AnlwiyQEX4S8iVCKhKQsE=
 github.com/hashicorp/vault-plugin-secrets-gcpkms v0.5.5 h1:NigzA2v+h+cjBPl41pRirRwWELF+RPJGch/ys0Sijrc=
 github.com/hashicorp/vault-plugin-secrets-gcpkms v0.5.5/go.mod h1:b6RwFD1bny1zbfqhD35iGJdQYHRtJLx3HfBD109GO38=
 github.com/hashicorp/vault-plugin-secrets-kv v0.5.5 h1:yLtfsAiJOkpRkk+OxQmFluQJ35OUw420Y+CwfGMWuSc=
diff --git a/vendor/github.com/hashicorp/vault-plugin-secrets-gcp/plugin/path_role_set.go b/vendor/github.com/hashicorp/vault-plugin-secrets-gcp/plugin/path_role_set.go
index f32ed7d7895c..32b62b670617 100644
--- a/vendor/github.com/hashicorp/vault-plugin-secrets-gcp/plugin/path_role_set.go
+++ b/vendor/github.com/hashicorp/vault-plugin-secrets-gcp/plugin/path_role_set.go
@@ -362,6 +362,9 @@ func (b *backend) pathRoleSetCreateUpdate(ctx context.Context, req *logical.Requ
 // If no new bindings or new bindings are exactly same as old bindings,
 // just update the role set without rotating service account.
 if !newBindings || rs.bindingHash() == getStringHash(bRaw.(string)) {
+ if rs.TokenGen != nil {
+ rs.TokenGen.Scopes = scopes
+ }
 // Just save role with updated metadata:
 if err := rs.save(ctx, req.Storage); err != nil {
 return logical.ErrorResponse(err.Error()), nil
diff --git a/vendor/github.com/hashicorp/vault/sdk/helper/awsutil/generate_credentials.go b/vendor/github.com/hashicorp/vault/sdk/helper/awsutil/generate_credentials.go
index 83c134a56e2a..b4bdcc6a9f62 100644
--- a/vendor/github.com/hashicorp/vault/sdk/helper/awsutil/generate_credentials.go
+++ b/vendor/github.com/hashicorp/vault/sdk/helper/awsutil/generate_credentials.go
@@ -3,10 +3,15 @@ package awsutil
 import (
 "fmt"
 "net/http"
+ "os"
 "github.com/aws/aws-sdk-go/aws"
 "github.com/aws/aws-sdk-go/aws/credentials"
+ "github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 "github.com/aws/aws-sdk-go/aws/defaults"
+ "github.com/aws/aws-sdk-go/aws/session"
+ "github.com/aws/aws-sdk-go/service/sts"
+ "github.com/pkg/errors"
 )
 type CredentialsConfig struct {
@@ -54,6 +59,20 @@ func (c *CredentialsConfig) GenerateCredentialChain() (*credentials.Credentials,
 "static AWS client credentials haven't been properly configured (the access key or secret key were provided but not both)")
 }
+ roleARN := os.Getenv("AWS_ROLE_ARN")
+ tokenPath := os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE")
+ sessionName := os.Getenv("AWS_ROLE_SESSION_NAME")
+ if roleARN != "" && tokenPath != "" && sessionName != "" {
+ // this session is only created to create the WebIdentityRoleProvider, as the env variables are already there
+ // this automatically assumes the role, but the provider needs to be added to the chain
+ sess, err := session.NewSession()
+ if err != nil {
+ return nil, errors.Wrap(err, "error creating a new session to create a WebIdentityRoleProvider")
+ }
+ //Add the web identity role credential provider
+ providers = append(providers, stscreds.NewWebIdentityRoleProvider(sts.New(sess), roleARN, sessionName, tokenPath))
+ }
+
 // Add the environment credential provider
 providers = append(providers, &credentials.EnvProvider{})
@@ -77,7 +96,7 @@ func (c *CredentialsConfig) GenerateCredentialChain() (*credentials.Credentials,
 // Create the credentials required to access the API.
 creds := credentials.NewChainCredentials(providers)
 if creds == nil {
- return nil, fmt.Errorf("could not compile valid credential providers from static config, environment, shared, or instance metadata")
+ return nil, fmt.Errorf("could not compile valid credential providers from static config, environment, shared, web identity or instance metadata")
 }
 return creds, nil
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 702d326764a0..58753d20008f 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -416,7 +416,7 @@ github.com/hashicorp/vault-plugin-secrets-alicloud
 github.com/hashicorp/vault-plugin-secrets-alicloud/clients
 # github.com/hashicorp/vault-plugin-secrets-azure v0.5.6
 github.com/hashicorp/vault-plugin-secrets-azure
-# github.com/hashicorp/vault-plugin-secrets-gcp v0.6.2-0.20200507171538-2548e2b5058d
+# github.com/hashicorp/vault-plugin-secrets-gcp v0.6.2-0.20200617162044-4a67a90aaca5
 github.com/hashicorp/vault-plugin-secrets-gcp/plugin
 github.com/hashicorp/vault-plugin-secrets-gcp/plugin/iamutil
 github.com/hashicorp/vault-plugin-secrets-gcp/plugin/util