
acl: Adjust region handling in AWS IAM auth method #12774

Merged: 3 commits merged into main from pglass/iam-auth-region-tweaks on Apr 13, 2022

Conversation

@pglass pglass commented Apr 13, 2022

This improves region handling in the AWS IAM auth method:

  1. Server-side, do not send sts:GetCallerIdentity requests to the global STS endpoint, by default. This causes login failures when the sts:GetCallerIdentity request is signed for a region-specific endpoint. Instead, validate the STS URL in the bearer token and send the request to that URL.
  2. Remove the STSRegion field from the auth method config, which is unused (note that an internal field of the same name still exists for generating the bearer token client-side; this one is still used).
  3. Client-side, use the AWS SDK's native regional endpoint selection for STS. This cleans up semi-custom endpoint selection code from Vault.

Closes #12661
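The server-side change in point 1 hinges on one defensive check: the STS URL carried in the bearer token must be validated before the server sends a signed sts:GetCallerIdentity request to it, otherwise a client could steer that request to any host it names. The following is an added illustration of such a check, not code from this pull request or from Consul. The token shape (a JSON document with `iam_http_request_method` and a base64-encoded `iam_request_url`) is modeled on the Vault-style IAM login payload and is an assumption for the example, as are the helper names `ValidateSTSURL`, `STSURLFromToken` and `MakeLoginToken` and the decision to reject any path other than `/`.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// loginToken is a constructed stand-in for the bearer token the client
// builds for the AWS IAM auth method. The field names follow the
// Vault-style IAM login payload; this is an assumption for the example,
// not Consul's exact wire format.
type loginToken struct {
	Method     string `json:"iam_http_request_method"`
	RequestURL string `json:"iam_request_url"` // base64-encoded STS URL
}

// stsHostPattern matches the global endpoint (sts.amazonaws.com), regional
// endpoints (sts.us-west-2.amazonaws.com), GovCloud (sts.us-gov-west-1.…)
// and the China partition suffix (.amazonaws.com.cn).
var stsHostPattern = regexp.MustCompile(
	`^sts(\.[a-z]{2}(-gov)?-[a-z]+-\d)?\.amazonaws\.com(\.cn)?$`)

// ValidateSTSURL accepts a URL only if it points at a genuine AWS STS
// endpoint over HTTPS, so the server never forwards a signed
// GetCallerIdentity request to a host of the client's choosing.
func ValidateSTSURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("unparseable STS URL: %w", err)
	}
	if u.Scheme != "https" {
		return nil, errors.New("STS URL must use https")
	}
	if u.User != nil {
		// a user@host prefix is a common way to smuggle in a foreign host
		return nil, errors.New("STS URL must not carry userinfo")
	}
	if p := u.Port(); p != "" && p != "443" {
		return nil, fmt.Errorf("unexpected STS port %q", p)
	}
	host := strings.ToLower(u.Hostname())
	if !stsHostPattern.MatchString(host) {
		return nil, fmt.Errorf("host %q is not an AWS STS endpoint", host)
	}
	// GetCallerIdentity is sent to the root path; anything else is rejected
	// (example policy, stricter than the service itself requires).
	if u.Path != "" && u.Path != "/" {
		return nil, fmt.Errorf("unexpected STS path %q", u.Path)
	}
	return u, nil
}

// MakeLoginToken builds a constructed token for a given STS URL, the way a
// client would before login (used here only to produce sample input).
func MakeLoginToken(stsURL string) string {
	tok := loginToken{
		Method:     "POST",
		RequestURL: base64.StdEncoding.EncodeToString([]byte(stsURL)),
	}
	b, _ := json.Marshal(tok)
	return string(b)
}

// STSURLFromToken decodes the token and returns the validated STS URL that
// the server should send the sts:GetCallerIdentity request to.
func STSURLFromToken(token string) (string, error) {
	var tok loginToken
	if err := json.Unmarshal([]byte(token), &tok); err != nil {
		return "", fmt.Errorf("token is not JSON: %w", err)
	}
	if tok.Method != "POST" && tok.Method != "GET" {
		return "", fmt.Errorf("unsupported request method %q", tok.Method)
	}
	rawURL, err := base64.StdEncoding.DecodeString(tok.RequestURL)
	if err != nil {
		return "", fmt.Errorf("iam_request_url is not base64: %w", err)
	}
	u, err := ValidateSTSURL(string(rawURL))
	if err != nil {
		return "", err
	}
	return u.String(), nil
}

func main() {
	for _, raw := range []string{
		"https://sts.us-west-2.amazonaws.com/",              // regional endpoint: accepted
		"https://sts.us-west-2.amazonaws.com.evil.example/", // look-alike host: rejected
	} {
		got, err := STSURLFromToken(MakeLoginToken(raw))
		fmt.Printf("%-52s -> %q err=%v\n", raw, got, err)
	}
}
```

The host allow-list is deliberately a pattern over AWS's documented endpoint naming rather than a fixed list of regions, so a newly launched region works without a code change while look-alike hosts, userinfo tricks and non-standard ports are still refused.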

@pglass pglass requested a review from rboyer April 13, 2022 16:22
@rboyer rboyer added this to the 1.12.0 milestone Apr 13, 2022
@rboyer rboyer added the backport-inactive/1.12 This release series is no longer active label Apr 13, 2022
@pglass pglass merged commit 99f373d into main Apr 13, 2022
@pglass pglass deleted the pglass/iam-auth-region-tweaks branch April 13, 2022 19:31
@hc-github-team-consul-core (Collaborator) commented:

🍒 If backport labels were added before merging, cherry-picking will start automatically.

To retroactively trigger a backport after merging, add backport labels and re-run https://circleci.com/gh/hashicorp/consul/637653.

@hc-github-team-consul-core (Collaborator) commented:

🍒✅ Cherry pick of commit 99f373d onto release/1.12.x succeeded!

hc-github-team-consul-core pushed a commit that referenced this pull request Apr 13, 2022
* acl: Adjust region handling in AWS IAM auth method
@eculver eculver restored the pglass/iam-auth-region-tweaks branch April 14, 2022 23:38
@eculver eculver deleted the pglass/iam-auth-region-tweaks branch April 14, 2022 23:48
Labels
backport-inactive/1.12 This release series is no longer active pr/no-metrics-test
Development

Successfully merging this pull request may close these issues.

IAM Auth Method: Remove stsSigningResolver?
3 participants