-
Notifications
You must be signed in to change notification settings - Fork 4.2k
/
path_config_rotate_root.go
209 lines (186 loc) · 7.52 KB
/
path_config_rotate_root.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
package awsauth
import (
"context"
"fmt"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/ec2"
"github.com/aws/aws-sdk-go/service/iam"
"github.com/aws/aws-sdk-go/service/iam/iamiface"
"github.com/hashicorp/go-cleanhttp"
"github.com/hashicorp/go-multierror"
"github.com/hashicorp/go-secure-stdlib/awsutil"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/logical"
)
func (b *backend) pathConfigRotateRoot() *framework.Path {
return &framework.Path{
Pattern: "config/rotate-root",
Operations: map[logical.Operation]framework.OperationHandler{
logical.UpdateOperation: &framework.PathOperation{
Callback: b.pathConfigRotateRootUpdate,
},
},
HelpSynopsis: pathConfigRotateRootHelpSyn,
HelpDescription: pathConfigRotateRootHelpDesc,
}
}
func (b *backend) pathConfigRotateRootUpdate(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
// First get the AWS key and secret and validate that we _can_ rotate them.
// We need the read lock here to prevent anything else from mutating it while we're using it.
b.configMutex.Lock()
defer b.configMutex.Unlock()
clientConf, err := b.nonLockedClientConfigEntry(ctx, req.Storage)
if err != nil {
return nil, err
}
if clientConf == nil {
return logical.ErrorResponse(`can't update client config because it's unset`), nil
}
if clientConf.AccessKey == "" {
return logical.ErrorResponse("can't update access_key because it's unset"), nil
}
if clientConf.SecretKey == "" {
return logical.ErrorResponse("can't update secret_key because it's unset"), nil
}
// Getting our client through the b.clientIAM method requires values retrieved through
// the user providing an ARN, which we don't have here, so let's just directly
// make what we need.
staticCreds := &credentials.StaticProvider{
Value: credentials.Value{
AccessKeyID: clientConf.AccessKey,
SecretAccessKey: clientConf.SecretKey,
},
}
// By default, leave the iamEndpoint nil to tell AWS it's unset. However, if it is
// configured, populate the pointer.
var iamEndpoint *string
if clientConf.IAMEndpoint != "" {
iamEndpoint = aws.String(clientConf.IAMEndpoint)
}
// Attempt to retrieve the region, error out if no region is provided.
region, err := awsutil.GetRegion("")
if err != nil {
return nil, fmt.Errorf("error retrieving region: %w", err)
}
awsConfig := &aws.Config{
Credentials: credentials.NewCredentials(staticCreds),
Endpoint: iamEndpoint,
// Generally speaking, GetRegion will use the Vault server's region. However, if this
// needs to be overridden, an easy way would be to set the AWS_DEFAULT_REGION on the Vault server
// to the desired region. If that's still insufficient for someone's use case, in the future we
// could add the ability to specify the region either on the client config or as part of the
// inbound rotation call.
Region: aws.String(region),
// Prevents races.
HTTPClient: cleanhttp.DefaultClient(),
}
sess, err := session.NewSession(awsConfig)
if err != nil {
return nil, err
}
iamClient := getIAMClient(sess)
// Get the current user's name since it's required to create an access key.
// Empty input means get the current user.
var getUserInput iam.GetUserInput
getUserRes, err := iamClient.GetUser(&getUserInput)
if err != nil {
return nil, fmt.Errorf("error calling GetUser: %w", err)
}
if getUserRes == nil {
return nil, fmt.Errorf("nil response from GetUser")
}
if getUserRes.User == nil {
return nil, fmt.Errorf("nil user returned from GetUser")
}
if getUserRes.User.UserName == nil {
return nil, fmt.Errorf("nil UserName returned from GetUser")
}
// Create the new access key and secret.
createAccessKeyInput := iam.CreateAccessKeyInput{
UserName: getUserRes.User.UserName,
}
createAccessKeyRes, err := iamClient.CreateAccessKey(&createAccessKeyInput)
if err != nil {
return nil, fmt.Errorf("error calling CreateAccessKey: %w", err)
}
if createAccessKeyRes.AccessKey == nil {
return nil, fmt.Errorf("nil response from CreateAccessKey")
}
if createAccessKeyRes.AccessKey.AccessKeyId == nil || createAccessKeyRes.AccessKey.SecretAccessKey == nil {
return nil, fmt.Errorf("nil AccessKeyId or SecretAccessKey returned from CreateAccessKey")
}
// We're about to attempt to store the newly created key and secret, but just in case we can't,
// let's clean up after ourselves.
storedNewConf := false
var errs error
defer func() {
if storedNewConf {
return
}
// Attempt to delete the access key and secret we created but couldn't store and use.
deleteAccessKeyInput := iam.DeleteAccessKeyInput{
AccessKeyId: createAccessKeyRes.AccessKey.AccessKeyId,
UserName: getUserRes.User.UserName,
}
if _, err := iamClient.DeleteAccessKey(&deleteAccessKeyInput); err != nil {
// Include this error in the errs returned by this method.
errs = multierror.Append(errs, fmt.Errorf("error deleting newly created but unstored access key ID %s: %s", *createAccessKeyRes.AccessKey.AccessKeyId, err))
}
}()
oldAccessKey := clientConf.AccessKey
clientConf.AccessKey = *createAccessKeyRes.AccessKey.AccessKeyId
clientConf.SecretKey = *createAccessKeyRes.AccessKey.SecretAccessKey
// Now get ready to update storage, doing everything beforehand so we can minimize how long
// we need to hold onto the lock.
newEntry, err := b.configClientToEntry(clientConf)
if err != nil {
errs = multierror.Append(errs, fmt.Errorf("error generating new client config JSON: %w", err))
return nil, errs
}
// Someday we may want to allow the user to send a number of seconds to wait here
// before deleting the previous access key to allow work to complete. That would allow
// AWS, which is eventually consistent, to finish populating the new key in all places.
if err := req.Storage.Put(ctx, newEntry); err != nil {
errs = multierror.Append(errs, fmt.Errorf("error saving new client config: %w", err))
return nil, errs
}
storedNewConf = true
// Previous cached clients need to be cleared because they may have been made using
// the soon-to-be-obsolete credentials.
b.IAMClientsMap = make(map[string]map[string]*iam.IAM)
b.EC2ClientsMap = make(map[string]map[string]*ec2.EC2)
// Now to clean up the old key.
deleteAccessKeyInput := iam.DeleteAccessKeyInput{
AccessKeyId: aws.String(oldAccessKey),
UserName: getUserRes.User.UserName,
}
if _, err = iamClient.DeleteAccessKey(&deleteAccessKeyInput); err != nil {
errs = multierror.Append(errs, fmt.Errorf("error deleting old access key ID %s: %w", oldAccessKey, err))
return nil, errs
}
return &logical.Response{
Data: map[string]interface{}{
"access_key": clientConf.AccessKey,
},
}, nil
}
// getIAMClient allows us to change how an IAM client is created
// during testing. The AWS SDK doesn't easily lend itself to testing
// using a Go httptest server because if you inject a test URL into
// the config, the client strips important information about which
// endpoint it's hitting. Per
// https://aws.amazon.com/blogs/developer/mocking-out-then-aws-sdk-for-go-for-unit-testing/,
// this is the recommended approach.
var getIAMClient = func(sess *session.Session) iamiface.IAMAPI {
return iam.New(sess)
}
const pathConfigRotateRootHelpSyn = `
Request to rotate the AWS credentials used by Vault
`
const pathConfigRotateRootHelpDesc = `
This path attempts to rotate the AWS credentials used by Vault for this mount.
It is only valid if Vault has been configured to use AWS IAM credentials via the
config/client endpoint.
`