Allow AWS IAM authentication in regions. (#243)

The region defaults to the currently hard-coded us-east-1.
hvac · Aug 6, 2018 · 0ecd399 · 0ecd399
1 parent ce05960
commit 0ecd399
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 5 deletions.
diff --git a/hvac/aws_utils.py b/hvac/aws_utils.py
@@ -5,10 +5,11 @@
 
 
 class SigV4Auth(object):
-    def __init__(self, access_key, secret_key, session_token=None):
+    def __init__(self, access_key, secret_key, session_token=None, region='us-east-1'):
         self.access_key = access_key
         self.secret_key = secret_key
         self.session_token = session_token
+        self.region = region
 
     def add_auth(self, request):
         timestamp = datetime.utcnow().strftime('%Y%m%dT%H%M%SZ')
@@ -25,14 +26,14 @@ def add_auth(self, request):
 
         # https://docs.aws.amazon.com/general/latest/gr/sigv4-create-string-to-sign.html
         algorithm = 'AWS4-HMAC-SHA256'
-        credential_scope = '/'.join([timestamp[0:8], 'us-east-1', 'sts', 'aws4_request'])
+        credential_scope = '/'.join([timestamp[0:8], self.region, 'sts', 'aws4_request'])
         canonical_request_hash = sha256(canonical_request.encode('utf-8')).hexdigest()
         string_to_sign = '\n'.join([algorithm, timestamp, credential_scope, canonical_request_hash])
 
         # https://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html
         key = 'AWS4{0}'.format(self.secret_key).encode('utf-8')
         key = hmac.new(key, timestamp[0:8].encode('utf-8'), sha256).digest()
-        key = hmac.new(key, 'us-east-1'.encode('utf-8'), sha256).digest()
+        key = hmac.new(key, self.region.encode('utf-8'), sha256).digest()
         key = hmac.new(key, 'sts'.encode('utf-8'), sha256).digest()
         key = hmac.new(key, 'aws4_request'.encode('utf-8'), sha256).digest()
         signature = hmac.new(key, string_to_sign.encode('utf-8'), sha256).hexdigest()

diff --git a/hvac/v1/__init__.py b/hvac/v1/__init__.py
@@ -1075,7 +1075,7 @@ def auth_userpass(self, username, password, mount_point='userpass', use_token=Tr
 
         return self.auth('/v1/auth/{0}/login/{1}'.format(mount_point, username), json=params, use_token=use_token)
 
-    def auth_aws_iam(self, access_key, secret_key, session_token=None, header_value=None, mount_point='aws', role='', use_token=True):
+    def auth_aws_iam(self, access_key, secret_key, session_token=None, header_value=None, mount_point='aws', role='', use_token=True, region='us-east-1'):
         """POST /auth/<mount point>/login
 
         :param access_key: AWS IAM access key ID
@@ -1105,7 +1105,7 @@ def auth_aws_iam(self, access_key, secret_key, session_token=None, header_value=
         """
         request = aws_utils.generate_sigv4_auth_request(header_value=header_value)
 
-        auth = aws_utils.SigV4Auth(access_key, secret_key, session_token)
+        auth = aws_utils.SigV4Auth(access_key, secret_key, session_token, region)
         auth.add_auth(request)
 
         # https://github.com/hashicorp/vault/blob/master/builtin/credential/aws/cli.go