AWS secret engine - fix generate_credentials for STS endpoint #934

briantist
Contributor

Fixes #930
Closes #932

The generate_credentials endpoint was not properly passing parameters when calling the sts endpoint, so all parameters were being ignored.

The method was also using the PUT verb, even though the docs specify POST. According to the Vault documentation, this was OK because, for the time being, the Vault API considered PUT and POST to be equivalent; however, I've updated the method to use POST anyway.

Changes to generate_credentials:

  • Use _adapter.post() instead of _adapter.put()
  • Remove name from the parameters passed to the endpoint
  • Send the parameters to the endpoint properly (with the json parameter)
  • Add the role_session_name parameter to the method
  • Update documentation for the method

The addition of role_session_name means we'll release this in the next minor version after it gets merged.
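A regression check for the request shape listed above, as an added example that is not part of the original pull request or hvac's own code: it records what a client would send to the sts endpoint and reports any caller-supplied option (such as ttl or role_arn) that does not reach the JSON body. `RecordingAdapter`, `generate_sts_credentials` and `audit_sts_call` are hypothetical names, and the ARN, TTL and session name are constructed sample values.

```python
# Added illustration; RecordingAdapter, generate_sts_credentials and
# audit_sts_call are hypothetical stand-ins, not hvac's implementation.

class RecordingAdapter:
    """Records each request instead of sending it to Vault."""

    def __init__(self):
        self.calls = []

    def request(self, verb, url, **kwargs):
        call = {"verb": verb, "url": url, **kwargs}
        self.calls.append(call)
        return call

    def put(self, url, **kwargs):
        return self.request("PUT", url, **kwargs)

    def post(self, url, **kwargs):
        return self.request("POST", url, **kwargs)


def generate_sts_credentials(adapter, name, role_arn=None, ttl=None,
                             role_session_name=None, mount_point="aws"):
    """Request shape after the fix: POST, options in the JSON body, no name."""
    body = {"role_arn": role_arn, "ttl": ttl,
            "role_session_name": role_session_name}
    body = {k: v for k, v in body.items() if v is not None}
    return adapter.post(url=f"/v1/{mount_point}/sts/{name}", json=body)


def audit_sts_call(call, expected):
    """Return the ways a recorded call deviates from the fixed behaviour."""
    problems = []
    if call["verb"] != "POST":
        problems.append(f"verb is {call['verb']}, docs specify POST")
    body = call.get("json") or {}
    if "name" in body:
        problems.append("role name duplicated in body; it belongs in the URL")
    for key, value in expected.items():
        if body.get(key) != value:
            problems.append(f"{key} not delivered in JSON body")
    return problems


# Constructed inputs: the ARN, TTL and session name are sample values.
WANTED = {"role_arn": "arn:aws:iam::123456789012:role/example",
          "ttl": "15m", "role_session_name": "ci-job-42"}
adapter = RecordingAdapter()
fixed_call = generate_sts_credentials(adapter, "deploy", **WANTED)
# Constructed record of a call whose options never reach the body.
dropped_call = adapter.put(url="/v1/aws/sts/deploy")
```

Running `audit_sts_call` against a mocked adapter in a test suite catches the case where a requested ttl or role_session_name is silently not applied to the issued credentials.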

@briantist briantist added bug enhancement a new feature or addition aws AWS auth method and/or secrets engine secrets engines generally related to a Vault secrets engine minor Used as part of release-drafter's version-resolver configuration labels Jan 8, 2023
@briantist briantist added this to the 1.1.0 milestone Jan 8, 2023
@briantist briantist self-assigned this Jan 8, 2023
@briantist briantist requested a review from a team as a code owner January 8, 2023 23:06
sunchill06
sunchill06 previously approved these changes Jan 9, 2023

@sunchill06 sunchill06 left a comment

LGTM. Thanks for taking care of this.

@briantist briantist force-pushed the secrets/aws/generate_credentials-param-passing branch from 187a10b to d70938d Compare January 27, 2023 23:39
@codecov

codecov bot commented Jan 27, 2023

Codecov Report

Merging #934 (d70938d) into develop (026d6b5) will increase coverage by 0.21%.
The diff coverage is 50.00%.

@@             Coverage Diff             @@
##           develop     #934      +/-   ##
===========================================
+ Coverage    81.34%   81.55%   +0.21%     
===========================================
  Files           65       65              
  Lines         2969     3003      +34     
===========================================
+ Hits          2415     2449      +34     
  Misses         554      554              
Impacted Files Coverage Δ
hvac/api/secrets_engines/aws.py 96.15% <50.00%> (ø)
hvac/api/auth_methods/mfa.py 100.00% <0.00%> (ø)
hvac/api/secrets_engines/kv.py 100.00% <0.00%> (ø)
hvac/api/secrets_engines/identity.py 94.00% <0.00%> (+0.02%) ⬆️
hvac/utils.py 77.27% <0.00%> (+0.20%) ⬆️
hvac/adapters.py 86.73% <0.00%> (+0.27%) ⬆️
hvac/api/vault_api_category.py 95.12% <0.00%> (+0.67%) ⬆️
hvac/v1/__init__.py 85.71% <0.00%> (+1.89%) ⬆️

@briantist briantist merged commit b11a2ec into hvac:develop Feb 23, 2023
@briantist briantist deleted the secrets/aws/generate_credentials-param-passing branch February 23, 2023 04:13
@briantist
Contributor Author

thanks for reviewing @dhuckins !

briantist added a commit that referenced this pull request Mar 6, 2023
briantist added a commit to briantist/hvac that referenced this pull request May 10, 2023
Successfully merging this pull request may close these issues.

Unable to generate_credentials() for an AWS secret engine STS endpoint