Add AWS IAM Authentication to EnvironmentVaultConfiguration

pom.xml

@@ -234,6 +234,12 @@
 				<version>${aws-java-sdk.version}</version>
 				<optional>true</optional>
 			</dependency>
+			<dependency>
+				<groupId>software.amazon.awssdk</groupId>
+				<artifactId>sts</artifactId>
+				<version>${aws-java-sdk.version}</version>
+				<optional>true</optional>
+			</dependency>
 
 			<!-- GCP SDK -->
 			<dependency>

spring-vault-core/pom.xml

@@ -189,6 +189,21 @@
 				</exclusion>
 			</exclusions>
 		</dependency>
+		<dependency>
+			<groupId>software.amazon.awssdk</groupId>
+			<artifactId>sts</artifactId>
+			<optional>true</optional>
+			<exclusions>
+				<exclusion>
+					<groupId>software.amazon.ion</groupId>
+					<artifactId>ion-java</artifactId>
+				</exclusion>
+				<exclusion>
+					<groupId>com.fasterxml.jackson.dataformat</groupId>
+					<artifactId>jackson-dataformat-cbor</artifactId>
+				</exclusion>
+			</exclusions>
+		</dependency>
 
 		<dependency>
 			<groupId>com.google.apis</groupId>

spring-vault-core/src/main/java/org/springframework/vault/config/EnvironmentVaultConfiguration.java

@@ -38,6 +38,7 @@
 import org.springframework.vault.authentication.AppRoleAuthenticationOptions.RoleId;
 import org.springframework.vault.authentication.AppRoleAuthenticationOptions.SecretId;
 import org.springframework.vault.authentication.AwsEc2AuthenticationOptions.AwsEc2AuthenticationOptionsBuilder;
+import org.springframework.vault.authentication.AwsIamAuthenticationOptions.AwsIamAuthenticationOptionsBuilder;
 import org.springframework.vault.authentication.AzureMsiAuthenticationOptions.AzureMsiAuthenticationOptionsBuilder;
 import org.springframework.vault.authentication.CubbyholeAuthenticationOptions.CubbyholeAuthenticationOptionsBuilder;
 import org.springframework.vault.authentication.KubernetesAuthenticationOptions.KubernetesAuthenticationOptionsBuilder;
@@ -46,6 +47,7 @@
 import org.springframework.vault.support.SslConfiguration.KeyStoreConfiguration;
 import org.springframework.vault.support.VaultToken;
 import org.springframework.web.client.RestOperations;
+import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
 
 /**
  * Configuration using Spring's {@link org.springframework.core.env.Environment} to
@@ -162,12 +164,14 @@
  * @author Raoof Mohammed
  * @author Justin Bertrand
  * @author Ryan Gow
+ * @author Nick Tan
  * @see org.springframework.core.env.Environment
  * @see org.springframework.core.env.PropertySource
  * @see VaultEndpoint
  * @see AppIdAuthentication
  * @see AppRoleAuthentication
  * @see AwsEc2Authentication
+ * @see AwsIamAuthentication
  * @see AzureMsiAuthentication
  * @see ClientCertificateAuthentication
  * @see CubbyholeAuthentication
@@ -264,6 +268,8 @@ public ClientAuthentication clientAuthentication() {
 			return appRoleAuthentication();
 		case AWS_EC2:
 			return awsEc2Authentication();
+		case AWS_IAM:
+			return awsIamAuthentication();
 		case AZURE:
 			return azureMsiAuthentication();
 		case CERT:
@@ -369,6 +375,17 @@ protected ClientAuthentication awsEc2Authentication() {
 		return new AwsEc2Authentication(builder.build(), restOperations(), restOperations());
 	}
 
+	protected ClientAuthentication awsIamAuthentication() {
+		String role = getProperty("vault.aws-iam.role");
+		Assert.isTrue(StringUtils.hasText(role),
+				"Vault AWS-IAM authentication: Role (vault.aws-iam.role) must not be empty");
+
+		AwsIamAuthenticationOptionsBuilder builder = AwsIamAuthenticationOptions.builder().role(role)
+				.credentialsProvider(DefaultCredentialsProvider.create());
+
+		return new AwsIamAuthentication(builder.build(), restOperations());
+	}
+
 	protected ClientAuthentication azureMsiAuthentication() {
 
 		String role = getProperty("vault.azure-msi.role");
@@ -454,7 +471,7 @@ enum AppIdUserId {
 
 	enum AuthenticationMethod {
 
-		TOKEN, APPID, APPROLE, AWS_EC2, AZURE, CERT, CUBBYHOLE, KUBERNETES;
+		TOKEN, APPID, APPROLE, AWS_EC2, AWS_IAM, AZURE, CERT, CUBBYHOLE, KUBERNETES;
 
 	}
 

spring-vault-core/src/test/java/org/springframework/vault/config/EnvironmentVaultConfigurationAwsIamAuthenticationUnitTests.java

@@ -0,0 +1,58 @@
+/*
+ * Copyright 2017-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.vault.config;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
+import org.springframework.test.context.TestPropertySource;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.vault.authentication.AwsEc2Authentication;
+import org.springframework.vault.authentication.AwsIamAuthentication;
+import org.springframework.vault.authentication.ClientAuthentication;
+
+/**
+ * Unit tests for {@link EnvironmentVaultConfiguration} with AppRole authentication.
+ *
+ * @author Nick Tan
+ */
+@ExtendWith(SpringExtension.class)
+@TestPropertySource(
+		properties = { "vault.uri=https://localhost:8123", "vault.authentication=aws-iam", "vault.aws-iam.role=role" })
+class EnvironmentVaultConfigurationAwsIamAuthenticationUnitTests {
+
+	@Configuration
+	@Import(EnvironmentVaultConfiguration.class)
+	static class ApplicationConfiguration {
+
+	}
+
+	@Autowired
+	EnvironmentVaultConfiguration configuration;
+
+	@Test
+	void shouldConfigureAuthentication() {
+
+		ClientAuthentication clientAuthentication = this.configuration.clientAuthentication();
+
+		assertThat(clientAuthentication).isInstanceOf(AwsIamAuthentication.class);
+	}
+
+}