Skip to content

Commit

Permalink
Merge pull request #1178 from lstoll/lstoll-fix-validation
Browse files Browse the repository at this point in the history
Web identity profiles with role ARNs are valid
  • Loading branch information
mtibben authored Mar 6, 2023
2 parents ec5e53c + 50cc3bb commit b49b846
Show file tree
Hide file tree
Showing 2 changed files with 16 additions and 1 deletion.
7 changes: 6 additions & 1 deletion vault/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -698,7 +698,12 @@ func (c *ProfileConfig) Validate() error {
}
if c.HasSourceProfile() {
n++
} else if c.HasRole() {
}
if c.HasRole() &&
// these cases require the role to be set in addition, so it's part of
// their credential.
!c.HasSourceProfile() &&
!c.HasWebIdentity() {
n++
}
if n > 1 {
Expand Down
10 changes: 10 additions & 0 deletions vault/config_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -635,6 +635,10 @@ source_profile = foo
region = eu-west-2
mfa_serial = arn:aws:iam::9999999999999:mfa/david
credential_process = true
[profile withwebidentity]
role_arn = arn:aws:iam::123457890:role/foo
web_identity_token_process = oidccli -issuer=https://example.com -client-id=aws -client-secret=localonly raw
`))
defer os.Remove(f)
configFile, _ := vault.LoadConfig(f)
Expand All @@ -651,4 +655,10 @@ credential_process = true
if err == nil {
t.Fatalf("Should have failed validation: %v", err)
}

config, _ = configLoader.GetProfileConfig("withwebidentity")
err = config.Validate()
if err != nil {
t.Fatalf("Should have validated withwebidentity: %v", err)
}
}

0 comments on commit b49b846

Please sign in to comment.