From 50cc3bbd5f33f059f8b78a44ef14d813495c2cb9 Mon Sep 17 00:00:00 2001 From: Lincoln Stoll Date: Mon, 6 Mar 2023 18:52:10 +0100 Subject: [PATCH] Web identity profiles with role ARNs are valid Profiles that specify web identity process or files require the role ARN to be set as well. Since the 7.0.0 release, this has been failing validation because it is now considered to have two sources of credentials. This fixes the validation to correctly consider this as a profile with one source credential. Fixes #1177 --- vault/config.go | 7 ++++++- vault/config_test.go | 10 ++++++++++ 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/vault/config.go b/vault/config.go index bc8c6eca4..f769b772d 100644 --- a/vault/config.go +++ b/vault/config.go @@ -698,7 +698,12 @@ func (c *ProfileConfig) Validate() error { } if c.HasSourceProfile() { n++ - } else if c.HasRole() { + } + if c.HasRole() && + // these cases require the role to be set in addition, so it's part of + // their credential. + !c.HasSourceProfile() && + !c.HasWebIdentity() { n++ } if n > 1 { diff --git a/vault/config_test.go b/vault/config_test.go index 3e3644ab0..c69c116db 100644 --- a/vault/config_test.go +++ b/vault/config_test.go @@ -635,6 +635,10 @@ source_profile = foo region = eu-west-2 mfa_serial = arn:aws:iam::9999999999999:mfa/david credential_process = true + +[profile withwebidentity] +role_arn = arn:aws:iam::123457890:role/foo +web_identity_token_process = oidccli -issuer=https://example.com -client-id=aws -client-secret=localonly raw `)) defer os.Remove(f) configFile, _ := vault.LoadConfig(f) @@ -651,4 +655,10 @@ credential_process = true if err == nil { t.Fatalf("Should have failed validation: %v", err) } + + config, _ = configLoader.GetProfileConfig("withwebidentity") + err = config.Validate() + if err != nil { + t.Fatalf("Should have validated withwebidentity: %v", err) + } }