Remove config validation. Debug logs show which credential source is used
mtibben committed Mar 9, 2023
1 parent 73bd342 commit cda0841
Showing 3 changed files with 13 additions and 94 deletions.
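--- a/vault/config.go
+++ b/vault/config.go
@@ -680,35 +680,3 @@ func (c *ProfileConfig) GetSessionTokenDuration() time.Duration {
 }
 return c.NonChainedGetSessionTokenDuration
 }
-
-func (c *ProfileConfig) Validate() error {
-if c.HasSSOSession() && !c.HasSSOStartURL() {
-return fmt.Errorf("profile '%s' has sso_session but no sso_start_url", c.ProfileName)
-}
-
-n := 0
-if c.HasSSOStartURL() {
-n++
-}
-if c.HasWebIdentity() {
-n++
-}
-if c.HasCredentialProcess() {
-n++
-}
-if c.HasSourceProfile() {
-n++
-}
-if c.HasRole() &&
-// these cases require the role to be set in addition, so it's part of
-// their credential.
-!c.HasSourceProfile() &&
-!c.HasWebIdentity() {
-n++
-}
-if n > 1 {
-return fmt.Errorf("profile '%s' has more than one source of credentials", c.ProfileName)
-}
-
-return nil
-}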
46 changes: 0 additions & 46 deletions vault/config_test.go
Expand Up @@ -616,49 +616,3 @@ source_profile = interim
t.Fatalf("Expected transitive_session_tags to be empty, got %+v", baseConfig.TransitiveSessionTags)
}
}

func TestValidConfigValidation(t *testing.T) {
f := newConfigFile(t, []byte(`
[profile foo]
region = eu-west-1
mfa_serial = arn:aws:iam::9999999999999:mfa/david
[profile foo:staging]
role_arn = arn:aws:iam::1111111111111:role/admin
source_profile = foo
region = eu-west-2
mfa_serial = arn:aws:iam::9999999999999:mfa/david
[profile foo:production]
role_arn = arn:aws:iam::1111111111111:role/admin
source_profile = foo
region = eu-west-2
mfa_serial = arn:aws:iam::9999999999999:mfa/david
credential_process = true
[profile withwebidentity]
role_arn = arn:aws:iam::123457890:role/foo
web_identity_token_process = oidccli -issuer=https://example.com -client-id=aws -client-secret=localonly raw
`))
defer os.Remove(f)
configFile, _ := vault.LoadConfig(f)
configLoader := &vault.ConfigLoader{File: configFile}

config, _ := configLoader.GetProfileConfig("foo:staging")
err := config.Validate()
if err != nil {
t.Fatalf("Should have validated: %v", err)
}

config, _ = configLoader.GetProfileConfig("foo:production")
err = config.Validate()
if err == nil {
t.Fatalf("Should have failed validation: %v", err)
}

config, _ = configLoader.GetProfileConfig("withwebidentity")
err = config.Validate()
if err != nil {
t.Fatalf("Should have validated withwebidentity: %v", err)
}
}
29 changes: 13 additions & 16 deletions vault/vault.go
Expand Up @@ -257,24 +257,21 @@ func (t *tempCredsCreator) getSourceCreds(config *ProfileConfig) (sourcecredsPro
}

func (t *tempCredsCreator) GetProviderForProfile(config *ProfileConfig) (aws.CredentialsProvider, error) {
if err := config.Validate(); err != nil {
return nil, err
}

if config.HasSSOStartURL() {
log.Printf("profile %s: using SSO role credentials", config.ProfileName)
return NewSSORoleCredentialsProvider(t.Keyring.Keyring, config, !t.DisableCache)
}
if !t.Keyring.HasStoredCredential(config.ProfileName) {
if config.HasSSOStartURL() {
log.Printf("profile %s: using SSO role credentials", config.ProfileName)
return NewSSORoleCredentialsProvider(t.Keyring.Keyring, config, !t.DisableCache)
}

if config.HasWebIdentity() {
log.Printf("profile %s: using web identity", config.ProfileName)
return NewAssumeRoleWithWebIdentityProvider(t.Keyring.Keyring, config, !t.DisableCache)
}
if config.HasWebIdentity() {
log.Printf("profile %s: using web identity", config.ProfileName)
return NewAssumeRoleWithWebIdentityProvider(t.Keyring.Keyring, config, !t.DisableCache)
}

storedCredentialForProfile := t.Keyring.HasStoredCredential(config.ProfileName)
if !storedCredentialForProfile && config.HasCredentialProcess() {
log.Printf("profile %s: using credential process", config.ProfileName)
return NewCredentialProcessProvider(t.Keyring.Keyring, config, !t.DisableCache)
if config.HasCredentialProcess() {
log.Printf("profile %s: using credential process", config.ProfileName)
return NewCredentialProcessProvider(t.Keyring.Keyring, config, !t.DisableCache)
}
}

sourcecredsProvider, err := t.getSourceCreds(config)
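Review bot: With `Validate` gone, a profile that carries several credential sources is no longer rejected, and the new `if !t.Keyring.HasStoredCredential(config.ProfileName)` guard makes a credential stored in the keyring silently take priority over the profile's sso_start_url, web identity and credential_process settings; the `log.Printf` calls only sit inside the three inner branches, so nothing is logged when stored credentials shadow an SSO or web-identity configuration the user believes is in effect. The precedence should be stated on the function, e.g. `// GetProviderForProfile picks one credential source per profile: a credential stored in the keyring wins over sso_start_url, web_identity and credential_process, which in turn win over source_profile.`, and the shadowing case should get its own debug line, e.g. `log.Printf("profile %s: stored credentials found, ignoring sso/web identity/credential_process settings", config.ProfileName)` in an `else` branch of the outer `if`. The function continues past the hunk into `getSourceCreds`, so the exact placement of that log line depends on code not visible here.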
