Describe the bug
Greetings! Following https://github.com/hashicorp/go-secure-stdlib/pull/57/files we started to notice our applications could not connect to Vault via their IAM Role (in an EKS cluster).
I've debugged this to:
In Vault in https://github.com/hashicorp/vault/blob/main/api/auth/aws/aws.go#L152-L157 they create the CredentialsConfig like this:

```go
credsConfig := awsutil.CredentialsConfig{
	AccessKey:    os.Getenv("AWS_ACCESS_KEY_ID"),
	SecretKey:    os.Getenv("AWS_SECRET_ACCESS_KEY"),
	SessionToken: os.Getenv("AWS_SESSION_TOKEN"),
	Logger:       logger,
}
```
Instead of going through NewCredentialsConfig, the struct is created with most fields empty.
This used to be okay because environment variables were then checked in GenerateCredentialChain, like this:
go-secure-stdlib/awsutil/generate_credentials.go
Lines 151 to 162 in cd81001
But this changed with #57 where this was pushed in the struct initializer, so roleARN is not filled anymore from the environment by default.
To Reproduce

Steps to reproduce the behavior:

```go
if auth, err = awsauth.NewAWSAuth(awsauth.WithRegion("us-east-1")); err != nil {
	return ErrorAWSSessionDetails(v.driver, nil, err)
}
if info, err = (*api.Client).Auth().Login(context.Background(), auth); err != nil {
	return errors.Errorf("unable to login to aws auth method with reason: %v", err)
}
```
Let me know if I can provide you with more details 👍
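
A simplified model of the regression described in this issue, added here as an illustration and not taken from go-secure-stdlib or Vault. The type and function names are hypothetical stand-ins, the ARN is constructed, and `AWS_ROLE_ARN` is assumed to be the variable that supplies the role in the EKS setup:

```go
package main

import (
	"fmt"
	"os"
)

// credsConfig is a hypothetical stand-in, not the real awsutil.CredentialsConfig.
type credsConfig struct {
	AccessKey string
	RoleARN   string
}

// newCredsConfig models the state after the change: only the constructor reads the environment.
func newCredsConfig() *credsConfig {
	return &credsConfig{RoleARN: os.Getenv("AWS_ROLE_ARN")} // assumed variable name
}

// providerFor names the credential source a chain would pick for these values.
func providerFor(accessKey, roleARN string) string {
	switch {
	case accessKey != "":
		return "static"
	case roleARN != "":
		return "web-identity"
	}
	return "default" // whatever the ambient default chain resolves to
}

// chainBefore models the old chain builder: empty fields fall back to the environment.
func chainBefore(c *credsConfig) string {
	roleARN := c.RoleARN
	if roleARN == "" {
		roleARN = os.Getenv("AWS_ROLE_ARN")
	}
	return providerFor(c.AccessKey, roleARN)
}

// chainAfter models the new chain builder: it trusts the struct as given.
func chainAfter(c *credsConfig) string {
	return providerFor(c.AccessKey, c.RoleARN)
}

func main() {
	os.Setenv("AWS_ROLE_ARN", "arn:aws:iam::000000000000:role/constructed-example")
	literal := &credsConfig{AccessKey: os.Getenv("AWS_ACCESS_KEY_ID")} // caller skips the constructor
	// Old builder + literal, new builder + literal, new builder + constructor.
	fmt.Println(chainBefore(literal), chainAfter(literal), chainAfter(newCredsConfig()))
}
```

A struct literal that omits the role field silently changes which identity is used once the fallback moves into the constructor, so callers need to either use the constructor or set the field explicitly.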