
secrets/aws: disable environment and shared credential providers when using WIF #29982


Merged: 3 commits merged into main, Mar 25, 2025

Conversation

vinay-gopalan (Contributor)

Description

As of today, WIF is unusable in certain environments that make use of AWS Profiles or environment variables for other purposes, such as using KMS or HVD. This is due to the AWS Secrets Engine picking up the shared credentials in the environment, and adding multiple providers when generating its credential chain.

This PR explicitly disables Shared Credential and Environment Variable Providers if WIF parameters are explicitly set as part of the root AWS Config. If WIF is not being used, environment / shared credentials can be used as expected.
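To make the failure mode from the description concrete, here is an added model in Go (not Vault or go-secure-stdlib code) of how a first-match credential chain behaves: with the pre-fix rule, a stray AWS_ACCESS_KEY_ID left in the environment for KMS is picked before web identity and shadows it; with the PR's rule, the environment and shared providers are omitted as soon as WIF parameters are set. The provider ordering, the WIFConfig field names and the sample credentials are constructed assumptions.

```go
package main

import "fmt"

// Provider models one link in an AWS credential chain (constructed stand-in for credentials.Provider).
type Provider struct {
	Name     string
	Retrieve func() (string, error) // credential label, or an error if this source is empty
}

// WIFConfig holds the root-config fields whose presence means WIF is in use (names assumed).
type WIFConfig struct{ RoleARN, Audience string }
func (c WIFConfig) wifSet() bool { return c.RoleARN != "" && c.Audience != "" }

// Constructed sample sources: a leftover AWS_ACCESS_KEY_ID meant for KMS, an empty
// shared profile, and the web identity (WIF) provider.
var (
	envProv    = Provider{"environment", func() (string, error) { return "env-creds-for-KMS", nil }}
	sharedProv = Provider{"shared", func() (string, error) { return "", fmt.Errorf("no profile") }}
	wifProv    = Provider{"web-identity", func() (string, error) { return "wif-assumed-role", nil }}
)

// buildChain assembles the chain. disableWhenWIF=false is the pre-fix behaviour (env and shared
// always added ahead of web identity; assumed ordering); true is the PR's rule: skip them when WIF is set.
func buildChain(cfg WIFConfig, disableWhenWIF bool) []Provider {
	var chain []Provider
	if !(disableWhenWIF && cfg.wifSet()) {
		chain = append(chain, envProv, sharedProv)
	}
	if cfg.wifSet() {
		chain = append(chain, wifProv)
	}
	return chain
}

// resolve returns the name of the first provider that yields credentials, as the SDK chain does.
func resolve(chain []Provider) (string, error) {
	for _, p := range chain {
		if _, err := p.Retrieve(); err == nil {
			return p.Name, nil
		}
	}
	return "", fmt.Errorf("no provider returned credentials")
}

func main() {
	cfg := WIFConfig{"arn:aws:iam::123456789012:role/vault", "vault.example"}
	fmt.Println(resolve(buildChain(cfg, false))) // environment <nil>
	fmt.Println(resolve(buildChain(cfg, true)))  // web-identity <nil>
}
```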

@vinay-gopalan vinay-gopalan requested a review from a team as a code owner March 20, 2025 21:47
@vinay-gopalan vinay-gopalan added this to the 1.19.1 milestone Mar 20, 2025
@github-actions github-actions bot added the hashicorp-contributed-pr label (If the PR is HashiCorp, i.e. not-community, contributed) Mar 20, 2025
@vinay-gopalan vinay-gopalan requested a review from a team as a code owner March 20, 2025 21:50
@vinay-gopalan vinay-gopalan requested a review from yankun91 March 20, 2025 21:50

github-actions bot commented Mar 20, 2025

CI Results:
All Go tests succeeded! ✅


github-actions bot commented Mar 20, 2025

Build Results:
All builds succeeded! ✅

@vinay-gopalan vinay-gopalan removed the request for review from yankun91 March 20, 2025 22:40
@fairclothjm fairclothjm (Contributor) left a comment

Is it possible to add test coverage for this?


```go
// explicitly disable environment and shared credential providers when using Web Identity Token Fetcher
// enables WIF usage in environments that may use AWS Profiles or environment variables for other use-cases
opts = append(opts, awsutil.WithEnvironmentCredentials(false), awsutil.WithSharedCredentials(false))
```
Contributor

If I am understanding correctly, there will be no change in behavior for AWS WIF flows or any other AWS integration in Vault such as KMS?

vinay-gopalan (Contributor Author)

Exactly! This only controls the credential chain that the AWS Secrets Engine generates from its parameters and environment, and would not affect any other credential generations that AWS KMS or HVD use in their workflows. For context, here is the KMS wrapper for AWS generating its own credential chain for its uses, separate from the AWS Secrets Engine.

This fix would only block env and shared credential providers if WIF was enabled; otherwise it defaults to the original behavior.

@vinay-gopalan (Contributor Author)

Is it possible to add test coverage for this?

Good questions! Adding an acceptance test on the Vault side is a bit tricky, since we would need to confirm that the environment and shared credential providers are not included in the credential chain which I'm not sure is doable on the Vault side. However, there are already existing tests on the go-secure-stdlib side that confirm that setting these options to false works as expected, so I thought we could rely on the library side tests to validate the fix along with the manual testing to confirm that setting these values to false disables the credential providers. LMK if that sounds sufficient!

@vinay-gopalan vinay-gopalan merged commit a5d9a15 into main Mar 25, 2025
92 checks passed
@vinay-gopalan vinay-gopalan deleted the VAULT-25832/aws-disable-providers-with-wif branch March 25, 2025 17:37
Labels
backport/1.19.x, hashicorp-contributed-pr (If the PR is HashiCorp, i.e. not-community, contributed)
2 participants