Merged
7 changes: 6 additions & 1 deletion builtin/logical/aws/client.go
Expand Up @@ -97,6 +97,7 @@ func (b *backend) getRootConfigs(ctx context.Context, s logical.Storage, clientT
}
}

opts := make([]awsutil.Option, 0)
if config.IdentityTokenAudience != "" {
ns, err := namespace.FromContext(ctx)
if err != nil {
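Review bot: `opts := make([]awsutil.Option, 0)` can simply be `var opts []awsutil.Option`; a nil slice appends and expands with `opts...` exactly the same way, and the zero-length make only adds an allocation. Declaring it immediately before the `if config.IdentityTokenAudience != ""` block is the right place, since that block is the only one that populates it.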
Expand All @@ -115,6 +116,10 @@ func (b *backend) getRootConfigs(ctx context.Context, s logical.Storage, clientT
credsConfig.RoleSessionName = fmt.Sprintf("vault-aws-secrets-%s", sessionSuffix)
credsConfig.WebIdentityTokenFetcher = fetcher
credsConfig.RoleARN = config.RoleARN

// explicitly disable environment and shared credential providers when using Web Identity Token Fetcher
// enables WIF usage in environments that may use AWS Profiles or environment variables for other use-cases
opts = append(opts, awsutil.WithEnvironmentCredentials(false), awsutil.WithSharedCredentials(false))
Contributor
If I am understanding correctly, there will be no change in behavior for AWS WIF flows or any other AWS integration in Vault such as KMS?

Contributor Author
Exactly! This only controls the credential chain that the AWS Secrets Engine generates from its parameters and environment, and would not affect any other credential generations that AWS KMS or HVD use in their workflows. For context, here is the KMS wrapper for AWS generating its own credential chain for its uses, separate from the AWS Secrets Engine.

This fix would only block env and shared credential providers if WIF was enabled; otherwise it defaults to the original behavior.

}

if len(regions) == 0 {
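Review bot: the two `append` calls change which credential sources are consulted whenever `IdentityTokenAudience` is set, but the PR touches only client.go and the changelog, so nothing exercises the new path. Suggest a unit test that configures an identity token audience, sets an access key in the process environment, and asserts the generated chain does not pick it up, alongside one without the audience asserting the existing provider order is unchanged. The code comment names only environment and shared-profile providers; if a static access key configured on the secrets engine itself is still meant to take precedence over the web identity token, say so in the comment, since that ordering is what an operator will wonder about when reading this block.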
Expand All @@ -132,7 +137,7 @@ func (b *backend) getRootConfigs(ctx context.Context, s logical.Storage, clientT
} else {
credsConfig.Region = fallbackRegion
}
creds, err := credsConfig.GenerateCredentialChain()
creds, err := credsConfig.GenerateCredentialChain(opts...)
if err != nil {
return nil, err
}
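Review bot: passing `opts...` keeps the non-WIF path identical to before (an empty option list), which matches the changelog's claim that only WIF behaviour changes. In the WIF path the chain now contains fewer providers, so a failure here is more likely a token-fetch problem than a missing environment variable, yet the error is still returned bare on the next line; consider wrapping it, for example `return nil, fmt.Errorf("generating AWS credential chain: %w", err)`, so operators can tell where the failure originated. `fmt` is already imported in this file, as the `fmt.Sprintf` call earlier in the function shows.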
3 changes: 3 additions & 0 deletions changelog/29982.txt
@@ -0,0 +1,3 @@
```release-note:bug
secrets/aws: fix a bug where environment and shared credential providers were overriding the WIF configuration
```
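Review bot: the release note says the providers "were overriding the WIF configuration" but does not say when the fix applies. Since the code only disables them when an identity token audience (`IdentityTokenAudience`) is configured, suggest adding that condition to the note so operators who do not use WIF can see at a glance that nothing changes for them.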