diff --git a/builtin/credential/aws/cli.go b/builtin/credential/aws/cli.go
index c8ff02a266..7b063fa5f4 100644
--- a/builtin/credential/aws/cli.go
+++ b/builtin/credential/aws/cli.go
@@ -44,8 +44,14 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, erro
 }
 region := m["region"]
- if region == "" {
+ switch region {
+ case "":
+ // The CLI has always defaulted to "us-east-1" if a region is not provided.
 region = awsutil.DefaultRegion
+ case "auto":
+ // Beginning in 1.10 we also accept the "auto" value, which uses the region detection logic in
+ // awsutil.GetRegion() to determine the region. That behavior is triggered when region = "".
+ region = ""
 }
 loginData, err := awsutil.GenerateLoginData(creds, headerValue, region, hlogger)
@@ -73,8 +79,8 @@ func (h *CLIHandler) Help() string {
 Usage: vault login -method=aws [CONFIG K=V...]
 The AWS auth method allows users to authenticate with AWS IAM
- credentials. The AWS IAM credentials may be specified in a number of ways,
- listed in order of precedence below:
+ credentials. The AWS IAM credentials, and optionally the AWS region, may be
+ specified in a number of ways, listed in order of precedence below:
 1. Explicitly via the command line (not recommended)
@@ -112,6 +118,11 @@ Configuration:
 here as well. If specified here, it takes precedence over the value
 for -path. The default value is "aws".
+ region=
+ Explicit AWS region to reach out to for authentication request signing. A value
+ of "auto" enables auto-detection of region based on the precedence described above.
+ Defaults to "us-east-1" if not specified.
+
 role=
 Name of the role to request a token against
diff --git a/changelog/14051.txt b/changelog/14051.txt
new file mode 100644
index 0000000000..00068e7d65
--- /dev/null
+++ b/changelog/14051.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+auth/aws: Enable region detection in the CLI by specifying the region as `auto`
+```
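Review bot: The `case "auto":` branch in Auth works by clearing `region` so that awsutil.GenerateLoginData falls back to its own detection, which leaves the two comments as the only statement that an explicit empty value and `auto` are meant to resolve differently, and the literal `"auto"` is then repeated in the Help text. A named constant, `const regionAuto = "auto"` used as `case regionAuto:`, keeps the accepted CLI value and its documentation in one place. What awsutil.GetRegion() consults is not visible in this hunk, so if GenerateLoginData does not already log it, the resolved region should be emitted at debug level through `hlogger`; a detected region that differs from the STS endpoint the server is configured for will otherwise surface only as a signature or endpoint mismatch at login time. Auth starts before and continues after the hunk.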
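Review bot: The new `region=` entry in Help says that `auto` detects the region "based on the precedence described above", but the numbered list above it describes where IAM credentials come from, while the code comment in Auth attributes region detection to awsutil.GetRegion(), whose sources are not stated anywhere in the hunk. Suggested wording: `A value of "auto" lets the CLI detect the region (see awsutil.GetRegion) instead of applying the default; an explicitly named region is always used as given.` The aws.mdx hunk in this commit uses the same "standard AWS credentials precedence" phrasing and would need the same correction. The literal `"us-east-1"` here also duplicates awsutil.DefaultRegion, so the two can drift if the default changes. Help starts before and ends after the hunk.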
diff --git a/website/content/docs/auth/aws.mdx b/website/content/docs/auth/aws.mdx
index 1bcf8656be..1396473f73 100644
--- a/website/content/docs/auth/aws.mdx
+++ b/website/content/docs/auth/aws.mdx
@@ -658,8 +659,9 @@ The region used defaults to `us-east-1`, but you can specify a custom region lik
 $ vault login -method=aws region=us-west-2 role=dev-role-iam
 ```
- When using a custom region, be sure the designated region corresponds to that of the
- STS endpoint you're using.
+ If the region is specified as `auto`, the Vault CLI will determine the region based
+ on standard AWS credentials precedence as described earlier. Whichever method is used,
+ be sure the designated region corresponds to that of the STS endpoint you're using.
 An example of how to generate the required request values for the `login` method
 can be found found in the [vault cli
@@ -833,9 +834,9 @@ namespace Examples
 {
- public class AwsAuthExample
+ public class AwsAuthExample
 {
- ///
+ ///
 /// Fetches a key-value secret (kv-v2) after authenticating to Vault via AWS IAM,
 /// one of two auth methods used to authenticate with AWS (the other is EC2 auth).
 ///
@@ -856,12 +857,12 @@ namespace Examples
 var amazonSecurityTokenServiceConfig = new AmazonSecurityTokenServiceConfig();
 // Initialize BasicAWS Credentials w/ an accessKey and secretKey
- Amazon.Runtime.AWSCredentials awsCredentials = new BasicAWSCredentials(accessKey: Environment.GetEnvironmentVariable("AWS_ACCESS_KEY_ID"),
+ Amazon.Runtime.AWSCredentials awsCredentials = new BasicAWSCredentials(accessKey: Environment.GetEnvironmentVariable("AWS_ACCESS_KEY_ID"),
 secretKey: Environment.GetEnvironmentVariable("AWS_SECRET_ACCESS_KEY"));
-
+
 // Construct the IAM Request and add necessary headers
 var iamRequest = GetCallerIdentityRequestMarshaller.Instance.Marshall(new GetCallerIdentityRequest());
-
+
 iamRequest.Endpoint = new Uri(amazonSecurityTokenServiceConfig.DetermineServiceURL());
 iamRequest.ResourcePath = "/";
@@ -883,9 +884,9 @@ namespace Examples
 // We can retrieve the secret from the VaultClient object
 Secret kv2Secret = null;
 kv2Secret = vaultClient.V1.Secrets.KeyValue.V2.ReadSecretAsync(path: "/creds").Result;
-
+
 var password = kv2Secret.Data.Data["password"];
-
+
 return password.ToString();
 }
 }