Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow specifying role-default TTLs in AWS secret engine #5138

Merged
merged 7 commits into from
Oct 2, 2018
Merged

Allow specifying role-default TTLs in AWS secret engine #5138

merged 7 commits into from
Oct 2, 2018

Conversation

joelthompson
Copy link
Contributor

@joelthompson joelthompson commented Aug 19, 2018
edited
Loading

As requested in #387 (comment)

I'm not happy with the lack of tests, I want to refactor the tests a bit to make it easier to more comprehensively test this, still thinking about it, but wanted to open this early to get some feedback.

  • Add tests
  • Update documentation

cc @Xopherus

@joelthompson joelthompson mentioned this pull request Aug 19, 2018
Closed
@joelthompson
Copy link
Contributor Author

Turns out the test was easier to write than I imagined :)

@joelthompson joelthompson changed the title WIP: Allow specifying role-default TTLs in AWS secret engine Allow specifying role-default TTLs in AWS secret engine Aug 20, 2018
Xopherus
Xopherus previously approved these changes Aug 20, 2018
View reviewed changes
Copy link

@Xopherus Xopherus left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good @joelthompson! Only question I have is whether or not you're setting the 3600s / 1h default in code or not. The only reference I see is in the test, so I assume you're just letting AWS handle the default?

@jefferai
Copy link
Member

Hi @joelthompson ,

Is this meant specifically for STS? I assume so since for IAM there's already an option, plus there's mount-tuning and system defaults. If so, I think it needs to be renamed to be clear, like, default_sts_ttl or so -- or if it's going to apply to all, simply sts_ttl.

@joelthompson
Copy link
Contributor Author

@Xopherus, it retains the default in the same place in code: https://github.com/hashicorp/vault/pull/5138/files#diff-44c15850f659981333c0677651573294L32

@jefferai, yes, this is only for STS. Will update the parameter name.

jefferai
jefferai reviewed Aug 21, 2018
View reviewed changes
builtin/logical/aws/path_roles.go Outdated
@@ -389,6 +406,7 @@ func (r *awsRoleEntry) toResponseData() map[string]interface{} {
"policy_arns": r.PolicyArns,
"role_arns": r.RoleArns,
"policy_document": r.PolicyDocument,
"default_sts_ttl": r.DefaultSTSTTL / time.Second,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have a slight preference for the int64(r.DefaultSTSTTL.Seconds()) flow as that paradigm makes tests nicer -- when analyzing a returned map you get int64 instead of a time.Duration that is actually an integer number of seconds even though time.Duration represents nanoseconds.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, don't have an opinion either way, was just pattern matching off other places in the code. Done.

jefferai
jefferai previously approved these changes Aug 21, 2018
View reviewed changes
@joelthompson joelthompson mentioned this pull request Aug 28, 2018
Merged
@chrishoffman chrishoffman added this to the 0.11.1 milestone Aug 28, 2018
@jefferai jefferai modified the milestones: 0.11.1, 0.11.2 Sep 5, 2018
@andrejvanderzee
Copy link
Contributor

@jefferai Will this be merged soonish? We are interested implementing #5286, but it looks like half of my feature request is already implemented by this PR. After this PR is merged, I think it would make sense to implement a role-based sts_max_ttl too.

@joelthompson
Merge remote-tracking branch 'origin/master' into aws_secret_role_def…
f4d2e7f 
…ault_ttl
@joelthompson
Fix broken tests
fb55e16 
The merge of hashicorp#5383 broke the tests due to some changes in the test style
that didn't actually cause a git merge conflict. This updates the tests
to the new style.
vishalnayak
vishalnayak reviewed Sep 26, 2018
View reviewed changes
builtin/logical/aws/path_roles.go
@@ -61,6 +62,11 @@ will be passed in as the Policy parameter to the AssumeRole or
GetFederationToken API call, acting as a filter on permissions available.`,
},

"default_sts_ttl": &framework.FieldSchema{
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you think of naming this just sts_ttl? A value on the role will be used unless specified otherwise. The supplied value can be lesser but not greater and this can be documented.

Copy link
Contributor

@andrejvanderzee andrejvanderzee Sep 26, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Most plugins just call it ttl, so sts_ttl is a better fit I would say. The only exception is databases as far as I can see.

@chrishoffman chrishoffman merged commit 7e610e6 into hashicorp:master Oct 2, 2018
@joelthompson joelthompson deleted the aws_secret_role_default_ttl branch October 4, 2018 03:39
This pull request was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrejvanderzee andrejvanderzee andrejvanderzee left review comments

@vishalnayak vishalnayak vishalnayak left review comments

@jefferai jefferai jefferai left review comments

@Xopherus Xopherus Xopherus left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
0.11.2
Development

Successfully merging this pull request may close these issues.
6 participants
@joelthompson @jefferai @andrejvanderzee @vishalnayak @Xopherus @chrishoffman