
auth/aws: Make identity alias configurable #5247

Merged

Conversation

joelthompson
Contributor

This is inspired by #4178, though not quite exactly what is requested
there. Rather than just use RoleSessionName as the Identity alias, the
full ARN is used as the Alias. This mitigates against concerns that an
AWS role with an insufficiently secured trust policy could allow an
attacker to generate arbitrary RoleSessionNames in AssumeRole calls to
impersonate anybody in the Identity store that had an alias set up.
By using the full ARN, the owner of the identity store has to explicitly
trust specific AWS roles in specific AWS accounts to generate an
appropriate RoleSessionName to map back to an identity.

Fixes #4178

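To make the argument above concrete, here is an added illustration (not code from this PR or from Vault) of why the alias choice matters. It assumes the standard STS assumed-role ARN layout `arn:aws:sts::<account>:assumed-role/<RoleName>/<RoleSessionName>`; the mode names and sample ARNs are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// IdentityAliasMode selects which part of the caller identity becomes the
// identity alias. These names are hypothetical, not Vault's config values.
type IdentityAliasMode int

const (
	AliasRoleSessionName IdentityAliasMode = iota // alias = RoleSessionName only
	AliasFullARN                                  // alias = whole assumed-role ARN
)

// ParseAssumedRoleARN splits an STS assumed-role ARN into account, role
// name and session name, rejecting anything that is not an assumed-role ARN.
func ParseAssumedRoleARN(arn string) (account, role, session string, err error) {
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" || parts[2] != "sts" {
		return "", "", "", fmt.Errorf("not an STS ARN: %q", arn)
	}
	res := strings.Split(parts[5], "/")
	if len(res) != 3 || res[0] != "assumed-role" {
		return "", "", "", fmt.Errorf("not an assumed-role ARN: %q", arn)
	}
	return parts[4], res[1], res[2], nil
}

// IdentityAlias derives the alias an identity store would match on.
func IdentityAlias(arn string, mode IdentityAliasMode) (string, error) {
	_, _, session, err := ParseAssumedRoleARN(arn)
	if err != nil {
		return "", err
	}
	switch mode {
	case AliasRoleSessionName:
		return session, nil // any role that can pick this session name collides
	case AliasFullARN:
		return arn, nil // account and role are part of the alias
	}
	return "", fmt.Errorf("unknown alias mode %d", mode)
}

func main() {
	// Constructed sample: two roles in different accounts, same session name.
	trusted := "arn:aws:sts::111111111111:assumed-role/DeployRole/alice"
	other := "arn:aws:sts::222222222222:assumed-role/AnyRole/alice"
	for _, m := range []IdentityAliasMode{AliasRoleSessionName, AliasFullARN} {
		a, _ := IdentityAlias(trusted, m)
		b, _ := IdentityAlias(other, m)
		fmt.Printf("mode %d: aliases collide=%v (%s vs %s)\n", m, a == b, a, b)
	}
}
```

Under the session-name mode the two callers map to the same alias; under the full-ARN mode the identity store owner must list the exact account and role for the alias to match.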
@jefferai jefferai added this to the 0.11.1 milestone Sep 2, 2018
@chrishoffman chrishoffman modified the milestones: 0.11.1, 0.11.2 Sep 5, 2018
Files with review threads:
builtin/credential/aws/backend_test.go
builtin/credential/aws/path_config_identity_test.go
builtin/credential/aws/path_login.go
builtin/credential/aws/path_login.go
builtin/credential/aws/path_login.go
website/source/api/auth/aws/index.html.md
@vishalnayak vishalnayak merged commit d12547c into hashicorp:master Sep 26, 2018
@joelthompson joelthompson deleted the aws_auth_configurable_aliases branch September 26, 2018 16:01