Fixed integration tests, startup, config

docs/modules/ROOT/pages/includes/quarkus-vault.adoc

@@ -867,6 +867,102 @@ endif::add-copy-button-to-env-var[]
 |`auth/kubernetes`
 
 
+a| [[quarkus-vault_quarkus.vault.authentication.aws-iam.role]]`link:#quarkus-vault_quarkus.vault.authentication.aws-iam.role[quarkus.vault.authentication.aws-iam.role]`
+
+[.description]
+--
+AWS IAM authentication role that has been created in Vault to associate Vault policies, with ARN. This property is required when selecting the AWS IAM authentication type.
+
+ifdef::add-copy-button-to-env-var[]
+Environment variable: env_var_with_copy_button:+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_ROLE+++[]
+endif::add-copy-button-to-env-var[]
+ifndef::add-copy-button-to-env-var[]
+Environment variable: `+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_ROLE+++`
+endif::add-copy-button-to-env-var[]
+--|string 
+|
+
+
+a| [[quarkus-vault_quarkus.vault.authentication.aws-iam.region]]`link:#quarkus-vault_quarkus.vault.authentication.aws-iam.region[quarkus.vault.authentication.aws-iam.region]`
+
+[.description]
+--
+The AWS region to use for AWS IAM authentication.
+
+ifdef::add-copy-button-to-env-var[]
+Environment variable: env_var_with_copy_button:+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_REGION+++[]
+endif::add-copy-button-to-env-var[]
+ifndef::add-copy-button-to-env-var[]
+Environment variable: `+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_REGION+++`
+endif::add-copy-button-to-env-var[]
+--|string 
+|
+
+
+a| [[quarkus-vault_quarkus.vault.authentication.aws-iam.sts-url]]`link:#quarkus-vault_quarkus.vault.authentication.aws-iam.sts-url[quarkus.vault.authentication.aws-iam.sts-url]`
+
+[.description]
+--
+The URL of the AWS STS endpoint to use for AWS IAM authentication.
+
+ifdef::add-copy-button-to-env-var[]
+Environment variable: env_var_with_copy_button:+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_STS_URL+++[]
+endif::add-copy-button-to-env-var[]
+ifndef::add-copy-button-to-env-var[]
+Environment variable: `+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_STS_URL+++`
+endif::add-copy-button-to-env-var[]
+--|string 
+|`https://sts.amazonaws.com`
+
+
+a| [[quarkus-vault_quarkus.vault.authentication.aws-iam.vault-server-id]]`link:#quarkus-vault_quarkus.vault.authentication.aws-iam.vault-server-id[quarkus.vault.authentication.aws-iam.vault-server-id]`
+
+[.description]
+--
+The Vault server ID to use for AWS IAM authentication.
+
+ifdef::add-copy-button-to-env-var[]
+Environment variable: env_var_with_copy_button:+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_VAULT_SERVER_ID+++[]
+endif::add-copy-button-to-env-var[]
+ifndef::add-copy-button-to-env-var[]
+Environment variable: `+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_VAULT_SERVER_ID+++`
+endif::add-copy-button-to-env-var[]
+--|string 
+|
+
+
+a| [[quarkus-vault_quarkus.vault.authentication.aws-iam.aws-access-key]]`link:#quarkus-vault_quarkus.vault.authentication.aws-iam.aws-access-key[quarkus.vault.authentication.aws-iam.aws-access-key]`
+
+[.description]
+--
+The AWS access key ID to use for AWS IAM authentication.
+
+ifdef::add-copy-button-to-env-var[]
+Environment variable: env_var_with_copy_button:+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_AWS_ACCESS_KEY+++[]
+endif::add-copy-button-to-env-var[]
+ifndef::add-copy-button-to-env-var[]
+Environment variable: `+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_AWS_ACCESS_KEY+++`
+endif::add-copy-button-to-env-var[]
+--|string 
+|
+
+
+a| [[quarkus-vault_quarkus.vault.authentication.aws-iam.aws-secret-key]]`link:#quarkus-vault_quarkus.vault.authentication.aws-iam.aws-secret-key[quarkus.vault.authentication.aws-iam.aws-secret-key]`
+
+[.description]
+--
+The AWS secret access key to use for AWS IAM authentication.
+
+ifdef::add-copy-button-to-env-var[]
+Environment variable: env_var_with_copy_button:+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_AWS_SECRET_KEY+++[]
+endif::add-copy-button-to-env-var[]
+ifndef::add-copy-button-to-env-var[]
+Environment variable: `+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_AWS_SECRET_KEY+++`
+endif::add-copy-button-to-env-var[]
+--|string 
+|
+
+
 h|[[quarkus-vault_quarkus.vault.tls-tls]]link:#quarkus-vault_quarkus.vault.tls-tls[TLS]
 
 h|Type

integration-tests/vault-agroal/pom.xml

@@ -39,6 +39,11 @@
             <artifactId>quarkus-jdbc-postgresql</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>software.amazon.awssdk</groupId>
+            <artifactId>sts</artifactId>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <build>

integration-tests/vault-app/pom.xml

@@ -32,6 +32,11 @@
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-smallrye-health</artifactId>
         </dependency>
+        <dependency>
+            <groupId>software.amazon.awssdk</groupId>
+            <artifactId>sts</artifactId>
+            <scope>test</scope>
+        </dependency>
 
         <!-- test dependencies -->
         <dependency>

integration-tests/vault/pom.xml

@@ -36,6 +36,7 @@
         <dependency>
             <groupId>software.amazon.awssdk</groupId>
             <artifactId>sts</artifactId>
+            <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>io.quarkiverse.vault</groupId>

integration-tests/vault/src/test/java/io/quarkus/vault/VaultAwsIamITCase.java

@@ -3,14 +3,20 @@
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 
+import jakarta.inject.Inject;
+
 import org.eclipse.microprofile.config.inject.ConfigProperty;
+import org.jboss.logging.Logger;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.condition.DisabledOnOs;
 import org.junit.jupiter.api.condition.OS;
 import org.junit.jupiter.api.extension.RegisterExtension;
 
 import io.quarkus.test.QuarkusUnitTest;
 import io.quarkus.test.common.QuarkusTestResource;
+import io.quarkus.vault.runtime.client.VaultClient;
+import io.quarkus.vault.runtime.client.authmethod.VaultInternalAwsIamAuthMethod;
+import io.quarkus.vault.runtime.client.dto.auth.VaultAwsIamAuth;
 import io.quarkus.vault.test.VaultTestLifecycleManager;
 
 @DisabledOnOs(OS.WINDOWS) // https://github.com/quarkusio/quarkus/issues/3796
@@ -22,20 +28,37 @@ public class VaultAwsIamITCase {
             .withApplicationRoot((jar) -> jar
                     .addAsResource("application-vault-aws-iam.properties", "application.properties"));
 
+    private static final Logger log = Logger.getLogger(VaultAwsIamITCase.class);
+
     @ConfigProperty(name = "quarkus.vault.authentication.aws-iam.role")
     String role;
 
     @ConfigProperty(name = "quarkus.vault.authentication.aws-iam.aws-access-key")
     String key;
 
+    @Inject
+    VaultClient vaultClient;
+
+    @Inject
+    VaultInternalAwsIamAuthMethod vaultInternalAwsIamAuthMethod;
+
     @Test
-    public void testRole() {
+    public void testRoleConfig() {
         assertEquals("myawsiamrole", role);
     }
 
     @Test
-    public void testAwsAccessKey() {
+    public void testAwsAccessKeyConfig() {
         assertNotNull(key);
     }
 
+    @Test
+    public void testSuccessAuth() {
+        final VaultAwsIamAuth auth = vaultInternalAwsIamAuthMethod.login(vaultClient).await().indefinitely();
+
+        String awsIamClientToken = auth.auth.clientToken;
+        log.info("awsIamClientToken = " + awsIamClientToken);
+        assertNotNull(awsIamClientToken);
+    }
+
 }

integration-tests/vault/src/test/resources/application-vault-aws-iam.properties

@@ -8,13 +8,9 @@ quarkus.vault.authentication.aws-iam.vault-server-id=vault.example.com
 quarkus.vault.authentication.aws-iam.aws-access-key=${vault-test.aws-user.access-key}
 quarkus.vault.authentication.aws-iam.aws-secret-key=${vault-test.aws-user.secret-key}
 
-#quarkus.vault.tls.skip-verify=true
 quarkus.vault.tls.ca-cert=src/test/resources/vault-tls.crt
 
-#quarkus.vault.log-confidentiality-level=low
-#quarkus.vault.renew-grace-period=10
+quarkus.vault.log-confidentiality-level=low
+quarkus.vault.renew-grace-period=10
 
 quarkus.log.category."io.quarkus.vault".level=DEBUG
-
-#quarkus.log.level=DEBUG
-#quarkus.log.console.level=DEBUG

model/src/main/java/io/quarkus/vault/runtime/client/dto/auth/VaultAwsIamAuthAuthMetadata.java

@@ -4,5 +4,4 @@
 
 public class VaultAwsIamAuthAuthMetadata implements VaultModel {
 
-
 }

model/src/main/java/io/quarkus/vault/runtime/client/dto/auth/VaultAwsIamAuthBody.java

@@ -26,8 +26,7 @@ public VaultAwsIamAuthBody(
             final String requestMethod,
             final Base64String requestUrl,
             final Base64String requestBody,
-            final Base64String requestHeaders
-    ) {
+            final Base64String requestHeaders) {
         this.role = role;
         this.requestMethod = requestMethod;
         this.requestUrl = requestUrl;

runtime/src/main/java/io/quarkus/vault/runtime/VaultAuthManager.java

@@ -12,8 +12,6 @@
 import java.util.concurrent.atomic.AtomicReference;
 import java.util.function.Function;
 
-import io.quarkus.vault.runtime.client.authmethod.*;
-import io.quarkus.vault.runtime.client.dto.auth.*;
 import jakarta.inject.Singleton;
 
 import org.jboss.logging.Logger;
@@ -24,7 +22,9 @@
 import io.quarkus.vault.VaultException;
 import io.quarkus.vault.runtime.client.VaultClient;
 import io.quarkus.vault.runtime.client.VaultClientException;
+import io.quarkus.vault.runtime.client.authmethod.*;
 import io.quarkus.vault.runtime.client.backend.VaultInternalSystemBackend;
+import io.quarkus.vault.runtime.client.dto.auth.*;
 import io.quarkus.vault.runtime.client.dto.kv.VaultKvSecretV1;
 import io.quarkus.vault.runtime.client.dto.kv.VaultKvSecretV2;
 import io.quarkus.vault.runtime.config.VaultAuthenticationType;
@@ -166,9 +166,9 @@ private Uni<VaultToken> login(VaultClient vaultClient, VaultAuthenticationType t
         } else if (type == APPROLE) {
             String roleId = getConfig().authentication.appRole.roleId.get();
             authRequest = getSecretId(vaultClient)
-              .flatMap(secretId -> vaultInternalAppRoleAuthMethod.login(vaultClient, roleId, secretId))
-              .map(r -> r.auth);
-        } else if (type == AWS_IAM){
+                    .flatMap(secretId -> vaultInternalAppRoleAuthMethod.login(vaultClient, roleId, secretId))
+                    .map(r -> r.auth);
+        } else if (type == AWS_IAM) {
             authRequest = loginAwsIam(vaultClient);
         } else {
             throw new UnsupportedOperationException("unknown authType " + getConfig().getAuthenticationType());

runtime/src/main/java/io/quarkus/vault/runtime/client/authmethod/VaultInternalAwsIamAuthMethod.java

@@ -1,5 +1,16 @@
 package io.quarkus.vault.runtime.client.authmethod;
 
+import static java.util.stream.Collectors.joining;
+
+import java.io.ByteArrayInputStream;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.List;
+import java.util.Map;
+
+import jakarta.inject.Inject;
+import jakarta.inject.Singleton;
+
 import io.quarkus.vault.runtime.Base64String;
 import io.quarkus.vault.runtime.StringHelper;
 import io.quarkus.vault.runtime.VaultConfigHolder;
@@ -9,8 +20,6 @@
 import io.quarkus.vault.runtime.client.dto.auth.VaultAwsIamAuthBody;
 import io.quarkus.vault.runtime.config.VaultAwsIamAuthenticationConfig;
 import io.smallrye.mutiny.Uni;
-import jakarta.inject.Inject;
-import jakarta.inject.Singleton;
 import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
 import software.amazon.awssdk.auth.credentials.AwsCredentials;
 import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
@@ -20,14 +29,6 @@
 import software.amazon.awssdk.http.SdkHttpMethod;
 import software.amazon.awssdk.regions.Region;
 
-import java.io.ByteArrayInputStream;
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.util.List;
-import java.util.Map;
-
-import static java.util.stream.Collectors.joining;
-
 @Singleton
 public class VaultInternalAwsIamAuthMethod extends VaultInternalBase {
 
@@ -57,32 +58,32 @@ public Uni<VaultAwsIamAuth> login(VaultClient vaultClient) {
     }
 
     private VaultAwsIamAuthBody buildVaultRequestBody(SdkHttpFullRequest signedRequest) {
-      String headersString = headersToJsonString(signedRequest.headers());
+        String headersString = headersToJsonString(signedRequest.headers());
 
-      return new VaultAwsIamAuthBody(
-                vaultConfigHolder.getVaultBootstrapConfig().authentication.awsIam.role,
+        return new VaultAwsIamAuthBody(
+                vaultConfigHolder.getVaultBootstrapConfig().authentication.awsIam.role
+                        .orElseThrow(() -> new IllegalArgumentException("Role is required for AWS IAM authentication")),
                 "POST",
                 Base64String.from(signedRequest.getUri().toString()),
                 Base64String.from(GET_CALLER_IDENTITY_REQUEST_BODY),
-                Base64String.from(headersString)
-        );
+                Base64String.from(headersString));
+    }
+
+    private static String headersToJsonString(Map<String, List<String>> headers) {
+        return "{"
+                + headers.entrySet().stream()
+                        .map(entry -> "\"" + entry.getKey() + "\":["
+                                + entry.getValue().stream().map(value -> "\"" + value + "\"").collect(joining(","))
+                                + "]")
+                        .collect(joining(","))
+                + "}";
     }
 
-  private static String headersToJsonString(Map<String, List<String>> headers) {
-    return "{"
-            + headers.entrySet().stream()
-            .map(entry -> "\"" + entry.getKey() + "\":["
-                    + entry.getValue().stream().map(value -> "\"" + value + "\"").collect(joining(","))
-                    + "]")
-            .collect(joining(","))
-            + "}";
-  }
-
-  private SdkHttpFullRequest signRequest(
+    private SdkHttpFullRequest signRequest(
             SdkHttpFullRequest getCallerIdentityRequest,
-            AwsCredentials awsCredentials
-    ) {
-        Region region = Region.of(vaultConfigHolder.getVaultBootstrapConfig().authentication.awsIam.region);
+            AwsCredentials awsCredentials) {
+        Region region = Region.of(vaultConfigHolder.getVaultBootstrapConfig().authentication.awsIam.region
+                .orElseThrow(() -> new IllegalArgumentException("Region is required for AWS IAM authentication")));
         Aws4SignerParams params = Aws4SignerParams.builder()
                 .awsCredentials(awsCredentials)
                 .signingName("sts")
@@ -110,12 +111,10 @@ private SdkHttpFullRequest buildGetCallerIdentityRequest() throws URISyntaxExcep
                 .appendHeader("Content-Type", "application/x-www-form-urlencoded; charset=utf-8")
                 .appendHeader("Content-Length", String.valueOf(GET_CALLER_IDENTITY_REQUEST_BODY.length()))
                 .contentStreamProvider(() -> new ByteArrayInputStream(
-                        StringHelper.stringToBytes(GET_CALLER_IDENTITY_REQUEST_BODY)
-                ));
+                        StringHelper.stringToBytes(GET_CALLER_IDENTITY_REQUEST_BODY)));
 
         vaultConfigHolder.getVaultBootstrapConfig().authentication.awsIam.vaultServerId.ifPresent(
-                serverId -> builder.appendHeader("X-Vault-AWS-IAM-Server-ID", serverId)
-        );
+                serverId -> builder.appendHeader("X-Vault-AWS-IAM-Server-ID", serverId));
 
         return builder.build();
     }

runtime/src/main/java/io/quarkus/vault/runtime/config/VaultAuthenticationConfig.java

@@ -72,7 +72,7 @@ public boolean isUserpass() {
     }
 
     public boolean isAwsIam() {
-        return awsIam.stsUrl != null && awsIam.region != null && awsIam.role != null;
+        return awsIam.stsUrl != null && awsIam.region.isPresent() && awsIam.role.isPresent();
     }
 
 }

runtime/src/main/java/io/quarkus/vault/runtime/config/VaultAuthenticationType.java

@@ -34,7 +34,6 @@ public enum VaultAuthenticationType {
      */
     APPROLE,
 
-
     /**
      * AWS IAM vault authentication
      * <p>