quarkiverse · yuriytkach · Jun 28, 2023 · Jun 28, 2023 · Jun 28, 2023 · Jun 29, 2023
@@ -40,6 +40,7 @@
 import io.quarkus.vault.runtime.client.PrivateVertxVaultClient;
 import io.quarkus.vault.runtime.client.SharedVertxVaultClient;
 import io.quarkus.vault.runtime.client.authmethod.VaultInternalAppRoleAuthMethod;
+import io.quarkus.vault.runtime.client.authmethod.VaultInternalAwsIamAuthMethod;
 import io.quarkus.vault.runtime.client.authmethod.VaultInternalKubernetesAuthMethod;
 import io.quarkus.vault.runtime.client.authmethod.VaultInternalTokenAuthMethod;
 import io.quarkus.vault.runtime.client.authmethod.VaultInternalUserpassAuthMethod;
@@ -119,6 +120,7 @@ AdditionalBeanBuildItem registerAdditionalBeans() {
                 .addBeanClass(VaultInternalUserpassAuthMethod.class)
                 .addBeanClass(VaultInternalDynamicCredentialsSecretEngine.class)
                 .addBeanClass(VaultInternalPKISecretEngine.class)
+                .addBeanClass(VaultInternalAwsIamAuthMethod.class)
                 .build();
     }
 

@@ -867,6 +867,102 @@ endif::add-copy-button-to-env-var[]
 |`auth/kubernetes`
 
 
+a| [[quarkus-vault_quarkus.vault.authentication.aws-iam.role]]`link:#quarkus-vault_quarkus.vault.authentication.aws-iam.role[quarkus.vault.authentication.aws-iam.role]`
+
+[.description]
+--
+AWS IAM authentication role that has been created in Vault to associate Vault policies, with ARN. This property is required when selecting the AWS IAM authentication type.
+
+ifdef::add-copy-button-to-env-var[]
+Environment variable: env_var_with_copy_button:+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_ROLE+++[]
+endif::add-copy-button-to-env-var[]
+ifndef::add-copy-button-to-env-var[]
+Environment variable: `+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_ROLE+++`
+endif::add-copy-button-to-env-var[]
+--|string 
+|
+
+
+a| [[quarkus-vault_quarkus.vault.authentication.aws-iam.region]]`link:#quarkus-vault_quarkus.vault.authentication.aws-iam.region[quarkus.vault.authentication.aws-iam.region]`
+
+[.description]
+--
+The AWS region to use for AWS IAM authentication.
+
+ifdef::add-copy-button-to-env-var[]
+Environment variable: env_var_with_copy_button:+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_REGION+++[]
+endif::add-copy-button-to-env-var[]
+ifndef::add-copy-button-to-env-var[]
+Environment variable: `+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_REGION+++`
+endif::add-copy-button-to-env-var[]
+--|string 
+|
+
+
+a| [[quarkus-vault_quarkus.vault.authentication.aws-iam.sts-url]]`link:#quarkus-vault_quarkus.vault.authentication.aws-iam.sts-url[quarkus.vault.authentication.aws-iam.sts-url]`
+
+[.description]
+--
+The URL of the AWS STS endpoint to use for AWS IAM authentication.
+
+ifdef::add-copy-button-to-env-var[]
+Environment variable: env_var_with_copy_button:+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_STS_URL+++[]
+endif::add-copy-button-to-env-var[]
+ifndef::add-copy-button-to-env-var[]
+Environment variable: `+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_STS_URL+++`
+endif::add-copy-button-to-env-var[]
+--|string 
+|`https://sts.amazonaws.com`
+
+
+a| [[quarkus-vault_quarkus.vault.authentication.aws-iam.vault-server-id]]`link:#quarkus-vault_quarkus.vault.authentication.aws-iam.vault-server-id[quarkus.vault.authentication.aws-iam.vault-server-id]`
+
+[.description]
+--
+The Vault server ID to use for AWS IAM authentication.
+
+ifdef::add-copy-button-to-env-var[]
+Environment variable: env_var_with_copy_button:+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_VAULT_SERVER_ID+++[]
+endif::add-copy-button-to-env-var[]
+ifndef::add-copy-button-to-env-var[]
+Environment variable: `+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_VAULT_SERVER_ID+++`
+endif::add-copy-button-to-env-var[]
+--|string 
+|
+
+
+a| [[quarkus-vault_quarkus.vault.authentication.aws-iam.aws-access-key]]`link:#quarkus-vault_quarkus.vault.authentication.aws-iam.aws-access-key[quarkus.vault.authentication.aws-iam.aws-access-key]`
+
+[.description]
+--
+The AWS access key ID to use for AWS IAM authentication.
+
+ifdef::add-copy-button-to-env-var[]
+Environment variable: env_var_with_copy_button:+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_AWS_ACCESS_KEY+++[]
+endif::add-copy-button-to-env-var[]
+ifndef::add-copy-button-to-env-var[]
+Environment variable: `+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_AWS_ACCESS_KEY+++`
+endif::add-copy-button-to-env-var[]
+--|string 
+|
+
+
+a| [[quarkus-vault_quarkus.vault.authentication.aws-iam.aws-secret-key]]`link:#quarkus-vault_quarkus.vault.authentication.aws-iam.aws-secret-key[quarkus.vault.authentication.aws-iam.aws-secret-key]`
+
+[.description]
+--
+The AWS secret access key to use for AWS IAM authentication.
+
+ifdef::add-copy-button-to-env-var[]
+Environment variable: env_var_with_copy_button:+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_AWS_SECRET_KEY+++[]
+endif::add-copy-button-to-env-var[]
+ifndef::add-copy-button-to-env-var[]
+Environment variable: `+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_AWS_SECRET_KEY+++`
+endif::add-copy-button-to-env-var[]
+--|string 
+|
+
+
 h|[[quarkus-vault_quarkus.vault.tls-tls]]link:#quarkus-vault_quarkus.vault.tls-tls[TLS]
 
 h|Type

@@ -39,6 +39,11 @@
             <artifactId>quarkus-jdbc-postgresql</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>software.amazon.awssdk</groupId>
+            <artifactId>sts</artifactId>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <build>

@@ -33,6 +33,23 @@
             <artifactId>quarkus-smallrye-health</artifactId>
         </dependency>
 
+        <!--
+            Temporary workaround for native tests to work.
+            Since aws auth is not used by application, the dependency on awssdk should be omitted.
+            And normal tests work fine if this dependency is only in test scope (required by vault test resource).
+            However, native tests fail if this dependency is not in compile scope.
+        -->
+        <dependency>
+            <groupId>software.amazon.awssdk</groupId>
+            <artifactId>sts</artifactId>
+            <exclusions>
+                <exclusion>
+                    <groupId>software.amazon.awssdk</groupId>
+                    <artifactId>apache-client</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+
         <!-- test dependencies -->
         <dependency>
             <groupId>io.quarkus</groupId>

@@ -33,6 +33,11 @@
             <groupId>jakarta.servlet</groupId>
             <artifactId>jakarta.servlet-api</artifactId>
         </dependency>
+        <dependency>
+            <groupId>software.amazon.awssdk</groupId>
+            <artifactId>sts</artifactId>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>io.quarkiverse.vault</groupId>
             <artifactId>quarkus-vault-deployment</artifactId>

@@ -0,0 +1,64 @@
+package io.quarkus.vault;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+
+import jakarta.inject.Inject;
+
+import org.eclipse.microprofile.config.inject.ConfigProperty;
+import org.jboss.logging.Logger;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.condition.DisabledOnOs;
+import org.junit.jupiter.api.condition.OS;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.test.QuarkusUnitTest;
+import io.quarkus.test.common.QuarkusTestResource;
+import io.quarkus.vault.runtime.client.VaultClient;
+import io.quarkus.vault.runtime.client.authmethod.VaultInternalAwsIamAuthMethod;
+import io.quarkus.vault.runtime.client.dto.auth.VaultAwsIamAuth;
+import io.quarkus.vault.test.VaultTestLifecycleManager;
+
+@DisabledOnOs(OS.WINDOWS) // https://github.com/quarkusio/quarkus/issues/3796
+@QuarkusTestResource(VaultTestLifecycleManager.class)
+public class VaultAwsIamITCase {
+
+    @RegisterExtension
+    static final QuarkusUnitTest config = new QuarkusUnitTest()
+            .withApplicationRoot((jar) -> jar
+                    .addAsResource("application-vault-aws-iam.properties", "application.properties"));
+
+    private static final Logger log = Logger.getLogger(VaultAwsIamITCase.class);
+
+    @ConfigProperty(name = "quarkus.vault.authentication.aws-iam.role")
+    String role;
+
+    @ConfigProperty(name = "quarkus.vault.authentication.aws-iam.aws-access-key")
+    String key;
+
+    @Inject
+    VaultClient vaultClient;
+
+    @Inject
+    VaultInternalAwsIamAuthMethod vaultInternalAwsIamAuthMethod;
+
+    @Test
+    public void testRoleConfig() {
+        assertEquals("myawsiamrole", role);
+    }
+
+    @Test
+    public void testAwsAccessKeyConfig() {
+        assertNotNull(key);
+    }
+
+    @Test
+    public void testSuccessAuth() {
+        final VaultAwsIamAuth auth = vaultInternalAwsIamAuthMethod.login(vaultClient).await().indefinitely();
+
+        String awsIamClientToken = auth.auth.clientToken;
+        log.info("awsIamClientToken = " + awsIamClientToken);
+        assertNotNull(awsIamClientToken);
+    }
+
+}
@@ -0,0 +1,16 @@
+quarkus.vault.url=https://localhost:8200
+
+# vault-test.client-token-wrapping-token provided by VaultTestLifecycleManager
+quarkus.vault.authentication.aws-iam.role=myawsiamrole
+quarkus.vault.authentication.aws-iam.region=us-east-1
+quarkus.vault.authentication.aws-iam.sts-url=http://mylocalstack:4566
+quarkus.vault.authentication.aws-iam.vault-server-id=vault.example.com
+quarkus.vault.authentication.aws-iam.aws-access-key=${vault-test.aws-user.access-key}
+quarkus.vault.authentication.aws-iam.aws-secret-key=${vault-test.aws-user.secret-key}
+
+quarkus.vault.tls.ca-cert=src/test/resources/vault-tls.crt
+
+quarkus.vault.log-confidentiality-level=low
+quarkus.vault.renew-grace-period=10
+
+quarkus.log.category."io.quarkus.vault".level=DEBUG
@@ -0,0 +1,45 @@
+package io.quarkus.vault.runtime.client.dto.auth;
+
+import io.quarkus.vault.runtime.client.dto.AbstractVaultDTO;
+
+/*
+
+{
+  "request_id": "9e923c23-3a45-ff0f-a3ea-5fffd94f1e2f",
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": null,
+  "wrap_info": null,
+  "warnings": null,
+  "auth": {
+    "client_token": "s.aWvAbfqWpoqPpbTebdwDEVuu",
+    "accessor": "abbJ8vD3JghuH37Up5d0SLYM",
+    "policies": [
+      "default",
+      "mypolicy"
+    ],
+    "token_policies": [
+      "default",
+      "mypolicy"
+    ],
+    "metadata": {
+      "role": "myapprole",
+      "service_account_name": "default",
+      "service_account_namespace": "vaultapp",
+      "service_account_secret_name": "default-token-qj4b5",
+      "service_account_uid": "27c26105-92d3-11e9-9202-025000000001"
+    },
+    "lease_duration": 7200,
+    "renewable": true,
+    "entity_id": "62f850bb-4835-a9ea-471b-006a92017128",
+    "token_type": "service",
+    "orphan": true
+  }
+}
+
+
+*/
+public class VaultAwsIamAuth extends AbstractVaultDTO<Object, VaultAwsIamAuthAuth> {
+
+}
@@ -0,0 +1,4 @@
+package io.quarkus.vault.runtime.client.dto.auth;
+
+public class VaultAwsIamAuthAuth extends AbstractVaultAuthAuth<VaultAwsIamAuthAuthMetadata> {
+}
@@ -0,0 +1,7 @@
+package io.quarkus.vault.runtime.client.dto.auth;
+
+import io.quarkus.vault.runtime.client.dto.VaultModel;
+
+public class VaultAwsIamAuthAuthMetadata implements VaultModel {
+
+}
@@ -0,0 +1,36 @@
+package io.quarkus.vault.runtime.client.dto.auth;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import io.quarkus.vault.runtime.Base64String;
+import io.quarkus.vault.runtime.client.dto.VaultModel;
+
+public class VaultAwsIamAuthBody implements VaultModel {
+
+    public String role;
+
+    @JsonProperty("iam_http_request_method")
+    public String requestMethod;
+
+    @JsonProperty("iam_request_url")
+    public Base64String requestUrl;
+
+    @JsonProperty("iam_request_body")
+    public Base64String requestBody;
+
+    @JsonProperty("iam_request_headers")
+    public Base64String requestHeaders;
+
+    public VaultAwsIamAuthBody(
+            final String role,
+            final String requestMethod,
+            final Base64String requestUrl,
+            final Base64String requestBody,
+            final Base64String requestHeaders) {
+        this.role = role;
+        this.requestMethod = requestMethod;
+        this.requestUrl = requestUrl;
+        this.requestBody = requestBody;
+        this.requestHeaders = requestHeaders;
+    }
+}
@@ -46,6 +46,13 @@
         <type>pom</type>
         <scope>import</scope>
       </dependency>
+      <dependency>
+        <groupId>software.amazon.awssdk</groupId>
+        <artifactId>bom</artifactId>
+        <version>2.20.94</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
       <dependency>
         <groupId>org.assertj</groupId>
         <artifactId>assertj-core</artifactId>

@@ -49,6 +49,12 @@
             <optional>true</optional>
         </dependency>
 
+        <dependency>
+            <groupId>software.amazon.awssdk</groupId>
+            <artifactId>sts</artifactId>
+            <scope>provided</scope>
+        </dependency>
+
         <dependency>
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-junit5</artifactId>