Add logging during awskms auto-unseal#9794
Conversation
Adds debug and warn logging around AWS credential chain generation, specifically to help users debugging auto-unseal problems on AWS, by logging which role is being used in the case of a webidentity token. Adds a deferred call to flush the log output as well, to ensure logs are output in the event of an initialization failure.
| SecretAccessKey: c.SecretKey, | ||
| SessionToken: c.SessionToken, | ||
| }}) | ||
| c.Logger.Debug("added static credential provider", "AccessKey", c.AccessKey) |
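Review bot: `c.Logger.Debug(...)` dereferences c.Logger without a nil check, so a CredentialsConfig built without a Logger panics at this line; guard each call with `if c.Logger != nil { ... }` or default the field to a null logger when the config is constructed. Because SecretAccessKey and SessionToken are set on the same provider, it is also worth confirming that only AccessKey ever appears as a log field.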
c.Logger could potentially be nil if none is passed into CredentialsConfig so these calls would panic. Let's wrap logger calls with a nil check.
| } | ||
| creds, err := RetrieveCreds(m["aws_access_key_id"], m["aws_secret_access_key"], m["aws_security_token"]) | ||
| creds, err := RetrieveCreds(m["aws_access_key_id"], m["aws_secret_access_key"], m["aws_security_token"], hclog.Default()) |
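Review bot: passing hclog.Default() here fixes the log level at Info with hclog's default formatting, independent of whatever the vault login command was configured with, so the Debug lines this PR adds around GenerateCredentialChain() will never show from this call site. Pass a logger derived from the command's own configuration (or from an explicit level option) instead, and keep RetrieveCreds nil-safe so callers that have no logger can pass nil rather than a default one.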
This does not derive any of the logging properties from the main command, so it might result in different format, log level, etc.
How would we get the logging properties from the main command here? I haven't found a way to do that.
The log would be from the client (result from a vault login command) for this particular case so it might be fine, though hclog.Default() logs up to Info only, so it would skip any Debug output.
I'm not seeing anywhere else in the vault login command that verbosity levels are set, so in 2271d6c I added a log_level option to the aws cli login command, and used that to configure the logger passed to RetrieveCreds(). Or maybe it's preferable to just pass a null logger here?
Used to set up the logger for use in GenerateCredentialChain()
| github.com/hashicorp/go-gcp-common v0.6.0 | ||
| github.com/hashicorp/go-hclog v0.14.1 | ||
| github.com/hashicorp/go-kms-wrapping v0.5.12 | ||
| github.com/hashicorp/go-kms-wrapping v0.5.15 |
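Review bot: the bump from go-kms-wrapping v0.5.12 to v0.5.15 should be checked against hashicorp/go-kms-wrapping#22, which the description lists as a dependency of this change; confirm that the pinned tag actually contains that change and that go.sum is updated alongside go.mod in the same commit.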
We should be using v0.5.16 right?
Adds debug and warn logging around AWS credential chain generation, specifically to help users understand why auto-unseal isn't working on AWS, by logging which role is being used in the case of a webidentity token.
Also in the case of webidentity, this tests retrieving credentials, and logs a warning if it has trouble, in which case it falls through to using creds from the instance metadata, which may still fail, but with a warning logged at least users can tell why the webidentity auth failed.
Depends on hashicorp/go-kms-wrapping#22
Example logging with level=trace when auto-unseal fails:
before:
after:
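To make the nil-logger point from the review and the warn-then-fall-through behaviour described above concrete, here is a self-contained Go sketch of a credential chain with nil-safe logging. It is added here and is not code from this PR, Vault, go-kms-wrapping or the AWS SDK; the Logger, MemLogger, Credentials, Provider and Chain types are constructed stand-ins (Logger mirrors hclog's Log method but takes a string level instead of hclog.Level).

```go
package main
import "errors"
import "fmt"

// Logger mirrors hclog.Logger's Log method (hclog takes an hclog.Level; a string level is used here).
type Logger interface {
	Log(level, msg string, args ...interface{})
}

// MemLogger stands in for hclog in this example and records lines for inspection.
type MemLogger struct{ Lines []string }
func (m *MemLogger) Log(level, msg string, a ...interface{}) { m.Lines = append(m.Lines, fmt.Sprintf("[%s] %s %v", level, msg, a)) }

// Credentials is what a provider returns; SecretKey is deliberately never logged.
type Credentials struct{ AccessKey, SecretKey string }

// Provider is one link of the chain (a constructed stand-in for the SDK providers); RoleARN is set only for web identity.
type Provider struct {
	Name, RoleARN string
	Retrieve      func() (Credentials, error)
}

// Chain tries providers in order, logging a failing web identity login with its role at WARN before falling through.
type Chain struct {
	Logger    Logger // may be nil, so every call goes through logf
	Providers []Provider
}

// logf is the nil check requested in review: a caller that passes no logger must not panic.
func (c *Chain) logf(level, msg string, a ...interface{}) {
	if c.Logger != nil {
		c.Logger.Log(level, msg, a...)
	}
}

// Retrieve returns the first successful provider's credentials and that provider's name.
func (c *Chain) Retrieve() (Credentials, string, error) {
	for _, p := range c.Providers {
		creds, err := p.Retrieve()
		if err != nil {
			c.logf("WARN", "provider failed, falling through", "provider", p.Name, "role_arn", p.RoleARN, "error", err)
			continue
		}
		c.logf("DEBUG", "using credentials", "provider", p.Name, "role_arn", p.RoleARN, "access_key", creds.AccessKey)
		return creds, p.Name, nil
	}
	return Credentials{}, "", errors.New("no credential provider succeeded")
}
```

With a web identity provider that fails in front of an instance metadata provider that succeeds, the log shows the role that was tried and why it failed, and the secret key never reaches a log line.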