Open mtougeron opened 7 years ago
If there is a way to do this validation locally via the Go SDK this seems like an easy fix to implement. I'd be more hesitant to add it in if it must round-trip to AWS, partially because then it imposes ordering on setting up roles vs. credentials.
From my quick scan of the Go SDK it doesn't look like there is a way, but I'm not super familiar with it.
@joelthompson thoughts?
@jefferai -- sorry, somehow missed this when you first commented.
I think it makes sense to do some basic syntactic checking as part of #4229 -- once the parameters are no longer overloaded, it will make it much easier to do the syntactic checking. Things like, "does it look like a valid ARN?" and "is the policy valid JSON?" I'm sort of split on whether it makes sense to round trip to AWS to validate the ARNs. On the one hand, as you say, it imposes ordering on setting up roles vs. credentials, and it also makes Vault now depend on AWS and so introduces a failure point (e.g., if there were a network issue, or eventual consistency slowness, or AWS API throttling). On the other hand, it gives users earlier feedback that a role won't work before it does. Maybe attempt to validate the ARNs but return a warning if the validation fails for some reason (but still let the role creation through)?
That could work.
When you create a new role for the aws secret backend, using the arn parameter, it doesn't validate that it is a valid format.

Example attaching a role instead of a policy

Example of a totally invalid arn

Example attaching a non-existing policy (though I could understand how this example might be a valid use-case so that someone could create the policy later)

But it should probably at least validate that it is a valid arn for a policy document.
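The local, syntactic checks that the issue asks for and that joelthompson's comment sketches ("does it look like a valid ARN?", "is the policy valid JSON?") can be done without any round trip to AWS. The Go below is an added example written for this thread; it is not Vault's code and does not use the AWS SDK. It assumes only the IAM managed-policy ARN shape (arn:partition:iam::account:policy/path/name, with account "aws" for AWS managed policies) and rejects the role-instead-of-policy and totally-invalid cases from the issue. The non-existing-policy case is deliberately not covered: checking existence requires an AWS call, which is exactly the ordering and failure-point concern raised above.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// PolicyARN holds the components of a syntactically valid IAM policy ARN.
type PolicyARN struct {
	Partition string
	Account   string // 12-digit account id, or "aws" for AWS managed policies
	Name      string // path plus policy name, e.g. "ReadOnlyAccess" or "team/MyPolicy"
}

var (
	// Partitions known at the time of writing (assumption: no others are in use).
	validPartitions = map[string]bool{"aws": true, "aws-cn": true, "aws-us-gov": true}
	accountRE       = regexp.MustCompile(`^[0-9]{12}$`)
)

// ParsePolicyARN checks that s is shaped like an IAM managed policy ARN
// without contacting AWS. It does not prove the policy exists.
func ParsePolicyARN(s string) (PolicyARN, error) {
	parts := strings.SplitN(s, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" {
		return PolicyARN{}, fmt.Errorf("%q is not an ARN", s)
	}
	partition, service, region, account, resource := parts[1], parts[2], parts[3], parts[4], parts[5]
	if !validPartitions[partition] {
		return PolicyARN{}, fmt.Errorf("unknown partition %q", partition)
	}
	if service != "iam" {
		return PolicyARN{}, fmt.Errorf("service is %q, expected iam", service)
	}
	if region != "" {
		return PolicyARN{}, errors.New("IAM ARNs have no region component")
	}
	if account != "aws" && !accountRE.MatchString(account) {
		return PolicyARN{}, fmt.Errorf("invalid account id %q", account)
	}
	// A role, user or group ARN shares the prefix but is not a policy.
	name := strings.TrimPrefix(resource, "policy/")
	if name == resource || name == "" {
		return PolicyARN{}, fmt.Errorf("resource %q is not a policy", resource)
	}
	return PolicyARN{Partition: partition, Account: account, Name: name}, nil
}

// ValidatePolicyDocument checks that an inline policy is a JSON object with a
// Statement field. It does not evaluate what the policy grants.
func ValidatePolicyDocument(doc string) error {
	var parsed map[string]json.RawMessage
	if err := json.Unmarshal([]byte(doc), &parsed); err != nil {
		return fmt.Errorf("policy is not valid JSON: %w", err)
	}
	if _, ok := parsed["Statement"]; !ok {
		return errors.New("policy has no Statement field")
	}
	return nil
}

func main() {
	// Constructed inputs mirroring the cases described in the issue.
	for _, s := range []string{
		"arn:aws:iam::123456789012:policy/team/MyPolicy", // valid policy ARN
		"arn:aws:iam::123456789012:role/MyRole",          // a role, not a policy
		"not-an-arn",                                     // totally invalid
	} {
		_, err := ParsePolicyARN(s)
		fmt.Printf("%-50s -> %v\n", s, err)
	}
	fmt.Println(ValidatePolicyDocument(`{"Version":"2012-10-17","Statement":[]}`))
	fmt.Println(ValidatePolicyDocument(`{not json`))
}
```

A warning-instead-of-error policy for the existence check, as suggested in the thread, would layer on top of this: run the syntactic check first and fail hard, then optionally call AWS and only warn if that lookup fails.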