feat: AWS configurable STS endpoint for assume role #7869
Conversation
Signed-off-by: Diana <[email protected]>
@windmgc Hi! I saw that you worked on the AWS STS endpoint URL feature for 3.8. I was wondering if you could look over the changes I made to docs to support this feature and just check that everything looks correct and I didn't miss anything? I wasn't sure if this feature needed a separate section in the AWS Secrets Manager page. Thanks!
Thank you @cloudjumpercat! The content looks good to me overall; leaving a few comments.
Actually, I have already raised another PR #7762 weeks ago. Do you want to also include my part of that configuration example in `app/_src/gateway/kong-enterprise/aws-iam-auth-to-rds-database.md`?
| `vaults.config.resurrect_ttl` | **Resurrect TTL** | Time (in seconds) for how long secrets will remain in use after they are expired ( using `config.ttl` as the stopping point). This is useful when a vault becomes unreachable, or when a secret is deleted from the vault and isn't replaced immediately. In both cases, gateway will keep trying to refresh the secret for `resurrect_ttl` seconds. After that, it will stop trying to refresh. Assigning a sufficiently high value to this configuration option is recommended to ensure a seamless transition in case there are unexpected issues with the vault. The default value for `resurrect_ttl` is 1^e8 seconds, which is about 3 years. | | ||
|
||
{% if_version gte:3.8.x %} | ||
| `vaults.config.aws_sts_endpoint_url` | **Global Config STS Endpoint** | A configurable STS endpoint for AWS Vault that is used as a global configuration. | |
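Review bot: the row added at the end of this hunk names the global setting `vaults.config.aws_sts_endpoint_url`, while the bullet in the other hunk of this PR uses `vault_aws_sts_endpoint_url` for the global setting and `sts_endpoint_url` for the vault entity; a reference table is where readers verify the exact key, so settle on one name per setting and check it against the vault entity schema before merging. The `{% if_version gte:3.8.x %}` tag opened two lines above the new row has no matching `{% endif_version %}` inside the hunk; confirm the block is closed after the row. The description "used as a global configuration" is also vague: say what value is expected (an STS endpoint URL) and how it relates to the per-vault `sts_endpoint_url`.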
`vaults.config.sts_endpoint_url` should be the correct one; `vault.config.aws_sts_endpoint_url` does not exist in the vault entity schema, so it should be removed.
@@ -37,7 +37,8 @@ Before you enable the AWS IAM authentication, you must configure your AWS RDS da | |||
{:.warning} | |||
> **Warning:** You **can't** change the value of the environment variables you used to provide the AWS credential after booting {{site.base_gateway}}. Any changes are ignored. | |||
{% if_version gte:3.8.x %} | |||
- If you want to assume a role, make sure the original IAM role that Kong uses has the correct permission to assume the role of the target IAM role, and the target IAM role has the correct permission to connect to the database using IAM authentication. | |||
- If you want to assume a role, make sure the original IAM role that Kong uses has the correct permission to assume the role of the target IAM role, and the target IAM role has the correct permission to connect to the database using IAM authentication. | |||
- If you have users with non-public VPC networks and private VPC endpoints (without private DNS names enabled), you can configure a AWS Service Token Service (STS) globally with `vault_aws_sts_endpoint_url` or on a custom AWS Vault entity with `sts_endpoint_url`. |
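Review bot: the new STS bullet on the last line of this hunk expands STS as "Service Token Service"; AWS STS is the Security Token Service, so correct the expansion, and "a AWS" should read "an AWS". The sentence also says you "configure a ... (STS)" when what is configured is the STS endpoint URL; suggested wording: "you can configure an AWS Security Token Service (STS) endpoint globally with `vault_aws_sts_endpoint_url` or on a custom AWS Vault entity with `sts_endpoint_url`." The preceding "If you want to assume a role" bullet appears twice in the hunk with identical text; confirm only one copy remains in the file.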
- If you have users with non-public VPC networks and private VPC endpoints (without private DNS names enabled), you can configure a AWS Service Token Service (STS) globally with `vault_aws_sts_endpoint_url` or on a custom AWS Vault entity with `sts_endpoint_url`.
- If you have users with non-public VPC networks and private VPC endpoints (without private DNS names enabled), you can configure an AWS Service Token Service (STS) endpoint globally with `vault_aws_sts_endpoint_url` or on a custom AWS Vault entity with `sts_endpoint_url`.
Closing this PR in favor of #7762 (I didn't know there was already an open PR). I've added my relevant changes to that PR along with the feedback from Keery.
Description
Added more info about the two new config options that allow you to configure an AWS STS endpoint URL.
DOCU-4058