From b0dbd0182e9458bf36b8236ea6731d44293a65b3 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Wed, 18 Aug 2021 12:45:20 -0400
Subject: [PATCH] Add support for additional awskms parameters (#1468)

This updates to the latest go-kms-wrapping tag to support these parameters and documents them.
---
 go.mod | 4 +--
 go.sum | 9 ++++--
 sdk/go.mod | 4 +--
 sdk/go.sum | 10 ++++---
 .../content/docs/configuration/kms/awskms.mdx | 28 +++++++++++++++----
 5 files changed, 39 insertions(+), 16 deletions(-)

diff --git a/go.mod b/go.mod
index 6965399844..d8e4fbde37 100644
--- a/go.mod
+++ b/go.mod
@@ -27,12 +27,12 @@ require (
 github.com/hashicorp/go-bexpr v0.1.9
 github.com/hashicorp/go-cleanhttp v0.5.2
 github.com/hashicorp/go-hclog v0.16.2
- github.com/hashicorp/go-kms-wrapping v0.6.3
+ github.com/hashicorp/go-kms-wrapping v0.6.5
 github.com/hashicorp/go-multierror v1.1.1
 github.com/hashicorp/go-retryablehttp v0.7.0
 github.com/hashicorp/go-rootcerts v1.0.2
 github.com/hashicorp/go-secure-stdlib/base62 v0.1.1
- github.com/hashicorp/go-secure-stdlib/configutil v0.1.1
+ github.com/hashicorp/go-secure-stdlib/configutil v0.1.2
 github.com/hashicorp/go-secure-stdlib/gatedwriter v0.1.1
 github.com/hashicorp/go-secure-stdlib/kv-builder v0.1.1
 github.com/hashicorp/go-secure-stdlib/listenerutil v0.1.1
diff --git a/go.sum b/go.sum
index fa5e59a6ae..ba26a44c74 100644
--- a/go.sum
+++ b/go.sum
@@ -424,8 +424,9 @@ github.com/hashicorp/go-hclog v0.16.2/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39 github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-immutable-radix v1.1.0 h1:vN9wG1D6KG6YHRTWr8512cxGOVgTMEfgEdSj/hr8MPc= github.com/hashicorp/go-immutable-radix v1.1.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= -github.com/hashicorp/go-kms-wrapping v0.6.3 h1:N5an2PAZNBp3MpFv6Rca8ol9qNZyO9v9sAkXgPYN8UU= github.com/hashicorp/go-kms-wrapping v0.6.3/go.mod h1:1DTKimjuT1g8KaS8rwYxF0kkjaFMXKtJif9KXxsrr+s= +github.com/hashicorp/go-kms-wrapping v0.6.5 h1:iKcwiqpm2dvkMLymEyJQpbazwR70l7XINUPFduLdbAs= +github.com/hashicorp/go-kms-wrapping v0.6.5/go.mod h1:9aLqFi2fqK1WMCyTe9bVjB0X6XxCxD+oINL1ovxpgJE= github.com/hashicorp/go-kms-wrapping/entropy v0.1.0/go.mod h1:d1g9WGtAunDNpek8jUIEJnBlbgKS1N2Q61QkHiZyR1g= github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= 
@@ -443,10 +444,12 @@ github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa github.com/hashicorp/go-rootcerts v1.0.1/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc= github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= +github.com/hashicorp/go-secure-stdlib/awsutil v0.1.2 h1:AEcLbDoaRC9JMmtZXsuCykztH53rvHsQFnwhoKtpNQM= +github.com/hashicorp/go-secure-stdlib/awsutil v0.1.2/go.mod h1:QRJZ7siKie+SZJB9jLbfKrs0Gd0yPWMtbneg0iU1PrY= github.com/hashicorp/go-secure-stdlib/base62 v0.1.1 h1:6KMBnfEv0/kLAz0O76sliN5mXbCDcLfs2kP7ssP7+DQ= github.com/hashicorp/go-secure-stdlib/base62 v0.1.1/go.mod h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw= -github.com/hashicorp/go-secure-stdlib/configutil v0.1.1 h1:GeZcTbpivJpNPx5L9ciCH6M3Jw4i8uiiMAOYfxmyRQA= -github.com/hashicorp/go-secure-stdlib/configutil v0.1.1/go.mod h1:5CQ5+MqV+qf46nta8piifri5TdcZ0sE/PCz9vgzeh0U= +github.com/hashicorp/go-secure-stdlib/configutil v0.1.2 h1:ai0P91rxlyGWkYUH/zFr7mduW2Q+2FMrXawkLM8e7NU= +github.com/hashicorp/go-secure-stdlib/configutil v0.1.2/go.mod h1:EN1DJMjv9y5e/uRAuP2WPibAox5KHEiq2BjZl00aNPQ= github.com/hashicorp/go-secure-stdlib/gatedwriter v0.1.1 h1:9um9R8i0+HbRHS9d64kdvWR0/LJvo12sIonvR9zr1+U= github.com/hashicorp/go-secure-stdlib/gatedwriter v0.1.1/go.mod h1:6RoRTSMDK2H/rKh3P/JIsk1tK8aatKTt3JyvIopi3GQ= github.com/hashicorp/go-secure-stdlib/kv-builder v0.1.1 h1:IJgULbAXuvWxzKFfu+Au1FUmHIJulS6N4F7Hkn+Kck0=
diff --git a/sdk/go.mod b/sdk/go.mod
index 373f444e3f..4334b4ebb4 100644
--- a/sdk/go.mod
+++ b/sdk/go.mod
@@ -3,8 +3,8 @@ module github.com/hashicorp/boundary/sdk
 go 1.15
 
 require (
- github.com/hashicorp/go-kms-wrapping v0.6.3
- github.com/hashicorp/go-secure-stdlib/configutil v0.1.1
+ github.com/hashicorp/go-kms-wrapping v0.6.5
+ github.com/hashicorp/go-secure-stdlib/configutil v0.1.2
 github.com/hashicorp/go-secure-stdlib/strutil v0.1.1
 github.com/hashicorp/go-uuid v1.0.2
 github.com/mr-tron/base58 v1.2.0
diff --git a/sdk/go.sum b/sdk/go.sum
index 5129d5ed6a..7c7536ae92 100644
--- a/sdk/go.sum
+++ b/sdk/go.sum
@@ -220,8 +220,8 @@ github.com/hashicorp/go-hclog v0.16.2 h1:K4ev2ib4LdQETX5cSZBG0DVLk1jwGqSPXBjdah3 github.com/hashicorp/go-hclog v0.16.2/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-immutable-radix v1.1.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= -github.com/hashicorp/go-kms-wrapping v0.6.3 h1:N5an2PAZNBp3MpFv6Rca8ol9qNZyO9v9sAkXgPYN8UU= -github.com/hashicorp/go-kms-wrapping v0.6.3/go.mod h1:1DTKimjuT1g8KaS8rwYxF0kkjaFMXKtJif9KXxsrr+s= +github.com/hashicorp/go-kms-wrapping v0.6.5 h1:iKcwiqpm2dvkMLymEyJQpbazwR70l7XINUPFduLdbAs= +github.com/hashicorp/go-kms-wrapping v0.6.5/go.mod h1:9aLqFi2fqK1WMCyTe9bVjB0X6XxCxD+oINL1ovxpgJE= github.com/hashicorp/go-kms-wrapping/entropy v0.1.0/go.mod h1:d1g9WGtAunDNpek8jUIEJnBlbgKS1N2Q61QkHiZyR1g= github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA=
@@ -235,8 +235,10 @@ github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER github.com/hashicorp/go-rootcerts v1.0.1/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc= github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= -github.com/hashicorp/go-secure-stdlib/configutil v0.1.1 h1:GeZcTbpivJpNPx5L9ciCH6M3Jw4i8uiiMAOYfxmyRQA= -github.com/hashicorp/go-secure-stdlib/configutil v0.1.1/go.mod h1:5CQ5+MqV+qf46nta8piifri5TdcZ0sE/PCz9vgzeh0U= +github.com/hashicorp/go-secure-stdlib/awsutil v0.1.2 h1:AEcLbDoaRC9JMmtZXsuCykztH53rvHsQFnwhoKtpNQM= +github.com/hashicorp/go-secure-stdlib/awsutil v0.1.2/go.mod h1:QRJZ7siKie+SZJB9jLbfKrs0Gd0yPWMtbneg0iU1PrY= +github.com/hashicorp/go-secure-stdlib/configutil v0.1.2 h1:ai0P91rxlyGWkYUH/zFr7mduW2Q+2FMrXawkLM8e7NU= +github.com/hashicorp/go-secure-stdlib/configutil v0.1.2/go.mod h1:EN1DJMjv9y5e/uRAuP2WPibAox5KHEiq2BjZl00aNPQ= github.com/hashicorp/go-secure-stdlib/listenerutil v0.1.1 h1:HlTofNQN49DTzPCMVDppp+AVxMNVWaHUElpUYC0TRRE= github.com/hashicorp/go-secure-stdlib/listenerutil v0.1.1/go.mod h1:irE9ILwhE8VooWdhHhBy0qXzOMRlHKoWoMlr31mAFCE= github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1 h1:78ki3QBevHwYrVxnyVeaEz+7WtifHhauYF23es/0KlI=
diff --git a/website/content/docs/configuration/kms/awskms.mdx b/website/content/docs/configuration/kms/awskms.mdx
index 662a9c40bb..b10d26a827 100644
--- a/website/content/docs/configuration/kms/awskms.mdx
+++ b/website/content/docs/configuration/kms/awskms.mdx
@@ -38,20 +38,38 @@ These parameters apply to the `kms` stanza in the Boundary configuration file: `AWS_DEFAULT_REGION` environment variables, from your `~/.aws/config` file, or from instance metadata. -- `access_key` `(string: )`: The AWS access key ID to use. May also be +- `kms_key_id` `(string: )`: The AWS KMS key ID to use for encryption + and decryption. May also be specified by the `AWSKMS_WRAPPER_KEY_ID` + environment variable. + +- `access_key` `(string: "")`: The AWS access key ID to use. May also be specified by the `AWS_ACCESS_KEY_ID` environment variable or as part of the AWS profile from the AWS CLI or instance profile. - `session_token` `(string: "")`: Specifies the AWS session token. This can also be provided via the environment variable `AWS_SESSION_TOKEN`. -- `secret_key` `(string: )`: The AWS secret access key to use. May +- `secret_key` `(string: "")`: The AWS secret access key to use. May also be specified by the `AWS_SECRET_ACCESS_KEY` environment variable or as part of the AWS profile from the AWS CLI or instance profile. -- `kms_key_id` `(string: )`: The AWS KMS key ID to use for encryption - and decryption. May also be specified by the `AWSKMS_WRAPPER_KEY_ID` - environment variable. +- `shared_creds_filename` `(string: "")`: (Boundary 0.5.1+) If set, the file + name to read as a shared credentials file. + +- `shared_creds_profile` `(string: "")`: (Boundary 0.5.1+) If set, the + profile to use from the shared credentials file. If not set, will use the + `AWS_PROFILE` env var, or if that is not set, `"default"`. + +- `role_arn` `(string: "")`: (Boundary 0.5.1+) If this and + `web_identity_token_file` are set, the role ARN to use when using a web + identity role provider with STS. + +- `web_identity_token_file` `(string: "")`: (Boundary 0.5.1+) If this and + `role_arn` are set, the token file to use when using a web identity role + provider with STS. 
+ +- `role_session_name` `(string: "")`: (Boundary 0.5.1+) If using the web + identity role provider, the role session to use. - `endpoint` `(string: "")`: The KMS API endpoint to be used to make AWS KMS requests. May also be specified by the `AWS_KMS_ENDPOINT` environment