Fixed integration tests

docs/modules/ROOT/pages/includes/attributes.adoc

@@ -1,4 +1,4 @@
-:quarkus-version: 3.0.3.Final
+:quarkus-version: 3.1.3.Final
 :quarkus-vault-version: 3.0.0
 :maven-version: 3.8.1+
 

docs/modules/ROOT/pages/includes/quarkus-vault.adoc

@@ -14,7 +14,8 @@ a|icon:lock[title=Fixed at build time] [[quarkus-vault_quarkus.vault.devservices
 
 [.description]
 --
-If DevServices has been explicitly enabled or disabled. DevServices is generally enabled by default, unless there is an existing configuration present. 
+If DevServices has been explicitly enabled or disabled. DevServices is generally enabled by default, unless there is an existing configuration present.
+
 When DevServices is enabled Quarkus will attempt to automatically configure and start a vault instance when running in Dev or Test mode and when Docker is running.
 
 ifdef::add-copy-button-to-env-var[]
@@ -47,8 +48,10 @@ a|icon:lock[title=Fixed at build time] [[quarkus-vault_quarkus.vault.devservices
 
 [.description]
 --
-Indicates if the Vault instance managed by Quarkus Dev Services is shared. When shared, Quarkus looks for running containers using label-based service discovery. If a matching container is found, it is used, and so a second one is not started. Otherwise, Dev Services for Vault starts a new container. 
-The discovery uses the `quarkus-dev-service-vault` label. The value is configured using the `service-name` property. 
+Indicates if the Vault instance managed by Quarkus Dev Services is shared. When shared, Quarkus looks for running containers using label-based service discovery. If a matching container is found, it is used, and so a second one is not started. Otherwise, Dev Services for Vault starts a new container.
+
+The discovery uses the `quarkus-dev-service-vault` label. The value is configured using the `service-name` property.
+
 Container sharing is only used in dev mode.
 
 ifdef::add-copy-button-to-env-var[]
@@ -65,7 +68,8 @@ a|icon:lock[title=Fixed at build time] [[quarkus-vault_quarkus.vault.devservices
 
 [.description]
 --
-The value of the `quarkus-dev-service-vault` label attached to the started container. This property is used when `shared` is set to `true`. In this case, before starting a container, Dev Services for Vault looks for a container with the `quarkus-dev-service-vault` label set to the configured value. If found, it will use this container instead of starting a new one. Otherwise it starts a new container with the `quarkus-dev-service-vault` label set to the specified value. 
+The value of the `quarkus-dev-service-vault` label attached to the started container. This property is used when `shared` is set to `true`. In this case, before starting a container, Dev Services for Vault looks for a container with the `quarkus-dev-service-vault` label set to the configured value. If found, it will use this container instead of starting a new one. Otherwise it starts a new container with the `quarkus-dev-service-vault` label set to the specified value.
+
 This property is used when you need multiple shared Vault instances.
 
 ifdef::add-copy-button-to-env-var[]
@@ -82,7 +86,8 @@ a|icon:lock[title=Fixed at build time] [[quarkus-vault_quarkus.vault.devservices
 
 [.description]
 --
-Optional fixed port the dev service will listen to. 
+Optional fixed port the dev service will listen to.
+
 If not defined, the port will be chosen randomly.
 
 ifdef::add-copy-button-to-env-var[]
@@ -147,8 +152,10 @@ a| [[quarkus-vault_quarkus.vault.config-ordinal]]`link:#quarkus-vault_quarkus.va
 
 [.description]
 --
-Microprofile Config ordinal. 
-This is provided as an alternative to the `config_ordinal` property defined by the specification, to make it easier and more natural for applications to override the default ordinal. 
+Microprofile Config ordinal.
+
+This is provided as an alternative to the `config_ordinal` property defined by the specification, to make it easier and more natural for applications to override the default ordinal.
+
 The default value is higher than the file system or jar ordinals, but lower than env vars.
 
 ifdef::add-copy-button-to-env-var[]
@@ -395,7 +402,8 @@ a| [[quarkus-vault_quarkus.vault.non-proxy-hosts]]`link:#quarkus-vault_quarkus.v
 
 [.description]
 --
-List of remote hosts that are not proxied when the client is configured to use a proxy. This list serves the same purpose as the JVM `nonProxyHosts` configuration. 
+List of remote hosts that are not proxied when the client is configured to use a proxy. This list serves the same purpose as the JVM `nonProxyHosts` configuration.
+
 Entries can use the _++*++_ wildcard character for pattern matching, e.g _++*++.example.com_ matches _www.example.com_.
 
 ifdef::add-copy-button-to-env-var[]
@@ -671,8 +679,10 @@ a| [[quarkus-vault_quarkus.vault.authentication.client-token-wrapping-token]]`li
 
 [.description]
 --
-Client token wrapped in a wrapping token, such as what is returned by: 
-vault token create -wrap-ttl=60s -policy=myapp 
+Client token wrapped in a wrapping token, such as what is returned by:
+
+vault token create -wrap-ttl=60s -policy=myapp
+
 client-token and client-token-wrapping-token are exclusive. Lease renewal does not apply.
 
 ifdef::add-copy-button-to-env-var[]
@@ -721,8 +731,10 @@ a| [[quarkus-vault_quarkus.vault.authentication.app-role.secret-id-wrapping-toke
 
 [.description]
 --
-Wrapping token containing a Secret Id, obtained from: 
-vault write -wrap-ttl=60s -f auth/approle/role/myapp/secret-id 
+Wrapping token containing a Secret Id, obtained from:
+
+vault write -wrap-ttl=60s -f auth/approle/role/myapp/secret-id
+
 secret-id and secret-id-wrapping-token are exclusive
 
 ifdef::add-copy-button-to-env-var[]
@@ -787,10 +799,14 @@ a| [[quarkus-vault_quarkus.vault.authentication.userpass.password-wrapping-token
 
 [.description]
 --
-Wrapping token containing a Password, obtained from: 
-vault kv get -wrap-ttl=60s secret/ 
-The key has to be 'password', meaning the password has initially been provisioned with: 
-vault kv put secret/ password= 
+Wrapping token containing a Password, obtained from:
+
+vault kv get -wrap-ttl=60s secret/
+
+The key has to be 'password', meaning the password has initially been provisioned with:
+
+vault kv put secret/ password=
+
 password and password-wrapping-token are exclusive
 
 ifdef::add-copy-button-to-env-var[]
@@ -851,6 +867,102 @@ endif::add-copy-button-to-env-var[]
 |`auth/kubernetes`
 
 
+a| [[quarkus-vault_quarkus.vault.authentication.aws-iam.role]]`link:#quarkus-vault_quarkus.vault.authentication.aws-iam.role[quarkus.vault.authentication.aws-iam.role]`
+
+[.description]
+--
+AWS IAM authentication role that has been created in Vault to associate Vault policies, with ARN. This property is required when selecting the AWS IAM authentication type.
+
+ifdef::add-copy-button-to-env-var[]
+Environment variable: env_var_with_copy_button:+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_ROLE+++[]
+endif::add-copy-button-to-env-var[]
+ifndef::add-copy-button-to-env-var[]
+Environment variable: `+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_ROLE+++`
+endif::add-copy-button-to-env-var[]
+--|string 
+|
+
+
+a| [[quarkus-vault_quarkus.vault.authentication.aws-iam.region]]`link:#quarkus-vault_quarkus.vault.authentication.aws-iam.region[quarkus.vault.authentication.aws-iam.region]`
+
+[.description]
+--
+The AWS region to use for AWS IAM authentication.
+
+ifdef::add-copy-button-to-env-var[]
+Environment variable: env_var_with_copy_button:+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_REGION+++[]
+endif::add-copy-button-to-env-var[]
+ifndef::add-copy-button-to-env-var[]
+Environment variable: `+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_REGION+++`
+endif::add-copy-button-to-env-var[]
+--|string 
+|
+
+
+a| [[quarkus-vault_quarkus.vault.authentication.aws-iam.sts-url]]`link:#quarkus-vault_quarkus.vault.authentication.aws-iam.sts-url[quarkus.vault.authentication.aws-iam.sts-url]`
+
+[.description]
+--
+The URL of the AWS STS endpoint to use for AWS IAM authentication.
+
+ifdef::add-copy-button-to-env-var[]
+Environment variable: env_var_with_copy_button:+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_STS_URL+++[]
+endif::add-copy-button-to-env-var[]
+ifndef::add-copy-button-to-env-var[]
+Environment variable: `+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_STS_URL+++`
+endif::add-copy-button-to-env-var[]
+--|string 
+|`https://sts.amazonaws.com`
+
+
+a| [[quarkus-vault_quarkus.vault.authentication.aws-iam.vault-server-id]]`link:#quarkus-vault_quarkus.vault.authentication.aws-iam.vault-server-id[quarkus.vault.authentication.aws-iam.vault-server-id]`
+
+[.description]
+--
+The Vault server ID to use for AWS IAM authentication.
+
+ifdef::add-copy-button-to-env-var[]
+Environment variable: env_var_with_copy_button:+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_VAULT_SERVER_ID+++[]
+endif::add-copy-button-to-env-var[]
+ifndef::add-copy-button-to-env-var[]
+Environment variable: `+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_VAULT_SERVER_ID+++`
+endif::add-copy-button-to-env-var[]
+--|string 
+|
+
+
+a| [[quarkus-vault_quarkus.vault.authentication.aws-iam.aws-access-key]]`link:#quarkus-vault_quarkus.vault.authentication.aws-iam.aws-access-key[quarkus.vault.authentication.aws-iam.aws-access-key]`
+
+[.description]
+--
+The AWS access key ID to use for AWS IAM authentication.
+
+ifdef::add-copy-button-to-env-var[]
+Environment variable: env_var_with_copy_button:+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_AWS_ACCESS_KEY+++[]
+endif::add-copy-button-to-env-var[]
+ifndef::add-copy-button-to-env-var[]
+Environment variable: `+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_AWS_ACCESS_KEY+++`
+endif::add-copy-button-to-env-var[]
+--|string 
+|
+
+
+a| [[quarkus-vault_quarkus.vault.authentication.aws-iam.aws-secret-key]]`link:#quarkus-vault_quarkus.vault.authentication.aws-iam.aws-secret-key[quarkus.vault.authentication.aws-iam.aws-secret-key]`
+
+[.description]
+--
+The AWS secret access key to use for AWS IAM authentication.
+
+ifdef::add-copy-button-to-env-var[]
+Environment variable: env_var_with_copy_button:+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_AWS_SECRET_KEY+++[]
+endif::add-copy-button-to-env-var[]
+ifndef::add-copy-button-to-env-var[]
+Environment variable: `+++QUARKUS_VAULT_AUTHENTICATION_AWS_IAM_AWS_SECRET_KEY+++`
+endif::add-copy-button-to-env-var[]
+--|string 
+|
+
+
 h|[[quarkus-vault_quarkus.vault.tls-tls]]link:#quarkus-vault_quarkus.vault.tls-tls[TLS]
 
 h|Type
@@ -860,7 +972,8 @@ a| [[quarkus-vault_quarkus.vault.tls.skip-verify]]`link:#quarkus-vault_quarkus.v
 
 [.description]
 --
-Allows to bypass certificate validation on TLS communications. 
+Allows to bypass certificate validation on TLS communications.
+
 If true this will allow TLS communications with Vault, without checking the validity of the certificate presented by Vault. This is discouraged in production because it allows man in the middle type of attacks.
 
 ifdef::add-copy-button-to-env-var[]
@@ -877,7 +990,8 @@ a| [[quarkus-vault_quarkus.vault.tls.ca-cert]]`link:#quarkus-vault_quarkus.vault
 
 [.description]
 --
-Certificate bundle used to validate TLS communications with Vault. 
+Certificate bundle used to validate TLS communications with Vault.
+
 The path to a pem bundle file, if TLS is required, and trusted certificates are not set through javax.net.ssl.trustStore system property.
 
 ifdef::add-copy-button-to-env-var[]

integration-tests/vault-agroal/pom.xml

@@ -39,6 +39,11 @@
             <artifactId>quarkus-jdbc-postgresql</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>software.amazon.awssdk</groupId>
+            <artifactId>sts</artifactId>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <build>

integration-tests/vault-app/pom.xml

@@ -35,6 +35,7 @@
         <dependency>
             <groupId>software.amazon.awssdk</groupId>
             <artifactId>sts</artifactId>
+            <scope>test</scope>
         </dependency>
 
         <!-- test dependencies -->

integration-tests/vault/pom.xml

@@ -36,6 +36,7 @@
         <dependency>
             <groupId>software.amazon.awssdk</groupId>
             <artifactId>sts</artifactId>
+            <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>io.quarkiverse.vault</groupId>

integration-tests/vault/src/test/java/io/quarkus/vault/VaultAwsIamITCase.java

@@ -3,14 +3,20 @@
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 
+import jakarta.inject.Inject;
+
 import org.eclipse.microprofile.config.inject.ConfigProperty;
+import org.jboss.logging.Logger;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.condition.DisabledOnOs;
 import org.junit.jupiter.api.condition.OS;
 import org.junit.jupiter.api.extension.RegisterExtension;
 
 import io.quarkus.test.QuarkusUnitTest;
 import io.quarkus.test.common.QuarkusTestResource;
+import io.quarkus.vault.runtime.client.VaultClient;
+import io.quarkus.vault.runtime.client.authmethod.VaultInternalAwsIamAuthMethod;
+import io.quarkus.vault.runtime.client.dto.auth.VaultAwsIamAuth;
 import io.quarkus.vault.test.VaultTestLifecycleManager;
 
 @DisabledOnOs(OS.WINDOWS) // https://github.com/quarkusio/quarkus/issues/3796
@@ -22,20 +28,37 @@ public class VaultAwsIamITCase {
             .withApplicationRoot((jar) -> jar
                     .addAsResource("application-vault-aws-iam.properties", "application.properties"));
 
+    private static final Logger log = Logger.getLogger(VaultAwsIamITCase.class);
+
     @ConfigProperty(name = "quarkus.vault.authentication.aws-iam.role")
     String role;
 
     @ConfigProperty(name = "quarkus.vault.authentication.aws-iam.aws-access-key")
     String key;
 
+    @Inject
+    VaultClient vaultClient;
+
+    @Inject
+    VaultInternalAwsIamAuthMethod vaultInternalAwsIamAuthMethod;
+
     @Test
-    public void testRole() {
+    public void testRoleConfig() {
         assertEquals("myawsiamrole", role);
     }
 
     @Test
-    public void testAwsAccessKey() {
+    public void testAwsAccessKeyConfig() {
         assertNotNull(key);
     }
 
+    @Test
+    public void testSuccessAuth() {
+        final VaultAwsIamAuth auth = vaultInternalAwsIamAuthMethod.login(vaultClient).await().indefinitely();
+
+        String awsIamClientToken = auth.auth.clientToken;
+        log.info("awsIamClientToken = " + awsIamClientToken);
+        assertNotNull(awsIamClientToken);
+    }
+
 }

integration-tests/vault/src/test/java/io/quarkus/vault/WiremockProxy.java

@@ -1,5 +1,9 @@
 package io.quarkus.vault;
 
+import static com.github.tomakehurst.wiremock.client.WireMock.aResponse;
+import static com.github.tomakehurst.wiremock.client.WireMock.get;
+import static com.github.tomakehurst.wiremock.client.WireMock.urlEqualTo;
+
 import java.util.Collections;
 import java.util.Map;
 
@@ -8,10 +12,6 @@
 
 import io.quarkus.test.common.QuarkusTestResourceLifecycleManager;
 
-import static com.github.tomakehurst.wiremock.client.WireMock.aResponse;
-import static com.github.tomakehurst.wiremock.client.WireMock.get;
-import static com.github.tomakehurst.wiremock.client.WireMock.urlEqualTo;
-
 public class WiremockProxy implements QuarkusTestResourceLifecycleManager {
 
     public static final String PROXY_HOST = "localhost";

integration-tests/vault/src/test/resources/application-vault-aws-iam.properties

@@ -8,13 +8,9 @@ quarkus.vault.authentication.aws-iam.vault-server-id=vault.example.com
 quarkus.vault.authentication.aws-iam.aws-access-key=${vault-test.aws-user.access-key}
 quarkus.vault.authentication.aws-iam.aws-secret-key=${vault-test.aws-user.secret-key}
 
-#quarkus.vault.tls.skip-verify=true
 quarkus.vault.tls.ca-cert=src/test/resources/vault-tls.crt
 
-#quarkus.vault.log-confidentiality-level=low
-#quarkus.vault.renew-grace-period=10
+quarkus.vault.log-confidentiality-level=low
+quarkus.vault.renew-grace-period=10
 
 quarkus.log.category."io.quarkus.vault".level=DEBUG
-
-#quarkus.log.level=DEBUG
-#quarkus.log.console.level=DEBUG