Description
Ran into some difficulty using the aws_iam auth method here in the vault-ruby library. While my specific issue has a technical resolution, I also often wonder why things went wrong.
Perhaps it's a matter of semantics, but in this particular case I think the auth.aws_iam method signature is unnecessarily confusing and goes to usability. After all, the signatures are meant to be read by humans.
```ruby
def aws_iam(role, credentials_provider, iam_auth_header_value = nil, sts_endpoint = 'https://sts.amazonaws.com', route = nil)
```
- role - the vault role, not aws
- credentials_provider - obviously AWS since there's no corresponding concept in vault
- iam_auth_header_value - again, clearly an argument passed to AWS
- sts_endpoint - also AWS
- route - a vault parameter
There are a couple of things here about the route argument:
First, it appears last, after three AWS arguments. Basically, the two vault arguments are bookending the AWS argument list. It might be clearer if the vault arguments were together, followed by the AWS arguments.
Second, route is a very REST-specific term. I might have missed it, but I can't ever recall coming across the term in the vault documentation. Typically the vault docs use path to refer to that component of the URL.
FWIW, my brain - perhaps lazy as it is - sees the first two arguments and knows they need to be filled in, then sees iam_auth_header_value and basically stops reading. If it sees route at the end at all, it doesn't recognize it as vault terminology and so ignores it as well.