hashicorp
diff --git a/‎changelog/_14001.txt‎
Lines changed: 3 additions & 0 deletions b/‎changelog/_14001.txt‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎ui/app/forms/sync/aws-sm.ts‎
Lines changed: 68 additions & 45 deletions b/‎ui/app/forms/sync/aws-sm.ts‎
Lines changed: 68 additions & 45 deletions
diff --git a/‎ui/app/forms/sync/azure-kv.ts‎
Lines changed: 63 additions & 43 deletions b/‎ui/app/forms/sync/azure-kv.ts‎
Lines changed: 63 additions & 43 deletions
diff --git a/‎ui/app/forms/sync/create-destination.ts‎
Lines changed: 104 additions & 0 deletions b/‎ui/app/forms/sync/create-destination.ts‎
Lines changed: 104 additions & 0 deletions
@@ -0,0 +1,3 @@
+```release-note:feature
+**Secrets Sync UI**: Added Workload Identity Federation (WIF) support in the UI for AWS, Azure, and GCP sync destinations
+```
@@ -3,63 +3,86 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import Form from 'vault/forms/form';
 import FormField from 'vault/utils/forms/field';
 import FormFieldGroup from 'vault/utils/forms/field-group';
-import { commonFields, getPayload } from './shared';
+import { regions } from 'vault/helpers/aws-regions';
+import { CredentialType, DestinationType } from 'sync/utils/constants';
+import CreateDestinationForm from './create-destination';
 
 import type { SystemWriteSyncDestinationsAwsSmNameRequest } from '@hashicorp/vault-client-typescript';
 
 type AwsSmFormData = SystemWriteSyncDestinationsAwsSmNameRequest & {
   name: string;
+  credential_type: CredentialType;
 };
 
-export default class AwsSmForm extends Form<AwsSmFormData> {
-  formFieldGroups = [
-    new FormFieldGroup('default', [
-      commonFields.name,
-      new FormField('region', 'string', {
-        subText:
-          'For AWS secrets manager, the name of the region must be supplied, something like “us-west-1.” If empty, Vault will use the AWS_REGION environment variable if configured.',
-        editDisabled: true,
-      }),
-      new FormField('role_arn', 'string', {
-        label: 'Role ARN',
-        subText:
-          'Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate.',
-      }),
-      new FormField('external_id', 'string', {
-        label: 'External ID',
-        subText:
-          'Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination.',
-      }),
-    ]),
-    new FormFieldGroup('Credentials', [
-      new FormField('access_key_id', 'string', {
-        label: 'Access key ID',
-        subText:
-          'Access key ID to authenticate against the secrets manager. If empty, Vault will use the AWS_ACCESS_KEY_ID environment variable if configured.',
-        sensitive: true,
-        noCopy: true,
-      }),
-      new FormField('secret_access_key', 'string', {
-        label: 'Secret access key',
-        subText:
-          'Secret access key to authenticate against the secrets manager. If empty, Vault will use the AWS_SECRET_ACCESS_KEY environment variable if configured.',
-        sensitive: true,
-        noCopy: true,
-      }),
-    ]),
-    new FormFieldGroup('Advanced configuration', [
-      commonFields.granularity,
-      commonFields.secretNameTemplate,
-      commonFields.customTags,
-    ]),
-  ];
+export default class AwsSmForm extends CreateDestinationForm<AwsSmFormData> {
+  get isAccountPluginConfigured() {
+    return !!this.data.access_key_id;
+  }
+
+  get isWifPluginConfigured() {
+    const { identity_token_audience, identity_token_ttl, role_arn } = this.data;
+    return !!identity_token_audience || !!identity_token_ttl || !!role_arn;
+  }
+
+  accountCredentialGroup = new FormFieldGroup('IAM credentials', [
+    new FormField('access_key_id', 'string', {
+      label: 'Access key ID',
+      subText:
+        'Access key ID to authenticate against the secrets manager. If empty, Vault will use the AWS_ACCESS_KEY_ID environment variable if configured.',
+      sensitive: true,
+      noCopy: true,
+    }),
+    new FormField('secret_access_key', 'string', {
+      label: 'Secret access key',
+      subText:
+        'Secret access key to authenticate against the secrets manager. If empty, Vault will use the AWS_SECRET_ACCESS_KEY environment variable if configured.',
+      sensitive: true,
+      noCopy: true,
+    }),
+  ]);
+
+  get wifCredentialGroup() {
+    return this.createWifCredentialGroup();
+  }
+
+  get formFieldGroups() {
+    const credentialGroup =
+      this.credentialType === CredentialType.ACCOUNT ? this.accountCredentialGroup : this.wifCredentialGroup;
+    return [
+      new FormFieldGroup('Destination details', [
+        this.commonFields.name,
+        new FormField('region', 'string', {
+          possibleValues: regions(),
+          noDefault: true,
+          subText:
+            'For AWS secrets manager, the name of the region must be supplied, something like “us-west-1.” If empty, Vault will use the AWS_REGION environment variable if configured.',
+          editDisabled: true,
+        }),
+        new FormField('role_arn', 'string', {
+          label: 'Role ARN',
+          subText:
+            'Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate.',
+        }),
+        new FormField('external_id', 'string', {
+          label: 'External ID',
+          subText:
+            'Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination.',
+        }),
+      ]),
+      credentialGroup,
+      new FormFieldGroup('Advanced configuration', [
+        this.commonFields.granularity,
+        this.commonFields.secretNameTemplate,
+        this.commonFields.customTags,
+      ]),
+    ];
+  }
 
   toJSON() {
     const formState = super.toJSON();
-    const data = getPayload<AwsSmFormData>('aws-sm', this.data, this.isNew);
+    const data = this.getPayload<AwsSmFormData>(DestinationType.AwsSm, this.data, this.isNew);
     return { ...formState, data };
   }
 }
@@ -3,61 +3,81 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import Form from 'vault/forms/form';
 import FormField from 'vault/utils/forms/field';
 import FormFieldGroup from 'vault/utils/forms/field-group';
-import { commonFields, getPayload } from './shared';
+import { CredentialType, DestinationType } from 'sync/utils/constants';
 
 import type { SystemWriteSyncDestinationsAzureKvNameRequest } from '@hashicorp/vault-client-typescript';
+import CreateDestinationForm from './create-destination';
 
 type AzureKvFormData = SystemWriteSyncDestinationsAzureKvNameRequest & {
   name: string;
+  credential_type: CredentialType;
 };
 
-export default class AzureKvForm extends Form<AzureKvFormData> {
-  formFieldGroups = [
-    new FormFieldGroup('default', [
-      commonFields.name,
-      new FormField('key_vault_uri', 'string', {
-        label: 'Key Vault URI',
-        subText:
-          'URI of an existing Azure Key Vault instance. If empty, Vault will use the KEY_VAULT_URI environment variable if configured.',
-        editDisabled: true,
-      }),
-      new FormField('tenant_id', 'string', {
-        label: 'Tenant ID',
-        subText:
-          'ID of the target Azure tenant. If empty, Vault will use the AZURE_TENANT_ID environment variable if configured.',
-        editDisabled: true,
-      }),
-      new FormField('cloud', 'string', {
-        subText: 'Specifies a cloud for the client. The default is Azure Public Cloud.',
-        editDisabled: true,
-      }),
-      new FormField('client_id', 'string', {
-        label: 'Client ID',
-        subText:
-          'Client ID of an Azure app registration. If empty, Vault will use the AZURE_CLIENT_ID environment variable if configured.',
-      }),
-    ]),
-    new FormFieldGroup('Credentials', [
-      new FormField('client_secret', 'string', {
-        subText:
-          'Client secret of an Azure app registration. If empty, Vault will use the AZURE_CLIENT_SECRET environment variable if configured.',
-        sensitive: true,
-        noCopy: true,
-      }),
-    ]),
-    new FormFieldGroup('Advanced configuration', [
-      commonFields.granularity,
-      commonFields.secretNameTemplate,
-      commonFields.customTags,
-    ]),
-  ];
+export default class AzureKvForm extends CreateDestinationForm<AzureKvFormData> {
+  // the "clientSecret" param is not checked because it's never returned by the API.
+  // thus we can never say for sure if the account accessType has been configured so we always return false
+  isAccountPluginConfigured = false;
+
+  get isWifPluginConfigured() {
+    const { identity_token_audience, identity_token_ttl } = this.data;
+    return !!identity_token_audience || !!identity_token_ttl;
+  }
+
+  accountCredentialGroup = new FormFieldGroup('Client secret', [
+    new FormField('client_secret', 'string', {
+      subText:
+        'Client secret of an Azure app registration. If empty, Vault will use the AZURE_CLIENT_SECRET environment variable if configured.',
+      sensitive: true,
+      noCopy: true,
+    }),
+  ]);
+
+  get wifCredentialGroup() {
+    return this.createWifCredentialGroup();
+  }
+
+  get formFieldGroups() {
+    const credentialGroup =
+      this.credentialType === CredentialType.ACCOUNT ? this.accountCredentialGroup : this.wifCredentialGroup;
+    return [
+      new FormFieldGroup('Destination details', [
+        this.commonFields.name,
+        new FormField('key_vault_uri', 'string', {
+          label: 'Key Vault URI',
+          subText:
+            'URI of an existing Azure Key Vault instance. If empty, Vault will use the KEY_VAULT_URI environment variable if configured.',
+          editDisabled: true,
+        }),
+        new FormField('tenant_id', 'string', {
+          label: 'Tenant ID',
+          subText:
+            'ID of the target Azure tenant. If empty, Vault will use the AZURE_TENANT_ID environment variable if configured.',
+          editDisabled: true,
+        }),
+        new FormField('cloud', 'string', {
+          subText: 'Specifies a cloud for the client. The default is Azure Public Cloud.',
+          editDisabled: true,
+        }),
+        new FormField('client_id', 'string', {
+          label: 'Client ID',
+          subText:
+            'Client ID of an Azure app registration. If empty, Vault will use the AZURE_CLIENT_ID environment variable if configured.',
+        }),
+      ]),
+      credentialGroup,
+      new FormFieldGroup('Advanced configuration', [
+        this.commonFields.granularity,
+        this.commonFields.secretNameTemplate,
+        this.commonFields.customTags,
+      ]),
+    ];
+  }
 
   toJSON() {
     const formState = super.toJSON();
-    const data = getPayload<AzureKvFormData>('azure-kv', this.data, this.isNew);
+    const data = this.getPayload<AzureKvFormData>(DestinationType.AzureKv, this.data, this.isNew);
     return { ...formState, data };
   }
 }
@@ -0,0 +1,104 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Form from 'vault/forms/form';
+import FormField from 'vault/utils/forms/field';
+import FormFieldGroup from 'vault/utils/forms/field-group';
+import { findDestination } from 'core/helpers/sync-destinations';
+import { CredentialType, DestinationType } from 'sync/utils/constants';
+
+import { tracked } from '@glimmer/tracking';
+
+export const DEFAULT_IDENTITY_TOKEN_TTL = '3600s';
+
+export default class CreateDestinationForm<T extends object> extends Form<T> {
+  @tracked credentialType: CredentialType = CredentialType.ACCOUNT;
+
+  commonFields = {
+    name: new FormField('name', 'string', {
+      subText: 'Specifies the name for this destination.',
+      editDisabled: true,
+    }),
+
+    secretNameTemplate: new FormField('secret_name_template', 'string', {
+      subText:
+        'Go-template string that indicates how to format the secret name at the destination. The default template varies by destination type but is generally in the form of "vault-{{ .MountAccessor }}-{{ .SecretPath }}" e.g. "vault-kv_9a8f68ad-my-secret-1". Optional.',
+    }),
+
+    granularity: new FormField('granularity', 'string', {
+      editType: 'radio',
+      label: 'Secret sync granularity',
+      possibleValues: [
+        {
+          label: 'Secret path',
+          subText: 'Sync entire secret contents as a single entry at the destination.',
+          value: 'secret-path',
+        },
+        {
+          label: 'Secret key',
+          subText: 'Sync each key-value pair of secret data as a distinct entry at the destination.',
+          helpText:
+            'Only top-level keys will be synced and any nested or complex values will be encoded as a JSON string.',
+          value: 'secret-key',
+        },
+      ],
+    }),
+
+    customTags: new FormField('custom_tags', 'object', {
+      subText:
+        'An optional set of informational key-value pairs added as additional metadata on secrets synced to this destination. Custom tags are merged with built-in tags.',
+      editType: 'kv',
+    }),
+  };
+
+  getPayload<T>(type: DestinationType, data: T, isNew: boolean) {
+    const { maskedParams, readonlyParams } = findDestination(type);
+    const payload: T = { ...data };
+
+    // the server returns ****** for sensitive fields
+    // these are represented as maskedParams in the sync-destinations helper
+    // when editing, remove these fields from the payload if they haven't been changed
+    if (!isNew) {
+      maskedParams.forEach((maskedParam) => {
+        const key = maskedParam as keyof T;
+        const value = (payload[key] as string) || '';
+        // if the value is asterisks, remove it from the payload
+        if (value.match(/^\*+$/)) {
+          delete payload[key];
+        }
+      });
+
+      // to preserve the original Ember Data payload structure, remove fields that are not editable
+      // since editing is disabled in the form the value will not change so this is mostly to satisfy existing test conditions
+      readonlyParams.forEach((readonlyParam) => {
+        delete payload[readonlyParam as keyof T];
+      });
+    }
+
+    return payload;
+  }
+
+  protected createWifCredentialGroup(additionalFields: FormField[] = []): FormFieldGroup {
+    const commonFields = [
+      new FormField('identity_token_audience', 'string', {
+        label: 'Identity token audience',
+        sensitive: true,
+        noCopy: true,
+      }),
+      new FormField('identity_token_key', 'string', {
+        label: 'Identity token key',
+        sensitive: true,
+        noCopy: true,
+      }),
+      new FormField('identity_token_ttl', 'string', {
+        label: 'Identity token time to live (TTL)',
+        editType: 'ttl',
+        helperTextEnabled: 'The TTL of generated tokens.',
+        hideToggle: true,
+      }),
+    ];
+    return new FormFieldGroup('WIF credentials', [...additionalFields, ...commonFields]);
+  }
+}
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:feature
	`2`	`+Secrets Sync UI: Added Workload Identity Federation (WIF) support in the UI for AWS, Azure, and GCP sync destinations`
	`3`	+```