Add STS signing for AWS auth

[jasonodonnell]

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

Relates OR Closes #0000

Release note for CHANGELOG:

provider/auth_login: Automatically sign requests when using AWS IAM auth

I'm still looking for a way to unit test this since it requires instances profiles on AWS, but this has tested well on an EC2 VM using:

provider "vault" {
  address         = "http://127.0.0.1:8200"
  auth_login {
    path = "auth/aws/login"
    method = "aws"
    parameters = {
      role = "dev-role-iam"
    }
  }
}

data "vault_generic_secret" "example" {
  path = "secret/test"
}

Bash script to setup test:

#!/bin/bash

export VAULT_TOKEN=root
export VAULT_ADDR=http://127.0.0.1:8200
ROLE_ARN='YOUR ARN HERE'

echo "bar" | vault kv put secret/test foo=-

vault policy write my-policy - << EOF
path "secret/data/test" {
  capabilities = ["create", "read", "update", "list"]
}

path "auth/token/create" {
capabilities = ["create", "read", "update", "list"]
}
EOF

vault auth enable aws
vault write -force auth/aws/config/client

vault write auth/aws/role/dev-role-iam \
  auth_type=iam \
  bound_iam_principal_arn=${ROLE_ARN?} \
  policies=my-policy

Fixes #866.

[jasonodonnell]

I might be able to mock IAM similar to how Vault does it, so I'm looking into this: https://github.com/hashicorp/vault/blob/master/builtin/credential/aws/path_login_test.go#L548.

[mengesb]

There's an ec2 metadata mock that you could use potentially. I use it on my bash scripted vault-iam-auth I linked in the other issue linked here... Check it out. I also have the Google metadata mock service there too so you could add that provider as well if you're fired up at the keyboard. I'm willing to help test!

[mengesb]

May need to sort both ec2 instance auth and iam auth for AWS, etc al

[tomhjp]

LGTM

[sekemp]

Thanks to all involved for getting this feature built and merged in so quickly. This is extremely useful for me.

[angeloskaltsikis]

Hey @jasonodonnell ,
We had a strange behavior using this feature.
While this worked as a charm from our local Terragrunt/Terraform installation we received this strange message when running it from Atlantis.

* error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>SignatureDoesNotMatch</Code>
    <Message>Credential should be scoped to a valid region, not 'eu-west-1'. </Message>
  </Error>
  <RequestId>blahblahblah</RequestId>
</ErrorResponse>

This has been fixed by introducing the parameter sts_region in our provider.
Is there any chance that you know why we encountered that?

[mengesb]

This might relate to the defaults for region APIs. i.e., some APIs while they have a short form (sts.amazonaws.com) may also be accessed via the regional endpoint (i.e. sts.eu-west-1.amazonaws.com) if this is one of the regional APIs (I've not checked for this circumstance). There may be a default to scope to the base default region of us-east-1 which is the default for just about every AWS service, regional API specific or not.