
Creation of aws auth role with a bound iam role doesn't work since 0.7.3 #2852

Closed
shayangz opened this issue Jun 14, 2017 · 4 comments

@shayangz

We used to be able to create an aws auth role that is bound to an iam role using a command line like this:

vault write auth/aws/role/<role-name> auth_type=iam inferred_entity_type=ec2_instance inferred_aws_region=<region> bound_iam_principal_arn=arn:aws:iam::<account-id>:role/<iam-role-name> bound_iam_instance_profile_arn=arn:aws:iam::<account-id>:instance-profile/<iam-instance-profile-name> policies=dev bound_vpc_id=<vpc-id> period=6h

Since upgrading to 0.7.3, though, this command doesn't work anymore. We get this error now:

Error writing data to auth/aws/role/<role-name>: Error making API request.

URL: PUT https://127.0.0.1:8200/v1/auth/aws/role/<role-name>
Code: 400. Errors:

* failed updating the unique ID of ARN "arn:aws:iam::<account-id>:role/<iam-role-name>": &awserr.requestError{awsError:(*awserr.baseError)(0xc426ae5c00), statusCode:403, requestID:"<guid>"}

Judging by the error message, it seems to be related to #2814.

We use auth/aws relying on the IAM credentials of the vault instances.

With this release do we need to add new permissions to the vault instance profile to be able to do this query for unique ID or is this just a regression?

@joelthompson
Contributor

Hi @shayangz -- this was an intentional change, but I should have worked with the Vault team to be more explicit about communicating this change. I'm sorry for causing any confusion or issues for you.

Two options for you:

  1. (Recommended) Add iam:GetRole and iam:GetUser permissions to the Vault instance profile, which increases the security of the bindings. (TBC, if you will only ever bind to IAM roles, you only need iam:GetRole, but if you also want to bind to IAM users, you'll need to add iam:GetUser as well.)
  2. Add resolve_aws_unique_ids=false to your vault write command, which restores the previous behavior, but see the notes on this parameter in the docs (just search for resolve_aws_unique_ids) for the security implications of setting this to false.

Hope this helps!
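An added illustration of what option 1 buys over option 2, not code from Vault or from this thread: a simplified model of the bound_iam_principal_arn check (the real implementation also canonicalizes assumed-role ARNs, which is ignored here) plus a helper that derives which of iam:GetRole / iam:GetUser the Vault instance profile needs for a given set of bound ARNs. All ARNs and unique IDs are constructed sample values.

```python
# Added illustration (not Vault's code): how a unique-ID binding differs from a
# plain ARN-string binding, and which IAM permissions the Vault instance profile
# needs to resolve bound principals. All ARNs and unique IDs are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    arn: str        # e.g. arn:aws:iam::123456789012:role/app-role
    unique_id: str  # AWS-assigned; changes if the entity is deleted and recreated


def required_iam_actions(bound_arns):
    """Permissions Vault needs on its own instance profile to resolve each bound
    principal ARN to its unique ID (option 1 in the thread): iam:GetRole for
    roles, iam:GetUser for users."""
    actions = set()
    for arn in bound_arns:
        resource = arn.split(":", 5)[5]   # "role/name" or "user/name"
        kind = resource.split("/", 1)[0]
        if kind == "role":
            actions.add("iam:GetRole")
        elif kind == "user":
            actions.add("iam:GetUser")
        else:
            raise ValueError(f"unsupported principal type in {arn}")
    return sorted(actions)


def login_allowed(bound, caller, resolve_aws_unique_ids=True):
    """Simplified bound_iam_principal_arn check. With unique-ID resolution the
    stored unique ID must match the caller's; with resolve_aws_unique_ids=false
    (option 2) only the ARN string is compared, so a recreated entity with the
    same name still passes."""
    if resolve_aws_unique_ids:
        return caller.unique_id == bound.unique_id
    return caller.arn == bound.arn


# Constructed sample data: the role as it existed when 'vault write' bound it,
# then the same role name after it was deleted and recreated (same ARN, new ID).
ROLE_ARN = "arn:aws:iam::123456789012:role/app-role"
ORIGINAL = Principal(ROLE_ARN, "AROAEXAMPLEORIGINAL00")
RECREATED = Principal(ROLE_ARN, "AROAEXAMPLERECREATED1")

if __name__ == "__main__":
    print(required_iam_actions([ROLE_ARN]))
    print("unique-id binding, recreated role:", login_allowed(ORIGINAL, RECREATED))
    print("arn-only binding, recreated role:",
          login_allowed(ORIGINAL, RECREATED, resolve_aws_unique_ids=False))
```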

@shayangz
Author

Thanks for the quick reply. Going with option 1 resolved the issue.

@ezyang
Contributor

ezyang commented Apr 9, 2018

resolve_aws_unique_ids is no longer present in the linked docs

@joelthompson
Contributor

The API details have been moved into a separate page. See https://www.vaultproject.io/api/auth/aws/index.html#resolve_aws_unique_ids
