Better support for multiple AWS Accounts in AWS Auth Backend #3330

Closed
hrzbrg opened this issue Sep 13, 2017 · 2 comments · Fixed by #3907
Comments

@hrzbrg

hrzbrg commented Sep 13, 2017

Feature Request:

Disclaimer: I hand this in as a feature request, because from my understanding the current behavior of the following is not a bug but the intended behavior.

From my understanding the Create Role function can take parameters to bind a role to certain AWS facts like bound_account_id for example. However in our company setup we maintain several AWS Accounts. They hold for example the staging environment and developer test environments. So the applications running in these accounts are mostly the same (a subset of ~100 microservices).

I have Vault running in one of these accounts and the server has an IAM role which can assume a role on other accounts as described here in the docs.

What I would like to do is to create a Vault role that a service can use from different accounts. However, if I give the Create Role function multiple IDs as bound_account_id (or multiple VPC IDs as bound_vpc_id), it happily accepts it, but I cannot authenticate.

Role:

{
  "allow_instance_migration": false,
  "auth_type": "ec2",
  "bound_account_id": "",
  "bound_ami_id": "",
  "bound_iam_instance_profile_arn": "",
  "bound_iam_principal_arn": "",
  "bound_iam_principal_id": "",
  "bound_iam_role_arn": "",
  "bound_region": "eu-west-1",
  "bound_subnet_id": "",
  "bound_vpc_id": "vpc-12341234, vpc-11112222",
  "disallow_reauthentication": false,
  "inferred_aws_region": "",
  "inferred_entity_type": "",
  "max_ttl": 3600,
  "period": 0,
  "policies": [
    "dummyrole",
    "default"
  ],
  "resolve_aws_unique_ids": true,
  "role_tag": "",
  "ttl": 0
}

Error:

{"errors":["Error validating instance: VPC ID \"vpc-12341234\" does not satisfy the constraint on role \"dummyrole\""]}

It would be great to see the above role working, or a good hint on how the intended way of using roles in the described setup would be.

@joelthompson
Contributor

Hi @hrzbrg -- correct, this is a limitation of the auth backend. You would need to create one role for each of the bound VPCs, though you can associate the same set of policies with each of those roles.

As an alternative workaround, you could switch to using the aws auth_type and have each of your instances call sts:AssumeRole with the same role. You could then just bind a single Vault role to that role ARN. (Basically, this just uses sts:AssumeRole as a layer of abstraction.)
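
The two workarounds in the reply above, worked through as a small planning script. This is an added example, not Vault's code and not code from either participant: it models the exact-match behaviour behind the error in the issue (an assumption drawn from the error text, not from Vault's source), splits the posted role into one ec2-type role per VPC, and builds the single iam-type role bound to a shared assumed role together with that role's IAM trust policy. The account ID 123456789012, the IAM role name vault-client, the instance-profile ARNs and the Vault role names are placeholders; `auth_type=iam` is assumed to be the Vault value for the sts:AssumeRole-based login path the reply refers to.

```python
"""Plan Vault AWS auth roles for a fleet spread over several accounts/VPCs.

Added example, not Vault's own code. Models the constraint check that
produces the error in the issue, then emits the role definitions for
(1) one ec2-type role per VPC and (2) one iam-type role bound to a role
that every instance assumes via sts:AssumeRole.
"""
import json

# Constructed from the role posted in the issue: two VPC IDs in one field.
ISSUE_ROLE = {
    "auth_type": "ec2",
    "bound_account_id": "",
    "bound_region": "eu-west-1",
    "bound_vpc_id": "vpc-12341234, vpc-11112222",
    "policies": ["dummyrole", "default"],
    "max_ttl": 3600,
    "ttl": 0,
}


def satisfies_constraint(bound_value, instance_value):
    """Assumed model of the check behind the error message: an empty bound value
    is unconstrained, otherwise the instance value must equal the bound string
    exactly. A comma-separated list can never equal a single VPC ID."""
    return bound_value == "" or bound_value == instance_value


def split_bound_value(value):
    """Turn "vpc-a, vpc-b" into ["vpc-a", "vpc-b"], dropping stray whitespace."""
    return [v.strip() for v in value.split(",") if v.strip()]


def one_role_per_vpc(base_name, role):
    """Workaround 1: one ec2-type role per VPC, identical policies on each.
    Returns {vault_role_name: role_definition} (role names are placeholders)."""
    roles = {}
    for vpc_id in split_bound_value(role["bound_vpc_id"]):
        per_vpc = dict(role)
        per_vpc["bound_vpc_id"] = vpc_id
        roles[f"{base_name}-{vpc_id}"] = per_vpc
    return roles


def iam_role_for_shared_arn(role, account_id, iam_role_name):
    """Workaround 2: a single iam-type role bound to the IAM role that every
    instance assumes first. account_id and iam_role_name are placeholders."""
    return {
        "auth_type": "iam",
        "bound_iam_principal_arn": f"arn:aws:iam::{account_id}:role/{iam_role_name}",
        "policies": list(role["policies"]),
        "max_ttl": role["max_ttl"],
        "ttl": role["ttl"],
    }


def trust_policy(instance_role_arns):
    """Trust policy for the shared role: only the listed instance-profile roles
    (one per account) may call sts:AssumeRole on it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": list(instance_role_arns)},
            "Action": "sts:AssumeRole",
        }],
    }


def vault_write_commands(roles, mount="auth/aws"):
    """Render `vault write <mount>/role/<name> k=v ...` lines. Empty bound
    values are omitted; list values are joined with commas as the CLI expects."""
    lines = []
    for name, definition in roles.items():
        args = []
        for key, value in sorted(definition.items()):
            if value == "" or value is None:
                continue
            if isinstance(value, list):
                value = ",".join(value)
            args.append(f"{key}={value}")
        lines.append(f"vault write {mount}/role/{name} " + " ".join(args))
    return lines


if __name__ == "__main__":
    # Reproduce the failure: the first VPC from the issue does not match the list.
    print(satisfies_constraint(ISSUE_ROLE["bound_vpc_id"], "vpc-12341234"))
    per_vpc = one_role_per_vpc("dummyrole", ISSUE_ROLE)
    shared = {"dummyrole-shared": iam_role_for_shared_arn(ISSUE_ROLE, "123456789012", "vault-client")}
    for line in vault_write_commands({**per_vpc, **shared}):
        print(line)
    print(json.dumps(trust_policy([
        "arn:aws:iam::111111111111:role/app-instance",  # placeholder, staging account
        "arn:aws:iam::222222222222:role/app-instance",  # placeholder, dev account
    ]), indent=2))
```

With the iam-type role, the per-account instance-profile roles need sts:AssumeRole on the shared role and the shared role's trust policy must list them; Vault then only ever sees the one principal ARN, which is the abstraction layer the reply describes.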

@jgrossmac

+1 👍 Would like to see support for multiple AWS accounts as well.
