AWS IAM auth token fails to renew #2781

Closed

shayangz opened this issue May 30, 2017 · 4 comments

@shayangz

For auth tokens generated using the aws iam auth type with a bound IAM instance profile, we are not able to renew the tokens.

This is on Vault v0.7.2.

Auth role is defined as

$vault write auth/aws/role/iam-role auth_type=iam inferred_entity_type=ec2_instance inferred_aws_region=<region> bound_iam_instance_profile_arn=arn:aws:iam::<account-id>:instance-profile/<path> policies=dev bound_vpc_id=<vpc-id> max_ttl=24h

Successful auth happens

$vault auth -method=aws header_value=<header> role=iam-role

On inspecting the token, everything looks fine

$vault token-lookup
Key             	Value
---             	-----
accessor        	<guid>
creation_time   	1495943033
creation_ttl    	86400
display_name    	<display-name>
expire_time     	2017-05-29T03:43:53.150967985Z
explicit_max_ttl	0
id              	<guid>
issue_time      	2017-05-28T03:43:53.15096762Z
meta            	map[inferred_entity_type:ec2_instance account_id:<account-id> auth_type:iam canonical_arn:arn:aws:iam::<account-id>:role/<inferred-role> client_arn:arn:aws:sts::<account-id>:assumed-role/<inferred-role>/<instance-id> inferred_aws_region:<region> inferred_entity_id:<instance-id>]
num_uses        	0
orphan          	true
path            	auth/aws/login
policies        	[default dev]
renewable       	true
ttl             	86220

but when we attempt to renew the token

$vault token-renew
Error renewing token: Error making API request.

URL: PUT http://<vault-server-fqdn>:8200/v1/auth/token/renew-self
Code: 500. Errors:

* 1 error occurred:

* failed to renew entry: role no longer bound to arn "arn:aws:iam::<account-id>:role/<inferred-role>"

Interestingly, even though the role uses bound_iam_instance_profile_arn, both the meta of the token and the error message reference the inferred role.

@jefferai
Member

jefferai commented Jun 3, 2017

@joelthompson Can you take a look?

@jefferai jefferai added this to the 0.7.3 milestone Jun 3, 2017
@joelthompson
Contributor

@jefferai -- ack, will take a look.

@joelthompson
Contributor

@shayangz, thanks for the bug report! I believe I've tracked this down to a bug which is triggered when you are using the iam auth type, inferring ec2_instance, and NOT specifying any bound_iam_principal_arn.

If this is critical for you, I believe you should be able to update your role to specify the bound_iam_principal_arn to match arn:aws:iam::<account-id>:role/<inferred-role>. I don't believe this will cause any security issues as you're experiencing a "fail closed" bug in ensuring that the bound_iam_principal_arn doesn't change -- I was being overly aggressive in ensuring it didn't change by breaking the use case where it was never set at all (and only relied on inferred bindings).

@jefferai -- I hope to have a public PR to fix this within the next day since it's a relatively simple fix.

joelthompson added a commit to joelthompson/vault that referenced this issue Jun 6, 2017
Previously, the renew method would ALWAYS check to ensure the
authenticated IAM principal ARN matched the bound ARN.  However, there
is a valid use case in which no bound_iam_principal_arn is specified and
all bindings are done through inferencing. When a role is configured
like this, clients won't be able to renew their token because of the
check.

This now checks to ensure that the bound_iam_principal_arn is not empty
before requiring that it match the originally authenticated client.

Fixes hashicorp#2781
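The fail-closed renew check described in the commit message above, as an added Go example that is not Vault's own code: the role and token structures, the ARNs, and the function names are constructed stand-ins, and the unconditional comparison is shown beside the fixed form that only enforces bound_iam_principal_arn when it was actually set.

```go
package main

import "fmt"

// awsRole mirrors the one role setting this bug hinges on (constructed, not
// Vault's real role struct). It is empty when the role relies on inferred
// bindings only (bound_iam_instance_profile_arn, bound_vpc_id, ...).
type awsRole struct {
	BoundIamPrincipalARN string
}

// tokenMeta holds what login stored on the token (constructed sample):
// the canonical ARN of the principal that authenticated.
type tokenMeta struct {
	CanonicalARN string
}

// buggyRenewCheck reproduces the pre-fix behaviour: the bound ARN is compared
// unconditionally, so a role with no bound_iam_principal_arn always fails,
// which is exactly the "role no longer bound to arn" error from the report.
func buggyRenewCheck(role awsRole, meta tokenMeta) error {
	if role.BoundIamPrincipalARN != meta.CanonicalARN {
		return fmt.Errorf("role no longer bound to arn %q", meta.CanonicalARN)
	}
	return nil
}

// fixedRenewCheck applies the fix: only enforce the principal binding when one
// was configured. A role that was later rebound to a different principal still
// fails closed. Re-validation of the inferred bindings is out of scope here.
func fixedRenewCheck(role awsRole, meta tokenMeta) error {
	if role.BoundIamPrincipalARN != "" && role.BoundIamPrincipalARN != meta.CanonicalARN {
		return fmt.Errorf("role no longer bound to arn %q", meta.CanonicalARN)
	}
	return nil
}

func main() {
	// Constructed account id and role name; not real identifiers.
	meta := tokenMeta{CanonicalARN: "arn:aws:iam::123456789012:role/inferred-role"}
	cases := []awsRole{
		{BoundIamPrincipalARN: ""},                                             // inferred bindings only
		{BoundIamPrincipalARN: meta.CanonicalARN},                              // the reporter's workaround
		{BoundIamPrincipalARN: "arn:aws:iam::123456789012:role/other-role"}, // role rebound after login
	}
	for _, r := range cases {
		fmt.Printf("bound=%q buggy=%v fixed=%v\n", r.BoundIamPrincipalARN,
			buggyRenewCheck(r, meta), fixedRenewCheck(r, meta))
	}
}
```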
@shayangz
Author

shayangz commented Jun 7, 2017

Thanks, @joelthompson. Your workaround solves the issue for us now. Looking forward to the fix getting released.

jefferai pushed a commit that referenced this issue Jun 7, 2017