We used to be able to create an AWS auth role that is bound to an IAM role using a command line like this:
vault write auth/aws/role/<role-name> auth_type=iam inferred_entity_type=ec2_instance inferred_aws_region=<region> bound_iam_principal_arn=arn:aws:iam::<account-id>:role/<iam-role-name> bound_iam_instance_profile_arn=arn:aws:iam::<account-id>:instance-profile/<iam-instance-profile-name> policies=dev bound_vpc_id=<vpc-id> period=6h
Since upgrading to 0.7.3 though this command doesn't work anymore. We get this error now:
Error writing data to auth/aws/role/<role-name>: Error making API request.
URL: PUT https://127.0.0.1:8200/v1/auth/aws/role/<role-name>
Code: 400. Errors:
* failed updating the unique ID of ARN "arn:aws:iam::<account-id>:role/<iam-role-name>": &awserr.requestError{awsError:(*awserr.baseError)(0xc426ae5c00), statusCode:403, requestID:"<guid>"}
Judging by the error message, it seems to be related to #2814.
We use auth/aws relying on the IAM credentials of the vault instances.
With this release do we need to add new permissions to the vault instance profile to be able to do this query for unique ID or is this just a regression?
Hi @shayangz -- this was an intentional change, but I should have worked with the Vault team to be more explicit about communicating this change. I'm sorry for causing any confusion or issues for you.
Two options for you:
1. Add iam:GetRole and iam:GetUser permissions to the Vault instance profile, which increases the security of the bindings. (TBC, if you will only ever bind to IAM roles, you only need iam:GetRole, but if you also want to bind to IAM users, you'll need to add iam:GetUser as well.)
2. Add resolve_aws_unique_ids=false to your vault write command, which restores the previous behavior, but see the notes on this parameter in the docs (just search for resolve_aws_unique_ids) for the security implications of setting this to false.
Hope this helps!
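Option 1 in practice, as an added example that is not from the thread or from Vault's own docs: a least-privilege IAM policy for the Vault instance profile that grants only the lookups the unique-ID resolution needs, scoped to the principals actually bound. The account id and principal names are placeholders.

```shell
#!/bin/sh
# Added example, not from the issue thread: a least-privilege IAM policy for the
# Vault instance profile so that the 0.7.3 default (resolve_aws_unique_ids=true)
# can look up the unique IDs of the principals a role is bound to.
# Account id and principal names used below are placeholders to substitute.

# vault_unique_id_policy ACCOUNT_ID BOUND_ROLE_NAME [BOUND_USER_NAME]
# Prints an IAM policy document allowing iam:GetRole on the bound role only and,
# when a user name is given, iam:GetUser on that user only (bindings to IAM
# users are the sole reason to grant iam:GetUser at all).
vault_unique_id_policy() {
  account="$1" role="$2" user="$3"
  user_stmt=""
  if [ -n "$user" ]; then
    user_stmt=",
    {
      \"Effect\": \"Allow\",
      \"Action\": \"iam:GetUser\",
      \"Resource\": \"arn:aws:iam::${account}:user/${user}\"
    }"
  fi
  printf '%s\n' "{
  \"Version\": \"2012-10-17\",
  \"Statement\": [
    {
      \"Effect\": \"Allow\",
      \"Action\": \"iam:GetRole\",
      \"Resource\": \"arn:aws:iam::${account}:role/${role}\"
    }${user_stmt}
  ]
}"
}

# policy_grants ACTION POLICY_TEXT: succeeds when the document names ACTION.
policy_grants() {
  printf '%s' "$2" | grep -q "\"$1\""
}

# Stand-alone run: a role-only binding, as in the issue, needs iam:GetRole alone.
policy=$(vault_unique_id_policy 123456789012 my-app-role)
printf '%s\n' "$policy"
# Attach it with: aws iam put-role-policy --role-name <vault-instance-role> \
#   --policy-name vault-aws-auth-unique-ids --policy-document "$policy"
```

Once attached, the original vault write command from the issue works unchanged, with resolve_aws_unique_ids left at its default of true.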
Thanks for the quick reply. Going with option 1 resolved the issue.
resolve_aws_unique_ids is no longer present in the linked docs.
The API details have been moved into a separate page. See https://www.vaultproject.io/api/auth/aws/index.html#resolve_aws_unique_ids