Issue with auth/aws/login when behind a kiam sts provider in kubernetes #564
Comments
We've just hit this too, exact same setup and version:
versions:
- aws_region: us-east-1
- hvac: 0.10.0
- vault server version: Version 0.10.4
- vault client version: Vault v1.2.3
vault_aws_auth_backend_role role:
This issue seems to be occurring when using both the `hvac.api.auth_methods.aws.Aws.iam_login` and `client.auth_aws_iam` methods in a kubernetes environment behind a kiam service (https://github.com/uswitch/kiam). Essentially, when passing in credentials to the above methods, hvac seems to call out to STS and STS responds with "The security token included in the request is invalid". At first I thought it could be that hvac is making a different call to STS than what boto3 is trying to do, but then I can use the vault cli to perform the same action and the vault cli can actually complete the request. See below:
After digging around in the vault cli code, it seems that vault cli is using botocore to construct a credentials object and having the library sign it with sigv4 signing, and then AWS is giving back credentials that then Vault Client can use to auth against the Vault Server backend yielding a token for the session.
Below is more or less some simple code demonstrating the event as well as the error.
Lastly, we thought it might be related to `bound_account_ids`, but we tried setting that on the role and nothing really changed. I'll have to use python to subprocess out to the vault cli to get a token in memory for now, but if this can be looked into that would be great. We would really like a purely pythonic way to retrieve the vault token from vault using the auth/aws/login endpoint.
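The login flow the post describes (sign an STS GetCallerIdentity request with SigV4, then hand the signed request to Vault's auth/aws/login endpoint), as an added example that is neither the issue author's code nor hvac's: it uses only the Python standard library, and the access key, secret, session token and role name used with it are constructed placeholders. Temporary credentials, such as those a kiam-issued session returns, are only accepted by STS when their session token is sent in the X-Amz-Security-Token header and that header is covered by the signature, which is why the function treats the token as part of the signed request.

```python
import base64
import datetime
import hashlib
import hmac
import json

# Added example (not hvac's or the issue author's code): the SigV4-signed STS
# GetCallerIdentity request that Vault's auth/aws/login replays and verifies.
STS_HOST = "sts.amazonaws.com"
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"


def sign_get_caller_identity(access_key, secret_key, session_token=None,
                             region="us-east-1", now=None):
    """Return SigV4-signed headers for POST https://sts.amazonaws.com/."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    date, amz_date = now.strftime("%Y%m%d"), now.strftime("%Y%m%dT%H%M%SZ")
    scope = "%s/%s/sts/aws4_request" % (date, region)
    headers = {"host": STS_HOST, "x-amz-date": amz_date,
               "content-type": "application/x-www-form-urlencoded; charset=utf-8"}
    if session_token:
        # Temporary credentials (STS, kiam) are only valid together with their
        # session token, so it must be sent and covered by the signature.
        headers["x-amz-security-token"] = session_token
    signed = ";".join(sorted(headers))
    canonical = "\n".join([
        "POST", "/", "",
        "".join("%s:%s\n" % (k, headers[k]) for k in sorted(headers)),
        signed, hashlib.sha256(STS_BODY.encode()).hexdigest()])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()
    for part in (date, region, "sts", "aws4_request"):  # derive the signing key
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = "AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s" % (
        access_key, scope, signed, signature)
    return headers


def vault_iam_login_payload(role, headers):
    """JSON body for POST <vault>/v1/auth/aws/login; each part is base64-encoded."""
    def b64(s):
        return base64.b64encode(s.encode()).decode()
    return {"role": role,
            "iam_http_request_method": "POST",
            "iam_request_url": b64("https://%s/" % STS_HOST),
            "iam_request_headers": b64(json.dumps(headers)),
            "iam_request_body": b64(STS_BODY)}
```

Posting the returned payload to the Vault server's auth/aws/login path yields the client token on success; the headers dict can also be handed to hvac as the signed request if you prefer to keep hvac in the loop.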