Question about using API for AWS IAM Auth


daniel stark

Jun 2, 2017, 6:54:28 AM
to Vault
I'm trying to test AWS auth using IAM roles.  I'm able to enable the backend, create the role, and finally get a token using the CLI:
vault auth -method=aws role=myrole

However, I'm not sure how to do this using the API. The example request is:
    "role": "dev",
    "iam_http_request_method": "POST",
    "iam_request_url": "aHR0cHM6Ly9zdHMuYW1hem9uYXdzLmNvbS8=",
    "iam_request_body": "QWN0aW9uPUdldENhbGxlcklkZW50aXR5JlZlcnNpb249MjAxMS0wNi0xNQ==",
    "iam_request_headers": "..."
}'


I'm curious as to why I need to add these IAM authentication values for the API but not CLI. For example, if I create a base64 encoded header of 'localhost' (which I know is wrong; I don't know how to generate this), my JSON object would be:


{
    "role": "myrole",
    "iam_request_method": "POST",
    "iam_request_url": "aHR0cHM6Ly9zdHMuYW1hem9uYXdzLmNvbS8=",
    "iam_request_body": "QWN0aW9uPUdldENhbGxlcklkZW50aXR5JlZlcnNpb249MjAxMS0wNi0xNQ==",
    "iam_request_headers": "bG9jYWxob3N0"
}

and predictably fails with the error:
{"errors":["didn't supply required authentication values"]}



I know that iam_request_method, iam_request_url, and iam_request_body are standard, so I'm trying to figure out how to programmatically generate iam_request_headers.

Thanks!

Joel Thompson

Jun 2, 2017, 12:43:38 PM
to Vault
Hi Daniel,

Unfortunately, that's the most complex part of the IAM auth method.

My best suggestion is to use the AWS SDK in your language of choice to generate the HTTP request and then pull the headers out of there. Take a look at the source of the CLI for an example of how to do this in Go: https://github.com/hashicorp/vault/blob/master/builtin/credential/aws/cli.go

I also have some code in Python using boto3 I could dig up if you're using Python (I planned on opening a PR for the hvac library, but it seems to be abandoned now). And I'm assuming it would be similar in other languages, but I'm not as familiar with their SDKs.

Hope this helps, let me know if you have more questions.

--Joel

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/14c69c97-7e26-4ec1-b8df-0ea989fa5c85%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jeff Mitchell

Jun 2, 2017, 12:45:51 PM
to Vault
Hi Daniel,

Also, just to further explain your original question, when you do it on the API there is a helper bit that runs within the context of the 'vault auth' command that does a lot of this for you. You can see it at https://github.com/hashicorp/vault/blob/master/builtin/credential/aws/cli.go

When using the API directly you have to recreate this work.

Best,
Jeff

Dan Stark

Jun 2, 2017, 1:45:04 PM
to vault...@googlegroups.com
Thanks Joel and Jeff for the insight. Joel, as it turns out I am using Python 3 if you'd be willing to share :) Both of your responses have helped me a ton so far! Thanks!


Dan Stark

Jun 4, 2017, 2:22:00 PM
to vault...@googlegroups.com
Hey Joel,

I'm getting tripped up getting the headers I need.  If you have that python boto3 implementation you mentioned where you generate the full signed HTTP request and grab the headers that would be helpful. I'll keep plugging away myself, and if I get it working will post to this thread.


Joel Thompson

Jun 4, 2017, 9:02:12 PM
to vault...@googlegroups.com
Hi Dan,

Sorry for taking a while; I was out of town for the weekend and didn't have my laptop with the code available.

This is a Python 2 implementation, but it should show the magic incantation needed to get it just right: https://gist.github.com/joelthompson/378cbe449d541debf771f5a6a171c5ed

Credit goes to Dan Peebles (@copumpkin on GitHub) who first sent something like this to me.

--Joel


Dan Stark

Jun 4, 2017, 9:11:18 PM
to vault...@googlegroups.com
Thanks Joel! Greatly appreciated. I'll give it a shot tomorrow and let you know how it turns out. 


Dan Stark

Jun 5, 2017, 6:51:03 AM
to vault...@googlegroups.com
Hey Joel, the program works great for Python 2. Here's my gist for a Python 3 implementation:
As I mention in the comments, I am having problems with the CaseInsensitive dict - is this possible for Python 3? I'm sorry for the noob question as this is outside of the scope of Vault now.

Joel Thompson

Jun 5, 2017, 8:57:20 AM
to vault...@googlegroups.com
I managed to get something working at https://gist.github.com/joelthompson/378cbe449d541debf771f5a6a171c5ed#file-vault_aws_auth_py3-py

It's not necessarily the prettiest, but it does seem to generate the correct output.

Hope this helps,

--Joel


Dan Stark

Jun 6, 2017, 7:27:22 AM
to vault...@googlegroups.com
Hi Joel,

This is working great! As it turns out I had started going down the path of converting the b64 encoded bytes to a string with str() but thought "wow, this seems way harder to do in Python 2 than 3, maybe I'm going completely down the wrong path."

Like I said this is working now and I'm not concerned about the "prettiness." I appreciate the effort and blazing fast response time in helping me!

In an effort to pay it forward, I also submitted a PR which got merged to fix some typos in a comment and error message in the file you and Jeff referenced: https://github.com/hashicorp/vault/pull/2798

Thanks again for your help.
Dan


Joel Thompson

Jun 6, 2017, 11:24:23 AM
to vault...@googlegroups.com
Awesome, glad it works, and glad I could help! I'm not entirely sure if that's the "right" way to do it in Python 3, as I almost always use 2.

And thanks for fixing my typos :)

--Joel


Cara Khajavi

Feb 13, 2018, 3:05:41 AM
to Vault
Hi! On line 23 of Joel's script https://gist.github.com/joelthompson/378cbe449d541debf771f5a6a171c5ed, what is the meaning of awsIamServerId? I greatly appreciate anyone's help! Thanks!

Joel Thompson

Feb 13, 2018, 4:59:40 AM
to vault...@googlegroups.com
Hi Cara,

It's the X-Vault-AWS-IAM-Server-ID header value as described in https://www.vaultproject.io/docs/auth/aws.html#iam-auth-method: "In addition, Vault allows you to require an additional header, X-Vault-AWS-IAM-Server-ID, to be present to mitigate against different types of replay attacks (such as a signed GetCallerIdentity request stolen from a dev Vault instance and used to authenticate to a prod Vault instance). Vault further requires that this header be one of the headers included in the AWS signature and relies upon AWS to authenticate that signature."

Vault admins configure this value (and whether it's required) by setting iam_server_id_header_value in the /auth/aws/config/client endpoint (see https://www.vaultproject.io/api/auth/aws/index.html#iam_server_id_header_value).

Hope this helps!

--Joel
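Worked example added by the editor; it is neither Joel's gist nor Vault's own CLI code. It does what Joel's first answer describes (build the signed sts:GetCallerIdentity request and pull the headers out), but with only the Python standard library in place of boto3, wraps the result into the /v1/auth/aws/login body shown in the opening post, and puts the X-Vault-AWS-IAM-Server-ID header from the last answer inside the signed headers. The credentials, the server ID "vault.example.com", the us-east-1 region and the list-valued header JSON (the shape Vault's Go CLI gets from marshalling http.Header) are assumptions for the example; nothing here contacts AWS or Vault.

```python
import base64
import datetime
import hashlib
import hmac
import json

# Constructed sample credentials for this example; they are not real AWS keys.
SAMPLE_ACCESS_KEY = "AKIAEXAMPLEEXAMPLE00"
SAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

STS_URL = "https://sts.amazonaws.com/"
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def sign_get_caller_identity(access_key, secret_key, session_token=None,
                             server_id=None, region="us-east-1", now=None):
    """Headers of a SigV4-signed sts:GetCallerIdentity POST (what the AWS SDK
    signer produces). Nothing is sent from here: Vault forwards the request
    to STS itself and relies on STS to validate the signature."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date, date_stamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")

    headers = {
        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
        "Host": "sts.amazonaws.com",
        "X-Amz-Date": amz_date,
    }
    if session_token:  # temporary credentials (instance profiles, assumed roles)
        headers["X-Amz-Security-Token"] = session_token
    if server_id:
        # Vault only honours this header when the signature covers it,
        # so it is added before signing, never after.
        headers["X-Vault-AWS-IAM-Server-ID"] = server_id

    # Canonical headers: lowercased names, collapsed whitespace, sorted by name.
    canonical = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    canonical_headers = "".join("%s:%s\n" % kv for kv in canonical)
    signed_headers = ";".join(k for k, _ in canonical)
    canonical_request = "\n".join(
        ["POST", "/", "", canonical_headers, signed_headers, _sha256_hex(STS_BODY)])
    scope = "%s/%s/sts/aws4_request" % (date_stamp, region)
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request)])

    # The signing key is derived per day, region and service from the secret key.
    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + secret_key).encode("utf-8"),
                                        date_stamp), region), "sts"), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"),
                         hashlib.sha256).hexdigest()
    headers["Authorization"] = (
        "AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s"
        % (access_key, scope, signed_headers, signature))
    return headers


def _b64(text):
    # b64encode takes and returns bytes; decode to str so json.dumps accepts it
    # (the Python 2 vs 3 snag mentioned in the thread).
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def build_vault_iam_login(role, access_key, secret_key, **signer_kwargs):
    """JSON body for POST /v1/auth/aws/login using the iam auth type."""
    headers = sign_get_caller_identity(access_key, secret_key, **signer_kwargs)
    # Vault's CLI marshals Go's http.Header, so every header value is a list.
    header_json = json.dumps({k: [v] for k, v in headers.items()})
    return {
        "role": role,
        "iam_http_request_method": "POST",
        "iam_request_url": _b64(STS_URL),
        "iam_request_body": _b64(STS_BODY),
        "iam_request_headers": _b64(header_json),
    }


def decode_login_payload(payload):
    """Undo the base64/JSON wrapping so the request can be reviewed or logged."""
    d = lambda s: base64.b64decode(s).decode("utf-8")
    headers = {k: v[0] for k, v in json.loads(d(payload["iam_request_headers"])).items()}
    return (payload["iam_http_request_method"], d(payload["iam_request_url"]),
            d(payload["iam_request_body"]), headers)


def server_id_is_signed(headers, expected_server_id):
    """Mirror Vault's replay check: the server ID must match and must be listed
    in SignedHeaders, otherwise it could be bolted onto a request signed elsewhere."""
    if headers.get("X-Vault-AWS-IAM-Server-ID") != expected_server_id:
        return False
    for part in headers.get("Authorization", "").split(", "):
        if part.startswith("SignedHeaders="):
            return "x-vault-aws-iam-server-id" in part.split("=", 1)[1].split(";")
    return False
```

Send the dict returned by build_vault_iam_login as the JSON body of a POST to /v1/auth/aws/login, and build it right before use: STS rejects a request whose X-Amz-Date is too far from its own clock, so a payload cannot be prepared long in advance. server_id_is_signed shows the point of Joel's last answer from Vault's side: a server ID header appended to an already-signed request is absent from SignedHeaders, so it is rejected even though its value matches.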
