AWS IAM AUTH - Creating Role - The security token included in the request is invalid.


weva...@gmail.com

Aug 31, 2018, 4:24:37 PM
to Vault
Hi All, I'm currently following https://www.vaultproject.io/docs/auth/aws.html attempting to create a role for AWS IAM authentication.

When attempting to configure the policies on the role via the CLI, I receive the error below:

vault write auth/aws/role/dev-role-iam auth_type=iam bound_iam_principal_arn=arn:aws:iam::Redacted:role/VAULT_POC_ROLE policies=prod,dev max_ttl=500h

* unable to resolve ARN "arn:aws:iam::Redacted:role/VAULT_POC_ROLE" to internal ID: unable to fetch current caller: InvalidClientTokenId: The security token included in the request is invalid.
        status code: 403, request id: cba4ff87-ad5a-11e8-8776-bb57a52c522c


I've researched this issue over the course of a few days, and much of my research points towards it being an IAM MFA issue, suggesting that I provide MFA credentials in the request. I have not been able to verify any element of the API that supports passing in MFA credentials.

Can anyone point me in the right direction here?

Thanks!

Joel Thompson

Aug 31, 2018, 6:57:20 PM
to vault...@googlegroups.com
Hi,

That error generally means that you haven't given Vault valid AWS credentials to communicate with AWS. Can you confirm how you are configuring Vault with AWS credentials?

Thanks,

--Joel

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/0d5b0d78-566e-47d4-a4e0-880db75f7091%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Wesley Evans

Aug 31, 2018, 7:42:47 PM
to vault...@googlegroups.com
Thanks for the response. 

I am providing the secret key and access key via an earlier step in the referenced workflow: 


$ vault write auth/aws/config/client secret_key=vCtSM8ZUEQ3mOFVlYPBQkf2sO6F/W7a5TVzrl3Oj access_key=VKIAJBRHKH6EVTTNXDHA

I'm currently extracting the access_key and secret_key from the EC2 instance metadata via curl http://169.254.169.254/latest/meta-data/iam/security-credentials/rolename


Phil Frost

Aug 31, 2018, 9:48:44 PM
to vault...@googlegroups.com
The credentials from an EC2 instance profile have an access key, a secret key, and a token. You're missing the token, hence the error.

https://www.vaultproject.io/docs/auth/aws.html#via-the-cli says:

"If not specified, Vault will attempt to use standard environment variables (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) or IAM EC2 instance role credentials if available."

This is the easiest route, since the credentials are temporary and will expire. If you leave it to the default credential discovery logic to get the credentials, it will get new credentials automatically.

Wesley Evans

Sep 1, 2018, 11:06:31 AM
to vault...@googlegroups.com
Thanks for the suggestion; however, even when adding the token with security_token="token" along with the access key and secret key, the issue persists.

This is what led me to suspect MFA instead of an issue with the token directly.



Joel Thompson

Sep 1, 2018, 2:08:47 PM
to vault...@googlegroups.com
Vault's config/client method doesn't accept a security_token parameter. (These credentials are temporary and expiring, and so you'd need some process to update them on a regular basis if Vault did accept the security_token.)

If you are running Vault on the EC2 instance, you should be able to simply unset these variables, i.e.:

vault write auth/aws/config/client access_key= secret_key=

and then Vault will read the credentials directly out of the EC2 instance metadata.

--Joel
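As an added example (not from this thread and not Vault's own code), the check below inspects a credential document of the shape the EC2 instance metadata endpoint returns and picks the config/client write that matches it: instance-profile credentials always carry a session token, which config/client cannot accept, so for those the keys are cleared and Vault is left to use the instance role itself. The JSON documents, key IDs and secrets are constructed placeholders.

```python
import json

# Constructed sample of /latest/meta-data/iam/security-credentials/<rolename>
# output for an instance profile (all values are fake).
SAMPLE_INSTANCE_PROFILE_DOC = json.dumps({
    "Code": "Success",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE01",
    "SecretAccessKey": "EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret0",
    "Token": "EXAMPLEsessionTokenEXAMPLE==",
    "Expiration": "2018-09-01T00:00:00Z",
})

# Constructed sample of long-term IAM user keys (no session token).
SAMPLE_IAM_USER_DOC = json.dumps({
    "AccessKeyId": "AKIAEXAMPLEEXAMPLE01",
    "SecretAccessKey": "EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret1",
})


def classify_credentials(doc_json):
    """Return 'temporary', 'long-term' or 'malformed' for a credential document."""
    creds = json.loads(doc_json)
    key_id = creds.get("AccessKeyId", "")
    if not key_id or not creds.get("SecretAccessKey"):
        return "malformed"
    # STS-issued keys (instance profiles, assumed roles) come with a session
    # token and use the ASIA prefix; IAM user keys (AKIA) need no token.
    if creds.get("Token") or key_id.startswith("ASIA"):
        return "temporary"
    return "long-term"


def vault_client_config(doc_json):
    """Build the auth/aws/config/client argv that fits the credential type."""
    creds = json.loads(doc_json)
    kind = classify_credentials(doc_json)
    if kind == "temporary":
        # config/client has no security_token parameter, so writing only the
        # access and secret key of a temporary credential fails with
        # InvalidClientTokenId. Clear the keys so Vault reads (and refreshes)
        # the instance role credentials from the metadata service itself.
        return ["vault", "write", "auth/aws/config/client", "access_key=", "secret_key="]
    if kind == "long-term":
        return ["vault", "write", "auth/aws/config/client",
                "access_key=" + creds["AccessKeyId"],
                "secret_key=" + creds["SecretAccessKey"]]
    raise ValueError("credential document lacks AccessKeyId or SecretAccessKey")
```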

Wesley Evans

Sep 4, 2018, 9:22:20 AM
to vault...@googlegroups.com
Hey thanks for the help! This resolved the issue.
