Hashicorp Vault AWS Auth backend for IAM user with valid signature is not working


siddheshwar more

Nov 27, 2017, 10:57:56 AM
to Vault
I'm working on HashiCorp Vault, using the AWS auth backend with AWS IAM.

Problem Statement - 

I'm getting the error below when running the vault write auth/aws/login role=dev-role-iam command:

Error writing data to auth/aws/login: Error making API request.

Code: 400. Errors:

* error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>SignatureDoesNotMatch</Code>
    <Message>The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.</Message>
  </Error>
  <RequestId>c4aee143-d37c-11e7-9fd6-99a4a8d95498</RequestId>
</ErrorResponse>

Command- 
vault write auth/aws/login role=dev-role-iam \
        iam_http_request_method=POST \
        iam_request_url=aHR0cHM6Ly9zdHMuYW1hem9uYXdzLmNvbS8= \
        iam_request_body=QWN0aW9uPUdldENhbGxlcklkZW50aXR5JlZlcnNpb249MjAxMS0wNi0xNQ== \
        iam_request_headers=...

{"Authorization":["AWS4-HMAC-SHA256 Credential=AKIMRZSJ2Q4VAIAAJKZF/20171127/us-east-1/sts/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-vault-aws-iam-server-id, Signature=4bfe0c1533d4687b589b5937eca8a65703dcb58616e2b32c2f09e4ee2905cadf"],"Content-Length":["43"],"Content-Type":["application/x-www-form-urlencoded; charset=utf-8"],"User-Agent":["aws-sdk-go/1.12.23 (go1.9.2; linux; amd64)"],"X-Amz-Date":["20171127T140901Z"],"X-Vault-Aws-Iam-Server-Id":["vault.example.com"]}


Debugging the access_key/secret_key
When I use the signature generated by Vault, the above command works fine (with the same access_key/secret_key).
To get the signature generated by Vault, this is the command:    ./vault auth -method=aws header_value=vault.example.com role=dev-role-iam
I put some logs at https://github.com/hashicorp/vault/blob/master/builtin/credential/aws/cli.go#L71 and built the vault binary locally.

siddheshwar more

Nov 27, 2017, 4:19:48 PM
to Vault
I've been able to find out how Vault generates the signature - https://github.com/aws/aws-sdk-go/blob/master/aws/signer/v4/v4.go#L654-L662

Is there any Ruby code/SDK support which does this?

Joel Thompson

Jan 1, 2018, 8:02:22 PM
to vault...@googlegroups.com
Hi,

I realize this is a bit old, but hopefully this can still help!

It's hard to say why you were getting that particular error without knowing the exact script you ran because there's a lot of subtlety in AWS request signing. I think this is a more concise way of generating the values you need in the format Vault expects, using the AWS SDK for Ruby to do the heavy lifting: https://gist.github.com/joelthompson/378cbe449d541debf771f5a6a171c5ed#file-vault_aws_auth-rb

Sample usage showing that it outputs the data in the format Vault expects:


$ ME=$(aws sts get-caller-identity --query "Arn" --output text)
$ vault auth-enable aws
2018/01/01 17:37:54.102015 [INFO ] core: enabled credential backend: path=aws/ type=aws
Successfully enabled 'aws' at 'aws'!
$ vault write auth/aws/role/joel bound_iam_principal_arn=$ME
Success! Data written to: auth/aws/role/joel
$ ./vault_aws_auth.rb | xargs vault write auth/aws/login role=joel
Key                             Value
---                             -----
token                           ee137d0e-fc31-6180-b92e-cf7a5020d7a3
token_accessor                  975c7389-d1b5-9c33-d083-18d53977b217
token_duration                  768h0m0s
token_renewable                 true
token_policies                  [default]
token_meta_account_id           "123456789012"
token_meta_auth_type            "iam"
token_meta_canonical_arn        "arn:aws:iam::123456789012:user/user"
token_meta_client_arn           "arn:aws:iam::123456789012:user/user"
token_meta_client_user_id       "AIDAXXXXXXXXXXXX"
token_meta_inferred_aws_region  ""
token_meta_inferred_entity_id   ""
token_meta_inferred_entity_type ""


--Joel

To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/7d78a3dc-e8bf-44d2-a50a-e9ed91d174fd%40googlegroups.com.