vault aws auth method without access_key and secret key


jej9...@gmail.com

Jan 22, 2019, 3:32:20 PM
to Vault
I am new to Vault and trying to migrate from token authentication to AWS auth via the iam auth type - however, company policy prevents the use of the access_key and secret_key. I am following the CLI steps from here: https://www.vaultproject.io/docs/auth/aws.html - except I omitted the write of the keys - so I did the following:

vault auth enable aws
vault write auth/aws/role/dev-role-iam auth_type=iam bound_iam_principal_arn=arn:aws:iam::203948755:role/MyAwsRole policies=prod max_ttl=500

I did not write the server header id as it appears to be optional.

This does not seem to be working, and indeed it looks too sparse for it to work. Could anyone suggest the step(s) I am missing?

Thanks in advance for all assistance.

Jeff Mitchell

Jan 22, 2019, 3:34:20 PM
to Vault
Hi there,

Vault will look for creds in access_key/secret_key, environment variables, ~/.aws/credentials, and IAM instance profile in that order. If things aren't working, perhaps one of those other values is populated, or you have no instance profile assigned?

Best,
Jeff

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/be29b72c-68d8-49c4-b6a0-51225741e0e1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

jej9...@gmail.com

Jan 22, 2019, 3:52:40 PM
to Vault
Thanks Jeff;

Here's what a test looks like:

vault login -method=aws role=dev-role-iam
Error authenticating: failed to retrieve credentials from credential chain: NoCredentialProviders: no valid providers in chain. Deprecated.
        For verbose messaging see aws.Config.CredentialsChainVerboseErrors

This appears to me to mean a search for keys was executed (even though this is not what I wanted)?

Pardon my lack of knowledge here :)

Jeff Mitchell

Jan 22, 2019, 4:05:37 PM
to Vault
Hi there,

The credential chain comes from the AWS SDK, and it's those four things I mentioned. It seems like you have no credentials in any of those four locations, so it can't auth.

Best,
Jeff

jej9...@gmail.com

Jan 23, 2019, 11:43:17 AM
to Vault
Thanks Jeff,

The ECS task role is included in the chain, correct?

"This assumes you have AWS credentials configured in the standard locations AWS SDKs search for credentials (environment variables, ~/.aws/credentials, IAM instance profile, or ECS task role, in that order)."

J

Stephen J. Butler

Jan 23, 2019, 11:49:52 AM
to vault...@googlegroups.com
Yes, I've used it with the ECS task role.
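An added diagnostic (my own example, not Vault's code and not posted by anyone in this thread) that walks the SDK credential chain in the order Jeff and the quoted docs describe and reports the first source that would satisfy `vault login -method=aws`, which is what the `NoCredentialProviders` error says it could not find. The function name `aws_cred_source` and the `PROBE_IMDS` switch are my own; the instance-profile probe is off by default so the script runs offline.

```shell
#!/usr/bin/env sh
# Walk the AWS SDK default credential chain as Vault's aws auth method sees it:
#   env vars -> shared credentials file -> ECS task role -> EC2 instance profile.
# Prints the first provider that would be used, or "none" (exit 1) if the chain
# is empty, which is the situation behind "NoCredentialProviders".
aws_cred_source() {
  # 1. Environment variables
  if [ -n "$AWS_ACCESS_KEY_ID" ] && [ -n "$AWS_SECRET_ACCESS_KEY" ]; then
    echo "env"; return 0
  fi
  # 2. Shared credentials file; profile comes from AWS_PROFILE, default "default"
  f="${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
  p="${AWS_PROFILE:-default}"
  if [ -r "$f" ] && awk -v p="[$p]" '
        $0 == p { in_p = 1; next }
        /^\[/   { in_p = 0 }
        in_p && $1 ~ /^aws_access_key_id/ { found = 1 }
        END { exit found ? 0 : 1 }' "$f"; then
    echo "shared-file"; return 0
  fi
  # 3. ECS task role: the ECS agent sets this URI inside the task's containers
  if [ -n "$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" ]; then
    echo "ecs-task-role"; return 0
  fi
  # 4. EC2 instance profile via the instance metadata service (opt-in probe)
  if [ "${PROBE_IMDS:-0}" = "1" ] && curl -sf -m 1 \
       http://169.254.169.254/latest/meta-data/iam/security-credentials/ >/dev/null 2>&1; then
    echo "instance-profile"; return 0
  fi
  echo "none"; return 1
}
```

Run it in the same shell (and, for ECS, the same container) that will execute `vault login`, since the chain is evaluated from that process's environment.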

Jay Johnson

Jan 23, 2019, 2:05:25 PM
to vault...@googlegroups.com