ec2 auth with auth/aws/login fails


t...@convoy.com

Feb 1, 2019, 7:54:45 PM
to Vault
We're seeing the following error when doing `vault write auth/aws/login`

```

Error writing data to auth/aws/login: Error making API request.

Code: 400. Errors:

* failed to verify instance ID: error fetching description for instance ID "i-xxx": AuthFailure: AWS was not able to validate the provided access credentials
        status code: 401, request id: 80e1cc4c-c723-42dd-96c8-9e09a5c56002
```

Has anyone seen this before? Nothing has changed on our end, so we're unsure why this is happening all of a sudden.

We're running Vault (0.10.1) in HA mode with Consul backend

t...@convoy.com

Feb 1, 2019, 8:17:37 PM
to Vault
Turned out our Vault master had a clock drift. After syncing the clock, login works again.

Joel Thompson

Feb 1, 2019, 8:18:56 PM
to Vault
Hi,

When you use the ec2 auth method, Vault needs to authenticate with AWS to validate that the EC2 instance ID corresponds to a valid EC2 instance. Your error message indicates that Vault is unable to authenticate with AWS when trying to validate the caller's instance ID. There are a number of reasons this could be, including: you've configured a bad AWS access key/secret key, the credentials you had configured Vault with have been revoked, the system clock on your Vault instance has drifted, etc. It's impossible to say without more information.

Hope this helps!

--Joel
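
A triage helper for the failure discussed in this thread, added here as an example and not part of any post or of Vault itself: it parses the `auth/aws/login` error text, measures the Vault server's clock against an HTTP `Date` header captured on that host from a trusted endpoint, and separates clock drift from the credential causes. The function names, the result labels and the 300-second tolerance are assumptions; the sample error is constructed from the one quoted above with a placeholder request id.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumption: tolerance AWS applies to the signed request timestamp. Not stated
# in the thread; set it from the AWS documentation for the API in use.
MAX_SKEW_SECONDS = 300

# Constructed sample modelled on the error quoted in the thread.
SAMPLE_ERROR = (
    '* failed to verify instance ID: error fetching description for instance ID '
    '"i-xxx": AuthFailure: AWS was not able to validate the provided access '
    'credentials\n\tstatus code: 401, request id: 00000000-0000-0000-0000-000000000000'
)

ERROR_RE = re.compile(
    r'instance ID "(?P<instance>[^"]+)": (?P<code>\w+): .*?'
    r'status code: (?P<status>\d+), request id: (?P<request_id>[0-9a-f-]+)',
    re.DOTALL,
)

def parse_login_error(text):
    """Extract the AWS-side fields from Vault's auth/aws/login error text."""
    m = ERROR_RE.search(text)
    if m is None:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields

def clock_skew_seconds(http_date_header, local_now):
    """Signed skew: local clock minus the time in a remote HTTP Date header."""
    remote = parsedate_to_datetime(http_date_header)
    return (local_now - remote).total_seconds()

def triage(error_text, http_date_header, local_now, max_skew=MAX_SKEW_SECONDS):
    """Separate clock drift from credential problems for an AWS AuthFailure."""
    fields = parse_login_error(error_text)
    if fields is None or fields["code"] != "AuthFailure":
        return "not-an-aws-authfailure", None
    skew = clock_skew_seconds(http_date_header, local_now)
    if abs(skew) > max_skew:
        return "clock-drift-on-vault-host", skew
    return "check-configured-aws-credentials", skew
```

`local_now` must be a timezone-aware datetime taken on the Vault server, since that is the host whose requests AWS rejects.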
