arn:aws:iam::123456789012:role/vault-ec2-role
{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::vault-resources", "arn:aws:s3:::vault-data" ] }, { "Sid": "", "Effect": "Allow", "Action": [ "s3:List*", "s3:Get*" ], "Resource": "arn:aws:s3:::vault-resources/resources/*" }, { "Sid": "", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ], "Resource": "arn:aws:s3:::vault-data/*" }, { "Sid": "", "Effect": "Allow", "Action": "dynamodb:*", "Resource": [ "arn:aws:dynamodb:eu-west-1:123456789012:table/vault-ha-coordination/*", "arn:aws:dynamodb:eu-west-1:123456789012:table/vault-ha-coordination" ] }, { "Sid": "", "Effect": "Allow", "Action": [ "kms:Encrypt", "kms:DescribeKey", "kms:Decrypt" ], "Resource": "arn:aws:kms:eu-west-1:123456789012:key/xxxxx-yyyyy-abcd-1234-567890" } ]}
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "iam:GetRole", "sts:AssumeRole", "ec2:DescribeInstances", "iam:GetInstanceProfile", "iam:GetUser", "sts:GetCallerIdentity" ], "Resource": "*" } ]}
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::user-data-deploy" ] }, { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::user-data-deploy/*" ] } ]}
{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetReplicationConfiguration" ], "Resource": "arn:aws:s3:::vault-data" }, { "Sid": "", "Effect": "Allow", "Action": [ "s3:GetObjectVersionAcl", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::vault-data/*" }, { "Sid": "", "Effect": "Allow", "Action": [ "s3:ReplicateObject", "s3:ReplicateDelete" ], "Resource": "arn:aws:s3:::vault-data-dr/*" } ]}
{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetReplicationConfiguration" ], "Resource": "arn:aws:s3:::vault-resources" }, { "Sid": "", "Effect": "Allow", "Action": [ "s3:GetObjectVersionAcl", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::vault-resources/resources/*" }, { "Sid": "", "Effect": "Allow", "Action": [ "s3:ReplicateObject", "s3:ReplicateDelete" ], "Resource": "arn:aws:s3:::vault-resources-dr/resources/*" } ]}
$ vault auth enable aws
Success! Enabled aws auth method at: aws/
$ vault write auth/aws/role/xy auth_type=iam policies=policy max_ttl=180h bound_iam_principal_arn=arn:aws:iam::123456789012:*
Success! Data written to: auth/aws/role/xy
$ vault login -method=aws header_value=https://vault.domain.net role=xy
Error authenticating: Error making API request.
URL: PUT https://domain.net/v1/auth/aws/login
Code: 400. Errors:
* error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<Error>
<Type>Sender</Type>
<Code>SignatureDoesNotMatch</Code>
<Message>Credential should be scoped to a valid region, not 'eu-west-1'. </Message>
</Error>
<RequestId>x-y-z-a-bcde</RequestId>
</ErrorResponse>
$ printenv | grep AWS
AWS_ACCESS_KEY=AKIA
AWS_SECRET_KEY=xyz
AWS_REGION=eu-west-1
$ vault login -method=aws header_value=https://vault.domain.net role=vault-ec2-role
Error authenticating: Error making API request.
Code: 400. Errors:
* error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/"> <Error> <Type>Sender</Type> <Code>SignatureDoesNotMatch</Code> <Message>Credential should be scoped to a valid region, not 'eu-west-1'. </Message> </Error>
<RequestId>1-2-3-4-5</RequestId></ErrorResponse>
$ vault login -method=aws header_value=https://vault.domain.net role=vault-ec2-role region=eu-west-1
Error authenticating: Error making API request.
Code: 400. Errors:
* error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/"> <Error> <Type>Sender</Type> <Code>SignatureDoesNotMatch</Code> <Message>Credential should be scoped to a valid region, not 'eu-west-1'. </Message> </Error>
<RequestId>1-2-3-4-5</RequestId></ErrorResponse>
$ vault login -method=aws header_value=https://vault.domain.net role=vault-ec2-role -region=eu-west-1
Error authenticating: Error making API request.
Code: 400. Errors:
* error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/"> <Error> <Type>Sender</Type> <Code>SignatureDoesNotMatch</Code> <Message>Credential should be scoped to a valid region, not 'eu-west-1'. </Message> </Error>
<RequestId>1-2-3-4-5</RequestId></ErrorResponse>
$ vault login -method=aws header_value=vault.domain.net role=vault-ec2-role
Error authenticating: Error making API request.
Code: 400. Errors:
* error looking up full ARN of entity &{aws 123456789012 user kamil.x_y }: error creating IAM client: unable to fetch current caller: SignatureDoesNotMatch: Credential should be scoped to a valid region, not 'ap-southeast-1'. status code: 403, request id: 308529fe-df7d-11e9-a831-811e2cea1d70
$ vault login -method=aws header_value=vault.domain.net role=x region=eu-west-1
Error authenticating: Error making API request.
URL: PUT https://vault.domain.net/v1/auth/aws/login
Code: 400. Errors:
* error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<Error>
<Type>Sender</Type>
<Code>SignatureDoesNotMatch</Code>
<Message>Credential should be scoped to a valid region, not 'eu-west-1'. </Message>
</Error>
<RequestId>b7f1a7a2-dfab-11e9-a411-d5eb5055ab90</RequestId>
</ErrorResponse>
$ vault login -method=aws header_value=vault.domain.net role=x region=eu-west-1
Error authenticating: Error making API request.
URL: PUT https://vault.domain.net/v1/auth/aws/login
Code: 400. Errors:
* error looking up full ARN of entity &{aws 123456789012 user kamil.x_y }: error creating IAM client: unable to fetch current caller: SignatureDoesNotMatch: Credential should be scoped to a valid region, not 'ap-southeast-1'.
status code: 403, request id: ce131761-dfab-11e9-a12d-d390132286d5
$ vault read auth/aws/role/x
Key Value
--- -----
allow_instance_migration false
auth_type iam
bound_account_id [123456789012]
bound_ami_id []
bound_ec2_instance_id <nil>
bound_iam_instance_profile_arn []
bound_iam_principal_arn [arn:aws:iam::123456789012:role/*]
bound_iam_principal_id []
bound_iam_role_arn []
bound_region []
bound_subnet_id []
bound_vpc_id []
disallow_reauthentication false
inferred_aws_region eu-west-1
inferred_entity_type ec2_instance
max_ttl 180h
policies [x]
resolve_aws_unique_ids true
role_id 1-2-3-4-5
role_tag n/a
token_bound_cidrs []
token_explicit_max_ttl 0s
token_max_ttl 180h
token_no_default_policy false
token_num_uses 0
token_period 0s
token_policies [devops]
token_ttl 0s
token_type default
Yes, both are 1.2.1. The server is running in AWS while the client is on my laptop.
$ printenv | grep AWS
AWS_REGION=us-east-1
$ vault auth enable aws
Success! Enabled aws auth method at: aws/
$ vault write auth/aws/config/client secret_key=xyz access_key=abcd
Success! Data written to: auth/aws/config/client
$ vault write auth/aws/role/role_name_corresponding_to_the_one_in_aws auth_type=iam policies=policy max_ttl=180h bound_iam_principal_arn=arn:aws:iam::123456789012:role/*
Success! Data written to: auth/aws/role/role_name_corresponding_to_the_one_in_aws
$ vault login -method=aws role=role_name_corresponding_to_the_one_in_aws header_value=vault.domain.net
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
WARNING! The following warnings were returned from Vault:
* TTL of "192h0m0s" exceeded the effective max_ttl of "180h0m0s"; TTL value is capped accordingly
Key Value
--- -----
token s.dssdfsdf
token_accessor sdsdfdfge
token_duration 180h
token_renewable true
token_policies ["default" "policy"]
identity_policies []
policies ["default" "policy"]
token_meta_client_arn arn:aws:sts::123456789012:assumed-role/role_name_corresponding_to_the_one_in_aws/i-0123sdsdf
token_meta_client_user_id AROXXX
token_meta_inferred_entity_id n/a
token_meta_inferred_entity_type n/a
token_meta_role_id asdsadasd-asasd-asdasd-asdasd-asdasd
token_meta_account_id 123456789012
token_meta_auth_type iam
token_meta_canonical_arn arn:aws:iam::123456789012:role/role_name_corresponding_to_the_one_in_aws
token_meta_inferred_aws_region n/a
$ vault login -method=aws header_value=vault.domain.net role=role_name_corresponding_to_the_one_in_aws
Error authenticating: Error making API request.
Code: 400. Errors:
* IAM Principal "arn:aws:iam::123456789012:user/kamil.x_y" does not belong to the role "role_name_corresponding_to_the_one_in_aws"
$ vault delete auth/aws/role/role_name_corresponding_to_the_one_in_aws
Success! Data deleted (if it existed) at: auth/aws/role/role_name_corresponding_to_the_one_in_aws
$ vault delete auth/aws/role/xyz
Success! Data deleted (if it existed) at: auth/aws/role/xyz
$ vault read auth/aws/role/xyz
Key Value
--- -----
allow_instance_migration false
auth_type iam
bound_account_id []
bound_ami_id []
bound_ec2_instance_id <nil>
bound_iam_instance_profile_arn []
bound_iam_principal_arn [arn:aws:iam::123456789012:role/*]
bound_iam_principal_id []
bound_iam_role_arn []
bound_region []
bound_subnet_id []
bound_vpc_id []
disallow_reauthentication false
inferred_aws_region n/a
inferred_entity_type n/a
max_ttl 180h
policies [xyz]
resolve_aws_unique_ids true
role_id 2a17f9b5-fb16-f783-36f6-3e74227c95fc
role_tag n/a
token_bound_cidrs []
token_explicit_max_ttl 0s
token_max_ttl 180h
token_no_default_policy false
token_num_uses 0
token_period 0s
token_policies [xyz]
token_ttl 0s
token_type default
$ vault read auth/aws/role/role_name_corresponding_to_the_one_in_aws
Key Value
--- -----
allow_instance_migration false
auth_type iam
bound_account_id []
bound_ami_id []
bound_ec2_instance_id <nil>
bound_iam_instance_profile_arn []
bound_iam_principal_arn [arn:aws:iam::123456789012:role/role_name_corresponding_to_the_one_in_aws]
bound_iam_principal_id [AROXXX]
bound_iam_role_arn []
bound_region []
bound_subnet_id []
bound_vpc_id []
disallow_reauthentication false
inferred_aws_region n/a
inferred_entity_type n/a
max_ttl 180h
policies [xyz]
resolve_aws_unique_ids true
role_id 344dca2a-3763-ac98-c318-7643dca8acad
role_tag n/a
token_bound_cidrs []
token_explicit_max_ttl 0s
token_max_ttl 180h
token_no_default_policy false
token_num_uses 0
token_period 0s
token_policies [xyz]
token_ttl 0s
token_type default
$ vault login -method=aws role=x-y-vault-ec2-role header_value=vault.domain.net
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
WARNING! The following warnings were returned from Vault:
* TTL of "192h0m0s" exceeded the effective max_ttl of "180h0m0s"; TTL value
is capped accordingly
Key Value
--- -----
token s.sdff
token_accessor sdfsdf
token_duration 180h
token_renewable true
token_policies ["default" "xyz"]
identity_policies []
policies ["default" "xyz"]
token_meta_inferred_entity_type n/a
token_meta_role_id 344dca2a-3763-ac98-c318-7643dca8acad
token_meta_auth_type iam
token_meta_canonical_arn arn:aws:iam::123456789012:role/role_name_corresponding_to_the_one_in_aws
token_meta_client_arn arn:aws:sts::123456789012:assumed-role/role_name_corresponding_to_the_one_in_aws/i-sdfdfds
token_meta_client_user_id AROXXXX
token_meta_inferred_entity_id n/a
token_meta_account_id 123456789012
token_meta_inferred_aws_region n/a
$ vault login -method=aws header_value=vault.domain.net role=x-y-vault-ec2-role
Error authenticating: Error making API request.
Code: 400. Errors:
* IAM Principal "arn:aws:iam::123456789012:user/kamil.x_y" does not belong to the role "x-y-vault-ec2-role"
$ aws iam list-attached-role-policies --role-name role_name_corresponding_to_the_one_in_aws
{ "AttachedPolicies": [ { "PolicyName": "x-y-vault-ec2-policy", "PolicyArn": "arn:aws:iam::123456789012:policy/x-y-vault-ec2-policy" }, { "PolicyName": "x-y-vault-aws-auth-policy", "PolicyArn": "arn:aws:iam::123456789012:policy/x-y-vault-aws-auth-policy" }, { "PolicyName": "x-y-vault-user-data-policy", "PolicyArn": "arn:aws:iam::123456789012:policy/x-y-vault-user-data-policy" }, { "PolicyName": "x-y-vault-aws-auth-policy-2", "PolicyArn": "arn:aws:iam::123456789012:policy/x-y-vault-aws-auth-policy-2" } ]}
$ aws iam list-attached-user-policies --user-name kamil.x_y
{ "AttachedPolicies": [ { "PolicyName": "AdministratorAccess", "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess" }, { "PolicyName": "IAMUserChangePassword", "PolicyArn": "arn:aws:iam::aws:policy/IAMUserChangePassword" }, { "PolicyName": "Vault-any-role-access", "PolicyArn": "arn:aws:iam::123456789012:policy/Vault-any-role-access" }, { "PolicyName": "x-y-vault-ec2-policy", "PolicyArn": "arn:aws:iam::123456789012:policy/x-y-vault-ec2-policy" }, { "PolicyName": "x-y-vault-aws-auth-policy", "PolicyArn": "arn:aws:iam::123456789012:policy/x-y-vault-aws-auth-policy" }, { "PolicyName": "x-y-vault-user-data-policy", "PolicyArn": "arn:aws:iam::123456789012:policy/x-y-vault-user-data-policy" }, { "PolicyName": "x-y-vault-aws-auth-policy-2", "PolicyArn": "arn:aws:iam::123456789012:policy/x-y-vault-aws-auth-policy-2" } ]}
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole",
"Resource": "*" } ]}
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
"Action": [ "iam:GetRole", "iam:GetUser" ], "Resource": [ "arn:aws:iam::*:user/*", "arn:aws:iam::*:role/*" ] } ]}
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [
"sts:GetCallerIdentity", "sts:AssumeRole" ], "Resource": "*" } ]}
{ "Role": { "Description": "allows the vault ec2 nodes to access resources", "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": [ ] } } ] }, "MaxSessionDuration": 3600, "RoleId": "AROXXX", "CreateDate": "2019-09-05T14:41:26Z", "Tags": [ { "Value": "x-y", "Key": "Environment" }, { "Value": "domain.net", "Key": "Environment-FQDN" }, { "Value": "terraform", "Key": "Managed_by" }, { "Value": "services", "Key": "EnvironmentType" }, { "Value": "xyz", "Key": "Owner" } ], "RoleName": "x-y-vault-ec2-role", "Path": "/", "Arn": "arn:aws:iam::123456789012:role/x-y-vault-ec2-role" }}
$ vault write auth/aws/role/x auth_type=iam policies=devops max_ttl=180h bound_iam_principal_arn=arn:aws:iam::123456789012:user/*
Success! Data written to: auth/aws/role/x
$ vault login -method=aws role=x header_value=vault.domain.net
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
WARNING! The following warnings were returned from Vault:
* TTL of "192h0m0s" exceeded the effective max_ttl of "180h0m0s"; TTL value
is capped accordingly
Key Value
--- -----
token s.asd
token_accessor asd
token_duration 180h
token_renewable true
token_policies ["default" "devops"]
identity_policies []
policies ["default" "devops"]
token_meta_inferred_entity_type n/a
token_meta_role_id be3cd697-f2bc-7dc8-6b31-4c5e8c44f4d5
token_meta_client_arn arn:aws:iam::123456789012:user/kamil.x_y
token_meta_inferred_entity_id n/a
token_meta_canonical_arn arn:aws:iam::123456789012:user/kamil.x_y
token_meta_client_user_id AIDAXXXX
token_meta_inferred_aws_region n/a
token_meta_account_id 123456789012
token_meta_auth_type iam
$ vault write auth/aws/role/x auth_type=iam policies=devops max_ttl=180h bound_iam_principal_arn=arn:aws:iam::123456789012:user/kamil.x_y