Confused around Vault AWS IAM Auth Backend


joshwr...@gmail.com
Jul 10, 2017, 4:31:41 AM
to Vault
Hello All.

I am confused around the Vault IAM Auth Backend and I am struggling to get it working. I keep getting a `SignatureDoesNotMatch` error. I think it is to do with the iam_request_headers I am supplying, but I am not entirely sure how to generate the correct values for this.

Any Help would be much appreciated. 

Thank You 

Joel Thompson
Jul 10, 2017, 9:58:40 AM
to vault...@googlegroups.com
Hi,

It's somewhat complicated, and the best suggestion I have is to use the AWS SDKs in your language of choice to generate them for you. Here are a couple of samples of how to generate them in Go (https://github.com/hashicorp/vault/blob/master/builtin/credential/aws/cli.go -- the Vault CLI itself) and Python 2 and 3 (https://gist.github.com/joelthompson/378cbe449d541debf771f5a6a171c5ed).

The actual details of how to generate them yourself (and what the SDKs are doing under the hood for you) are in the Amazon docs at http://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html -- but I suggest trying to get the AWS SDK in your language of choice to just generate the headers for you.

Hope this helps,

--Joel


anillingutla
Dec 1, 2017, 5:30:14 PM
to Vault
Joel, I am new to Vault development. I am trying to find out options to generate iam_request_headers and what the absolutely needed variables are to generate the signed headers. If there is any Java API I might use, it will shorten my development. Vault documentation absolutely skips this information for a newbie.

Joel Thompson
Dec 4, 2017, 1:30:12 AM
to vault...@googlegroups.com
In terms of "What are the absolutely needed variables to generate the signed headers?", the short and literal answer is, "Whatever it takes to get AWS to accept the request when Vault forwards it on to AWS." I realize that's probably not too helpful to you, but it's important to understand that Vault just forwards these on to AWS and depends entirely on AWS to validate them (with the exception of the X-Vault-AWS-IAM-Server-ID header, which Vault validates but relies on AWS to validate the signature). So, the definitive answer is in the AWS documentation at http://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html -- but I realize it's pretty hard to follow.

As for Java, I unfortunately have very little experience with the AWS Java SDK, so I can't help much, but I suspect that there are methods in the AWS Java SDK that handle the request signing and header generation for you. That's what the Python and Go examples I mentioned earlier do, and so I would think that the AWS Java SDK does something similar for you.

Another option would be to just shell out to the Vault CLI which already does this for you -- it might not be the prettiest option, but it might also just work so you don't have to worry about the intricacies of the AWS authentication protocol.

Hope this helps, and let me know if you have more questions!

--Joel
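Both of Joel's replies point at the AWS SigV4 signing docs and at SDK-generated headers. The following is an added, stdlib-only example (not the Vault CLI's code, not Joel's gist, and not an official AWS SDK) that walks the SigV4 steps from those docs for the one request the auth method needs: a signed `sts:GetCallerIdentity` POST, packaged into the `iam_request_*` fields Vault's `auth/aws/login` endpoint expects. It shows what the SDKs do under the hood and why the `X-Vault-AWS-IAM-Server-ID` header has to be part of the signed set. The access key, secret, date and server ID used in the usage section are constructed placeholders; `sts.amazonaws.com` and the `us-east-1`/`sts` scope are the global STS endpoint this example assumes.

```python
"""SigV4-sign sts:GetCallerIdentity and build the Vault AWS IAM login payload.

Added example, stdlib only. Follows the canonical-request / string-to-sign /
signing-key steps from the AWS SigV4 documentation linked in the thread.
"""
import base64
import datetime
import hashlib
import hmac
import json

# The request Vault forwards to AWS on your behalf (global STS endpoint assumed).
STS_HOST = "sts.amazonaws.com"
STS_URL = f"https://{STS_HOST}/"
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"
STS_REGION = "us-east-1"
STS_SERVICE = "sts"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, datestamp: str, region: str, service: str) -> bytes:
    """Derive kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), datestamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_get_caller_identity(access_key: str, secret_key: str, now: datetime.datetime,
                             server_id: str = None, session_token: str = None) -> dict:
    """Return the full header set (including Authorization) for the STS request.

    server_id, if given, becomes X-Vault-AWS-IAM-Server-ID. Because it is
    included in SignedHeaders, a replayed payload cannot be redirected to a
    different Vault server without invalidating the signature.
    """
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    datestamp = now.strftime("%Y%m%d")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
        "Host": STS_HOST,
        "X-Amz-Date": amz_date,
    }
    if session_token:  # required when signing with temporary (STS/role) credentials
        headers["X-Amz-Security-Token"] = session_token
    if server_id:
        headers["X-Vault-AWS-IAM-Server-ID"] = server_id

    # Step 1: canonical request. Header names lower-cased, values trimmed, sorted by name.
    canonical = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in canonical)
    signed_headers = ";".join(k for k, _ in canonical)
    payload_hash = hashlib.sha256(STS_BODY.encode("utf-8")).hexdigest()
    canonical_request = "\n".join(["POST", "/", "", canonical_headers, signed_headers, payload_hash])

    # Step 2: string to sign, bound to the credential scope.
    scope = f"{datestamp}/{STS_REGION}/{STS_SERVICE}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])

    # Steps 3 and 4: derive the signing key and sign.
    key = signing_key(secret_key, datestamp, STS_REGION, STS_SERVICE)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["Authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


def _b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def vault_login_payload(headers: dict, role: str) -> dict:
    """Package the signed request the way the auth/aws/login endpoint expects it.

    Header values are wrapped in lists, matching the JSON shape the Vault CLI sends.
    """
    return {
        "role": role,
        "iam_http_request_method": "POST",
        "iam_request_url": _b64(STS_URL),
        "iam_request_body": _b64(STS_BODY),
        "iam_request_headers": _b64(json.dumps({k: [v] for k, v in headers.items()})),
    }


def decode_headers(payload: dict) -> dict:
    """Inverse of the iam_request_headers encoding, useful for inspecting a payload."""
    return json.loads(base64.b64decode(payload["iam_request_headers"]))


if __name__ == "__main__":
    # Constructed placeholder credentials and timestamp; not real keys.
    hdrs = sign_get_caller_identity(
        "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        datetime.datetime(2017, 7, 10, 4, 31, 41), server_id="vault.example.internal")
    print(json.dumps(vault_login_payload(hdrs, "dev-role"), indent=2))
```

POST the resulting JSON to `https://<vault>/v1/auth/aws/login`. If AWS answers `SignatureDoesNotMatch` (the error from the original post), the usual culprits are a header that was sent but left out of `SignedHeaders`, a value that differs between what was signed and what was sent, a clock more than a few minutes off, or signing with temporary credentials without `X-Amz-Security-Token`. Vault only checks the server ID header itself; everything else is validated by AWS, so the payload has to be acceptable to STS exactly as built.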
