vault aws iam auth in AWS GovCloud "Security token included in request is invalid" error

Meet vadaria

Feb 20, 2019, 3:28:54 PM
to Vault
Hi,
We are trying to set up the AWS IAM authentication method in GovCloud. We already have the same setup running in normal AWS regions (us-east-1, us-west-2). Following the same configuration is not working in GovCloud.
The error we are getting is "InvalidClientTokenId" from STS:


hvac.exceptions.InvalidRequest: error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>InvalidClientTokenId</Code>
    <Message>The security token included in the request is invalid</Message>
  </Error>
  <RequestId>3e86d0d4-354c-11e9-aad4-13cc37897601</RequestId>
</ErrorResponse>

We get the same error if we try to log in using the CLI.

We are following the same configuration as mentioned in the official documents here: https://www.vaultproject.io/docs/auth/aws.html

Has anyone ever configured this in GovCloud? Is this auth method available in GovCloud, or is it not included? Can someone please advise if there is special configuration required for GovCloud?

Thanks in advance!!!

- Meet

Joel Thompson

Feb 20, 2019, 5:08:55 PM
to Vault
Hi Meet,

I suspect that you'll need to set the sts_endpoint parameter (https://www.vaultproject.io/api/auth/aws/index.html#sts_endpoint) to the STS endpoint URL for STS in the GovCloud region you (and your clients) will be using.

--Joel
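
An added diagnostic example (not part of the thread, and not Vault or hvac code) for the mismatch the reply above points to: it reads the SigV4 credential scope from the base64 `iam_request_headers` login parameter and compares its region and partition with the STS endpoint Vault would forward the request to. The function names, the sample headers and the default-endpoint constant are assumptions made for this illustration.

```python
import base64
import json
import re
from urllib.parse import urlparse

# Assumption: with sts_endpoint unset, Vault forwards to the global commercial endpoint.
DEFAULT_STS_ENDPOINT = "https://sts.amazonaws.com"
SCOPE_RE = re.compile(r"Credential=[^/]+/\d{8}/([a-z0-9-]+)/sts/aws4_request")
HOST_RE = re.compile(r"sts(?:\.([a-z0-9-]+))?\.amazonaws\.com(?:\.cn)?")

def partition(region):
    """Map a region name to its AWS partition."""
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    return "aws-cn" if region.startswith("cn-") else "aws"

def signed_region(iam_request_headers_b64):
    """Region in the SigV4 credential scope of the client's signed request."""
    headers = json.loads(base64.b64decode(iam_request_headers_b64))
    for name, value in headers.items():
        if name.lower() == "authorization":
            value = value[0] if isinstance(value, list) else value
            match = SCOPE_RE.search(value)
            if match:
                return match.group(1)
    raise ValueError("no SigV4 credential scope for STS in headers")

def endpoint_region(sts_endpoint):
    """Region an STS endpoint URL serves; the global host is us-east-1."""
    match = HOST_RE.fullmatch(urlparse(sts_endpoint).hostname or "")
    if not match:
        raise ValueError("unrecognized STS host: " + sts_endpoint)
    return match.group(1) or "us-east-1"

def check(iam_request_headers_b64, sts_endpoint=DEFAULT_STS_ENDPOINT):
    """Compare where the client signed for with where Vault will send it."""
    signed = signed_region(iam_request_headers_b64)
    target = endpoint_region(sts_endpoint)
    if partition(signed) != partition(target):
        return "partition-mismatch"
    return "ok" if signed == target else "region-mismatch"

# Constructed sample: headers shaped like a GovCloud client's (fake key, fake signature).
SAMPLE = base64.b64encode(json.dumps({"Authorization": [
    "AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE/20190220/us-gov-west-1/sts/aws4_request, "
    "SignedHeaders=host;x-amz-date, Signature=" + "0" * 64]}).encode()).decode()
```

Calling `check(SAMPLE)` with the default endpoint reports `partition-mismatch`, while passing `https://sts.us-gov-west-1.amazonaws.com` as `sts_endpoint` reports `ok`.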
