Open adamrothman opened 1 year ago
I also can't get it to work with SSO, but in my case I can't get past
│ Error: Error making API request.
│
│ URL: PUT https://my-vault-address/v1/auth/aws/login
│ Code: 400. Errors:
│
│ * error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
│ <Error>
│ <Type>Sender</Type>
│ <Code>MissingAuthenticationToken</Code>
│ <Message>Request is missing Authentication Token</Message>
│ </Error>
│ <RequestId>17277c34-cbc3-4b08-aa0a-1cffbe4d98fe</RequestId>
│ </ErrorResponse>
│
│
│ with provider["registry.terraform.io/hashicorp/vault"],
│ on providers.tf line 7, in provider "vault":
│ 7: provider "vault" {
With this config
provider "vault" {
  address = "https://my-vault-address/"
  auth_login_aws {
    aws_profile = "my-profile"
    role        = "aws-devops"
  }
}
On the AWS side I have this
[profile my-profile]
sso_start_url  = https://my-sso.awsapps.com/start
sso_region     = eu-central-1
sso_role_name  = Admin
region         = eu-central-1
output         = json
sso_account_id = my-account-id
And in the Vault auth configuration
resource "vault_auth_backend" "aws" {
  type = "aws"
  path = "aws"
}
resource "vault_aws_auth_backend_role" "aws_devops" {
  backend                  = vault_auth_backend.aws.path
  role                     = "devops"
  auth_type                = "iam"
  bound_iam_principal_arns = ["AWS_SSO_ROLE_ARN"]
  token_ttl                = 28800 # 8 hours
  token_max_ttl            = 28800 # 8 hours
  token_policies           = ["vault-admin"]
}
Logging in through vault login doesn't work either unless you export the ACCESS and SECRET keys, but I guess that is a known problem.
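The STS error quoted above tells you where in the protocol things went wrong. With Vault's AWS IAM auth method the client does not ask Vault to call STS with the client's profile; the client itself signs an sts:GetCallerIdentity request and sends that signed request to Vault, which replays it against STS to learn the caller's ARN. A 403 MissingAuthenticationToken from STS is what you get when the replayed request carries no Authorization header, which is consistent with the provider having resolved no credentials for the SSO profile. The script below is an added example (not code from the provider, the Vault CLI, or anyone in this thread) that builds the signed request and the auth/aws/login body the way the CLI does, using only the standard library for SigV4; the access key, secret, session token, timestamp, role name and server-ID header value are constructed placeholders.

```python
"""Build the signed sts:GetCallerIdentity request that Vault's aws/iam login replays.

Added example, not provider or Vault code. All credentials and timestamps are placeholders.
"""
import base64
import datetime as dt
import hashlib
import hmac
import json
from typing import Dict, Optional

STS_URL = "https://sts.amazonaws.com/"       # global endpoint; signed with region us-east-1
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    k = _hmac(("AWS4" + secret_key).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def sign_get_caller_identity(access_key: str, secret_key: str, session_token: Optional[str] = None,
                             region: str = "us-east-1", server_id: Optional[str] = None,
                             amz_date: Optional[str] = None) -> Dict[str, str]:
    """Return the headers of a SigV4-signed POST to STS GetCallerIdentity.

    No resolved credentials is exactly the failure mode in this thread: with nothing to sign
    with there is no Authorization header, and STS rejects the replayed request with
    403 MissingAuthenticationToken. Fail on the client side instead of letting that happen.
    """
    if not access_key or not secret_key:
        raise RuntimeError("no AWS credentials resolved; an unsigned request would be rejected by STS")
    if amz_date is None:
        amz_date = dt.datetime.now(dt.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    headers = {
        "host": "sts.amazonaws.com",
        "content-type": "application/x-www-form-urlencoded; charset=utf-8",
        "x-amz-date": amz_date,
    }
    if session_token:                      # SSO/STS credentials are temporary and carry a token
        headers["x-amz-security-token"] = session_token
    if server_id:                          # optional; must match the role's iam_server_id_header_value
        headers["x-vault-aws-iam-server-id"] = server_id

    names = sorted(headers)                # canonical headers: lowercase names, sorted, trimmed values
    canonical_headers = "".join(f"{n}:{headers[n].strip()}\n" for n in names)
    signed_headers = ";".join(names)
    payload_hash = hashlib.sha256(STS_BODY.encode()).hexdigest()
    canonical_request = "\n".join(["POST", "/", "", canonical_headers, signed_headers, payload_hash])
    scope = f"{date}/{region}/sts/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date, region, "sts"),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def vault_login_payload(role: str, headers: Dict[str, str]) -> Dict[str, str]:
    """Body for PUT /v1/auth/aws/login (IAM method): the signed request, base64-encoded."""
    def b64(s: str) -> str:
        return base64.b64encode(s.encode()).decode()
    # Vault accepts header -> list of values; send canonical header capitalisation on the wire.
    wire_headers = {k.title(): [v] for k, v in headers.items()}
    return {
        "role": role,
        "iam_http_request_method": "POST",
        "iam_request_url": b64(STS_URL),
        "iam_request_headers": b64(json.dumps(wire_headers)),
        "iam_request_body": b64(STS_BODY),
    }


def decode_login_payload(payload: Dict[str, str]) -> Dict[str, object]:
    """Undo the encoding to inspect exactly what Vault will forward to STS."""
    def b64d(s: str) -> str:
        return base64.b64decode(s).decode()
    return {
        "method": payload["iam_http_request_method"],
        "url": b64d(payload["iam_request_url"]),
        "headers": json.loads(b64d(payload["iam_request_headers"])),
        "body": b64d(payload["iam_request_body"]),
    }


if __name__ == "__main__":
    # Constructed placeholder credentials; real ones come from the resolved AWS profile.
    hdrs = sign_get_caller_identity("AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                                    session_token="FwoGZXIvYXdzEXAMPLE", server_id="vault.example.com")
    print(json.dumps(decode_login_payload(vault_login_payload("aws-devops", hdrs)), indent=2))
```

Run it and compare the decoded headers with what the provider sends when the profile resolves: a working login always has Authorization, X-Amz-Date and, for SSO or assumed-role credentials, X-Amz-Security-Token. If the session token is missing while the access key starts with ASIA, STS will also refuse the request, so a wrapper that resolves SSO credentials must pass all three values through.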
Here's my current solution to get around this issue:
variable "vault_addr" {
  default = "https://example.com:8200"
}
data "external" "session" {
  program = ["python3", "-c", "import boto3; import json; print(json.dumps(boto3.Session().get_credentials().get_frozen_credentials()._asdict()))"]
}
provider "vault" {
  address = var.vault_addr
  auth_login_aws {
    namespace             = "admin"
    role                  = "ops"
    aws_access_key_id     = data.external.session.result.access_key
    aws_secret_access_key = data.external.session.result.secret_key
    aws_session_token     = data.external.session.result.token
    aws_region            = "us-east-1"
  }
}
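The workaround above works because boto3 walks the shared config itself, so an SSO profile resolves through the cached SSO token that the provider does not pick up. The script below is an added example, not code from this thread or from the provider, that generalises it: the profile name comes from the external data source's query instead of the ambient environment, the output is guaranteed to be the flat object of strings the external provider requires (a null token would otherwise fail the data source), and a --env mode prints export lines so the same resolver also feeds the vault login CLI, which the thread notes needs explicit keys. The file name aws_creds.py and the profile name my-profile are assumptions.

```python
"""Resolve AWS credentials for a named profile (SSO included) for Terraform or the Vault CLI.

Added example, not from the thread. Assumed file name: aws_creds.py. Two entry points:
  - as the `program` of a terraform `external` data source: reads {"profile": "..."} from
    stdin and writes a flat JSON object of strings, which is what the external provider requires
  - `--env [profile]`: prints `export AWS_...=...` lines for `eval` before `vault login -method=aws`
"""
import json
import shlex
import sys
from typing import Dict, Optional, Tuple

Creds = Tuple[str, str, Optional[str]]   # access key, secret key, session token (None if static)


def read_query(raw: str) -> Dict[str, str]:
    """Parse the JSON object terraform's external data source writes to the program's stdin."""
    query = json.loads(raw) if raw.strip() else {}
    if not isinstance(query, dict):
        raise ValueError("external query must be a JSON object")
    return query


def resolve_profile_credentials(profile: Optional[str]) -> Creds:
    """Let botocore walk ~/.aws/config; for an SSO profile this uses the cached SSO token."""
    import boto3  # imported lazily so the pure helpers below work without it installed
    session = boto3.Session(profile_name=profile or None)
    creds = session.get_credentials()
    if creds is None:
        raise RuntimeError(f"no credentials resolved for profile {profile!r}; run `aws sso login` first?")
    frozen = creds.get_frozen_credentials()
    return frozen.access_key, frozen.secret_key, frozen.token


def external_result(creds: Creds) -> Dict[str, str]:
    """Shape for terraform's external data source: every value must be a string, never null."""
    access_key, secret_key, token = creds
    if not access_key or not secret_key:
        raise RuntimeError("incomplete credentials; refusing to hand Vault an unsignable login")
    return {"access_key": access_key, "secret_key": secret_key, "token": token or ""}


def env_exports(creds: Creds) -> str:
    """Shell lines for: eval "$(python3 aws_creds.py --env my-profile)" && vault login -method=aws role=..."""
    access_key, secret_key, token = creds
    lines = [f"export AWS_ACCESS_KEY_ID={shlex.quote(access_key)}",
             f"export AWS_SECRET_ACCESS_KEY={shlex.quote(secret_key)}"]
    if token:
        lines.append(f"export AWS_SESSION_TOKEN={shlex.quote(token)}")
    else:
        lines.append("unset AWS_SESSION_TOKEN")   # a stale token next to static keys breaks signing
    return "\n".join(lines)


def main(argv) -> None:
    if argv[1:2] == ["--env"]:
        profile = argv[2] if len(argv) > 2 else None
        print(env_exports(resolve_profile_credentials(profile)))
    else:
        query = read_query(sys.stdin.read())
        print(json.dumps(external_result(resolve_profile_credentials(query.get("profile")))))


if __name__ == "__main__":
    main(sys.argv)
```

On the Terraform side the data source becomes program = ["python3", "${path.module}/aws_creds.py"] with query = { profile = "my-profile" }, and the provider block stays as in the comment above. One caveat that applies to the original workaround as much as to this one: the external data source's result, secret key included, is written to the Terraform state, so keep that state access-controlled and prefer short-lived SSO credentials over static keys for this path.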
After almost 2 years, the issue is still ongoing with hashicorp/vault 4.2.0

Terraform Version

Affected Resource(s)
This is a problem with the provider itself, specifically the auth_login_aws block.

Terraform Configuration Files
In a TF environment:

In ~/.aws/config:

Debug Output
N/A

Panic Output
N/A

Expected Behavior
Terraform should use the credentials from the specified AWS profile to auth to Vault.

Actual Behavior
Terraform does not use credentials from the specified AWS profile, instead falling back to the EC2 instance's role:

Steps to Reproduce
terraform plan or terraform apply

Important Factoids
The Vault CLI also does not appear to support these kinds of profiles, i.e. running AWS_PROFILE=my-sso-profile vault login -method=aws ... doesn't work either.

References
1086