hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

Provider's auth_login_aws block does not support AWS SSO profiles #1672

Open adamrothman opened 1 year ago

adamrothman commented 1 year ago

Terraform Version

Terraform v1.3.4
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v4.38.0
+ provider registry.terraform.io/hashicorp/vault v3.10.0

Affected Resource(s)

This is a problem with the provider itself, specifically the auth_login_aws block.

Terraform Configuration Files

In a TF environment:

provider "vault" {
  address         = "http://my.vault.host.com:8200"
  skip_tls_verify = true

  auth_login_aws {
    aws_profile  = "my-sso-profile"
    header_value = "a-cool-header-value"
    role         = "some-vault-role"
  }
}

In ~/.aws/config:

[profile my-sso-profile]
cli_pager =
region = us-east-1
sso_start_url = https://d-0000000000.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = AdministratorAccess

Debug Output

N/A

Panic Output

N/A

Expected Behavior

Terraform should use the credentials from the specified AWS profile to auth to Vault.

Actual Behavior

Terraform does not use credentials from the specified AWS profile, instead falling back to the EC2 instance's role:

╷
│ Error: Error making API request.
│
│ URL: PUT http://my.vault.host.com:8200/v1/auth/aws/login
│ Code: 400. Errors:
│
│ * IAM Principal "arn:aws:sts::123456789012:assumed-role/my-personal-host-role/i-00000000000000000" does not belong to the role "some-vault-role"
│
│   with provider["registry.terraform.io/hashicorp/vault"],
│   on providers.tf line 7, in provider "vault":
│    7: provider "vault" {
│
╵

Steps to Reproduce

  1. Configure CLI profiles to use AWS SSO as in the example above (more info in AWS docs here)
  2. Attempt to terraform plan or terraform apply
  3. Error (as above)

Important Factoids

The Vault CLI also does not appear to support these kinds of profiles, i.e. running AWS_PROFILE=my-sso-profile vault login -method=aws ... doesn't work either.

References

vitali-raikov commented 1 year ago

I also can't get it to work with SSO, but in my case I can't get past

│ Error: Error making API request.
│ 
│ URL: PUT https://my-vault-address/v1/auth/aws/login
│ Code: 400. Errors:
│ 
│ * error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
│   <Error>
│     <Type>Sender</Type>
│     <Code>MissingAuthenticationToken</Code>
│     <Message>Request is missing Authentication Token</Message>
│   </Error>
│   <RequestId>17277c34-cbc3-4b08-aa0a-1cffbe4d98fe</RequestId>
│ </ErrorResponse>
│ 
│ 
│   with provider["registry.terraform.io/hashicorp/vault"],
│   on providers.tf line 7, in provider "vault":
│    7: provider "vault" {

With this config

provider "vault" {
  address = "https://my-vault-address/"

  auth_login_aws {
    aws_profile = "my-profile"
    role        = "aws-devops"
  }
}

On AWS side I have this

[profile my-profile]
sso_start_url = https://my-sso.awsapps.com/start
sso_region = eu-central-1
sso_role_name = Admin
region = eu-central-1
output = json
sso_account_id = my-account-id

And in Vault auth configuration

resource "vault_auth_backend" "aws" {
  type = "aws"
  path = "aws"
}

resource "vault_aws_auth_backend_role" "aws_devops" {
  backend                  = vault_auth_backend.aws.path
  role                     = "devops"
  auth_type                = "iam"
  bound_iam_principal_arns = ["AWS_SSO_ROLE_ARN"]
  token_ttl                = 28800 # 8 hours
  token_max_ttl            = 28800 # 8 hours
  token_policies           = ["vault-admin"]
}

Logging in through vault login doesn't work either, unless you export ACCESS and SECRET keys, but I guess that is a known problem.

xdays commented 3 months ago

Here's my current solution to get around this issue

variable "vault_addr" {
  default = "https://example.com:8200"
}

data "external" "session" {
  program = ["python3", "-c", "import boto3; import json; print(json.dumps(boto3.Session().get_credentials().get_frozen_credentials()._asdict()))"]
}

provider "vault" {
  address = var.vault_addr
  auth_login_aws {
    namespace             = "admin"
    role                  = "ops"
    aws_access_key_id     = data.external.session.result.access_key
    aws_secret_access_key = data.external.session.result.secret_key
    aws_session_token     = data.external.session.result.token
    aws_region            = "us-east-1"
  }
}

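A fuller version of the external-program workaround in the comment above, as an added example that is not from the thread or the provider: a script for Terraform's external data source that takes the profile from the query map, resolves credentials with boto3 (SSO profiles included), and emits the string-only JSON object the data source requires, failing loudly when nothing usable resolves. The `profile` query key, the `aws_session` data source name and the `aws_creds.py` file name are assumptions.

```python
"""Helper for Terraform's `external` data source (added example, not from the thread).
Assumed HCL wiring: data "external" "aws_session" { program = ["python3", "aws_creds.py"]
query = { profile = "my-sso-profile" } }; auth_login_aws then reads
data.external.aws_session.result.access_key / .secret_key and
lookup(data.external.aws_session.result, "token", null). Caveat: data source
results, these temporary credentials included, are recorded in Terraform state."""
import json
import sys


def _field(creds, name):
    # Works for a boto3 frozen-credentials namedtuple or a plain dict (used in tests)
    return creds.get(name) if isinstance(creds, dict) else getattr(creds, name, None)


def credentials_to_result(creds):
    """Build the result the data source requires: a flat JSON object of string values.
    A missing session token is omitted, not emitted as null (which Terraform rejects);
    returns None when no usable key pair was resolved."""
    access_key, secret_key = _field(creds, "access_key"), _field(creds, "secret_key")
    if not access_key or not secret_key:
        return None
    result = {"access_key": str(access_key), "secret_key": str(secret_key)}
    token = _field(creds, "token")
    if token:
        result["token"] = str(token)
    return result


def parse_query(text):
    """Terraform passes the `query` map as a JSON object of strings on stdin ({} if unset)."""
    query = json.loads(text) if text.strip() else {}
    if not isinstance(query, dict) or any(not isinstance(v, str) for v in query.values()):
        raise ValueError("query must be a JSON object with string values")
    return query


def main():
    import boto3  # imported lazily so the helpers above work without boto3 installed
    from botocore.exceptions import BotoCoreError, ClientError
    profile = parse_query(sys.stdin.read()).get("profile") or None  # None: AWS_PROFILE/default
    try:
        creds = boto3.Session(profile_name=profile).get_credentials()
        result = credentials_to_result(creds.get_frozen_credentials() if creds else None)
    except (BotoCoreError, ClientError) as exc:
        sys.exit("boto3 error for profile %r: %s" % (profile, exc))  # message to stderr, exit 1
    if result is None:
        # Failing here (e.g. expired SSO session) beats the silent instance-role fallback above
        sys.exit("could not resolve AWS credentials for profile %r" % profile)
    json.dump(result, sys.stdout)


if __name__ == "__main__":
    main()
```

A non-zero exit from the program fails the data source with the stderr text, so an expired SSO session surfaces as a Terraform error rather than as the "IAM Principal ... does not belong to the role" rejection from Vault.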
micolun commented 2 weeks ago

After almost 2 years, the issue is still ongoing with hashicorp/vault 4.2.0