Open SamuelM333 opened 3 years ago
This is an excellent question. Normally, you would be in control of both Vault's and its client's AWS accounts; however, in this case you only control the client's AWS account. Unfortunately, AFAIK this means you are unable to configure cross-account permissions as would normally be required. The only workaround I know for now is to set `resolve_aws_unique_ids=false` when creating the role in Vault:
```shell
vault write auth/aws/role/vault-lambda-role \
    auth_type=iam \
    bound_iam_principal_arn="arn:aws:iam::***:role/vault-lambda-role" \
    policies="serverless" \
    ttl=1h \
    resolve_aws_unique_ids=false
```
This does introduce a limitation: the ARN you reference for `bound_iam_principal_arn` must be in the form you've given it, because the setting instructs Vault not to resolve ARNs into unique IDs, and so it can only pattern match between the ARNs given to it. Vault still properly validates the identity of the role and it's still a secure option, just more restrictive in how you can configure it.
This is something that's been flagged internally for HCP Vault, and I can't give any timeframe, but I'm hopeful we'll be able to improve this UX in future.
In the meantime, I'm going to leave this issue open as a documentation issue, as it would be nice to surface this more easily for everyone.
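To make the limitation concrete, here is a small added model (not Vault's own code) of what `resolve_aws_unique_ids=false` leaves as the check: the caller's STS assumed-role ARN is canonicalized to an IAM role ARN and compared as a string against `bound_iam_principal_arn`, with only a trailing `*` treated as a wildcard. The account id and session names are constructed placeholders.

```python
import re
from typing import Optional

# Constructed placeholder account id; not a real AWS account.
BOUND_ARN = "arn:aws:iam::111122223333:role/vault-lambda-role"


def canonical_iam_arn(caller_arn: str) -> Optional[str]:
    """Map the ARN a caller presents (what sts:GetCallerIdentity returns)
    to the IAM principal it stands for.

    An assumed role arrives as arn:aws:sts::ACCT:assumed-role/ROLE/SESSION.
    The session name is dropped and the ARN is rewritten to the IAM role.
    Note that STS omits the role's IAM path, so a bound ARN written with a
    path (role/some-path/name) will never match the canonical form.
    Plain IAM user/role ARNs pass through; anything else (root, federated
    identities) is rejected because it is not an IAM principal.
    """
    m = re.fullmatch(r"arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+", caller_arn)
    if m:
        account, role = m.groups()
        return f"arn:aws:iam::{account}:role/{role}"
    if re.fullmatch(r"arn:aws:iam::\d{12}:(role|user)/.+", caller_arn):
        return caller_arn
    return None


def arn_matches_bound(caller_arn: str, bound_arn: str) -> bool:
    """String comparison with one optional trailing '*' glob.

    With resolve_aws_unique_ids=false there is no lookup of the principal's
    unique id, so this comparison is the whole binding. The trade-off is
    that a role deleted and re-created under the same name still matches,
    which the unique-id resolution would otherwise prevent.
    """
    canon = canonical_iam_arn(caller_arn)
    if canon is None:
        return False
    if bound_arn.endswith("*"):
        return canon.startswith(bound_arn[:-1])
    return canon == bound_arn
```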
Awesome, that did it! Thanks a lot!
> This does introduce a limitation; the ARN you reference for `bound_iam_principal_arn` must be in the form you've given it

Does that mean that the ARN will be interpreted literally and won't accept wildcards (e.g. `arn:aws:iam::***:role/vault*`)?
I've been searching for a solution for this exact scenario in our use case for probably the last 4 days. 🤦🏻♂️
Thanks for the detailed explanation and solution as well. Looking forward to keeping up with the updates on this one. ✨
Thanks for the ping on this. We also now have this learn tutorial, which could readily be adapted for vault-lambda-extension and makes an improvement on my previous comment: https://developer.hashicorp.com/vault/tutorials/cloud-ops/vault-auth-method-aws. I'll leave this issue open though as I'd like to adapt that content specifically for HCP Vault + the Lambda extension in the docs here
I'm following the quickstart and this video, AWS re:Invent - Using Vault with AWS Lambda and More, with a Vault server hosted on HashiCorp Cloud Platform.

I'm stuck at the third step of the guide, running:

```shell
vault write auth/aws/role/vault-lambda-role
```
Around minute 16:12 of the video I linked, a similar issue is mentioned, but the solution is not very clear.
These are the commands I ran:

1. Configure my Vault client
2. Enable the AWS auth backend and configure it as the guide says
3. Add an STS config, since my Lambda and its role are not in the same account as my user
4. Run the final command from the guide
This is the assume role policy of my role:
I already tried allowing the assumed role from the error message, with no success:
Am I missing something? How do I allow the HCP Vault user to assume my lambda role? Any help would be appreciated. Thanks!