search

hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/
Other
30.98k stars 4.19k forks source link

Vault client should use AWS-SDK default credential chain when using AWS auth method in iam mode #12568

Open reegnz opened 3 years ago

reegnz commented 3 years ago

Is your feature request related to a problem? Please describe. I have tried vault with multiple credential retrieval methods that the AWS SDK natively supports, namely:

  1. ~/.aws/config with source_profile + using the AWS_PROFILE environment variable -> doesn't work
  2. using ~/.aws/config with 'credential_process' -> doesn't work
  3. looking at the code ECS container credentials would also not work

The first two I'm using in testing my aws roles, the last one is for using vault client in ECS.

Describe the solution you'd like Instead of vault client using it's own credential chain, use to the AWS SDK default credential chain. If the user specifies their access keys explicitly (eg. through args), only then use custom credential chain.

See https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials on what the recommended way of using the AWS SDK is.

Describe alternatives you've considered I wrote a python script to wrap vault, so that I can utilize the default credential chain. It looks like this (calling it vault-aws-fix:

#!/usr/bin/env python3
import os
import sys

import boto3

session = boto3.session.Session()

creds = session.get_credentials()
creds = creds.get_frozen_credentials()

os.environ["AWS_ACCESS_KEY_ID"] = creds.access_key
os.environ["AWS_SECRET_ACCESS_KEY"] = creds.secret_key
os.environ["AWS_SESSION_TOKEN"] = creds.token

os.system(" ".join(sys.argv[1:]))

and using it like this:

vault-aws-fix vault login -method=aws -role=myrole
shivshav commented 1 year ago

I'm wondering if there's been any movement on this. We're trying to set up AWS auth as well for CLI usage and running into issues with our setup. We currently use method 2 outline above for talking to AWS (credential_process) and running vault login -method=aws role=<role> region=<region> just gives us the following output with no additional information.

Error authenticating: failed to retrieve credentials from credential chain: NoCredentialProviders: no valid providers in chain. Deprecated.
        For verbose messaging see aws.Config.CredentialsChainVerboseErrors

Worth noting that I can use the AWS CLI with no issues using the same setup

jorhett commented 10 months ago

Vault is using an ancient version of the aws-sdk. There are numerous bug fixes in recent versions, including this config parsing issue https://github.com/aws/aws-sdk-go/issues/4989 which is fixed by v1.45.15.

Related to #18375