Open reegnz opened 3 years ago
I'm wondering if there's been any movement on this. We're trying to set up AWS auth as well for CLI usage and running into issues with our setup. We currently use method 2 outline above for talking to AWS (credential_process
) and running vault login -method=aws role=<role> region=<region>
just gives us the following output with no additional information.
Error authenticating: failed to retrieve credentials from credential chain: NoCredentialProviders: no valid providers in chain. Deprecated.
For verbose messaging see aws.Config.CredentialsChainVerboseErrors
Worth noting that I can use the AWS CLI with no issues using the same setup
Vault is using an ancient version of the aws-sdk. There are numerous bug fixes in recent versions, including this config parsing issue https://github.com/aws/aws-sdk-go/issues/4989 which is fixed by v1.45.15.
Related to #18375
Is your feature request related to a problem? Please describe. I have tried vault with multiple credential retrieval methods that the AWS SDK natively supports, namely:
The first two I'm using in testing my aws roles, the last one is for using vault client in ECS.
Describe the solution you'd like Instead of vault client using it's own credential chain, use to the AWS SDK default credential chain. If the user specifies their access keys explicitly (eg. through args), only then use custom credential chain.
See https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials on what the recommended way of using the AWS SDK is.
Describe alternatives you've considered I wrote a python script to wrap vault, so that I can utilize the default credential chain. It looks like this (calling it
vault-aws-fix
:and using it like this: