Open T0tt1 opened 2 years ago
Hello! Can you please try to replicate this issue with a newer version of Vault? You can see the Vault releases available here: https://releases.hashicorp.com/vault/ As a general rule, we accept issues for versions "n-2", so we would accept issues of bug reports for version 1.7 or later. Thanks!
Thank you for the feedback, sir/madam!
Please find that the same issue has been observed after upgrading to version 1.9.0.
sh-4.2$ vault login -method=aws role=master-role
Error authenticating: context deadline exceeded
sh-4.2$ vault status
Key Value
--- -----
Recovery Seal Type shamir
Initialized true
Sealed false
Total Recovery Shares obfuscated
Threshold obfuscated
Version 1.9.0
Storage Type dynamodb
Cluster Name vault-cluster
Cluster ID obfuscated
HA Enabled true
HA Cluster https://obfuscated:8201
HA Mode active
Active Since 2021-12-16T11:03:58.195799046Z
Thanks! I'll have someone take a look.
Also, looking at some resources for this issue, there might be a problem with network connectivity. Can you run curl $VAULT_ADDR/v1/sys/seal-status
from the node you're running the vault login from? You may also wish to increase the client timeout, like so: export VAULT_CLIENT_TIMEOUT=300s
Let me know if either of those work for you!
Thank you for your suggestion. There is no issue with the network connectivity. Please check below:
sh-4.2$ curl $VAULT_ADDR/v1/sys/seal-status
{"type":"shamir","initialized":true,"sealed":false,"t":obfuscated,"n":obfuscated,"progress":0,"nonce":"","version":"1.9.0","migration":false,"cluster_name":"vault-cluster","cluster_id":"obfuscated","recovery_seal":true,"storage_type":"dynamodb"}
sh-4.2$
The response is received immediately after executing the curl command, hence there is no need to update the timeout period.
In some cases, we've seen where the request to AWS may be not responding within the timeout period, which is why I recommend trying to increase that value. Please give it a try and let me know if it works. :)
Unfortunately, the proposed action is not working. I still think this is a bug and not a misconfiguration on my end.
sh-4.2$ export PRIVATE_IP=$(dig +short obfuscated)
sh-4.2$ export VAULT_ADDR=https://$PRIVATE_IP:8200
sh-4.2$ vault login -method=aws header_value=$PRIVATE_IP role=master-role
Error authenticating: context deadline exceeded
sh-4.2$ export VAULT_CLIENT_TIMEOUT=300s
sh-4.2$ vault login -method=aws header_value=$PRIVATE_IP role=master-role
Error authenticating: Error making API request.
URL: PUT https://obfuscated:8200/v1/auth/aws/login
Code: 400. Errors:
* error looking up full ARN of entity &{aws obfuscated assumed-role obfuscated i-03_obfuscated}: error fetching role "obfuscated": RequestError: send request failed
caused by: Post https://iam.amazonaws.com/: dial tcp obfuscated:443: i/o timeout
sh-4.2$
Can you confirm that you can reach iam.amazonaws.com:443 from your host?
I confirm that address is reachable.
sh-4.2$ telnet iam.amazonaws.com 443
Trying 52.46.155.37...
Connected to iam.amazonaws.com.
Escape character is '^]'.
Thanks, @T0tt1! I appreciate your patience. I'll see what we can find out from our side. :)
Did anything come of this? I'm hitting exactly this issue, with all the same diagnosis.
Edit: I found out my issue was that I had set
resource "vault_aws_auth_backend_role" "nomad_client" {
  ...
  inferred_aws_region = "us-east-1c"
}
This should actually have been us-east-1
Describe the bug
Using server Vault v1.4.2. I am creating a role using type aws/iam. If I create an IAM role which does have the role_path property and instance_profile_path property defined in Terraform, once I create the role in Vault and set the boundary to the aforementioned IAM role, I am unable to log in and get the error
Error: context deadline exceeded
It works with arn:aws:iam::XXXXXXXX:role/staging-github-action-runners-runner-role-toad and I get the mentioned error while the ARN looks like arn:aws:iam::XXXXXXXXXXX:role/hashicorp-manager/staging-github-action-runners-runner-role-toad
To Reproduce
Steps to reproduce the behavior:
vault auth enable aws
vault write auth/aws/config/client sts_endpoint=https://sts.us-east-1.amazonaws.com sts_region=us-east-1
Root
EOF`
vault write \
  auth/aws/role/master-role \
  auth_type=iam \
  policies=master-policy \
  resolve_aws_unique_ids=false \
  max_ttl=1h \
  token_ttl=1h \
  bound_iam_principal_arn=${runner_instance_profile_role}
vault login -method=aws role=master-role
Expected behavior
Regardless of whether I have role_path and instance_profile_path set while creating the IAM role, once I provide the ARN during the creation of the role in Vault I must be able to log in. Creating an IAM role with ARN arn:aws:iam::XXXXXXXXXXX:role/hashicorp-manager/staging-github-action-runners-runner-role-toad and passing it via the command:
vault write \
  auth/aws/role/master-role \
  auth_type=iam \
  policies=master-policy \
  resolve_aws_unique_ids=false \
  max_ttl=1h \
  token_ttl=1h \
  bound_iam_principal_arn=${runner_instance_profile_role}
Should allow me to login just like this:
sh-4.2$ vault login -method=aws role=master-role
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                    Value
---                    -----
token                  obfuscated
token_accessor         obfuscated
token_duration         1h
token_renewable        true
token_policies         ["default" "master-policy"]
identity_policies      []
policies               ["default" "master-policy"]
token_meta_account_id  obfuscated
token_meta_auth_type   iam
token_meta_role_id     obfuscated
sh-4.2$
Environment:
vault status:
sh-4.2$ vault status
Key                      Value
---                      -----
Recovery Seal Type       shamir
Initialized              true
Sealed                   false
Total Recovery Shares    obfuscated
Threshold                obfuscated
Version                  1.4.2
Cluster Name             vault-cluster
Cluster ID               obfuscated
HA Enabled               true
HA Cluster               https://obfuscated:8201
HA Mode                  active
vault version:
sh-4.2$ vault version
Vault v1.4.2
Vault server configuration file(s):
Additional context
Add any other context about the problem here.
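Both failure modes in this thread are role values that can be checked before running vault write auth/aws/role/...: a bound_iam_principal_arn whose role has a path (the STS caller ARN omits that path, so Vault has to resolve it with the IAM GetRole call to iam.amazonaws.com that timed out in the error above) and an inferred_aws_region that one commenter had set to an availability zone instead of a region. The POSIX shell checks below are an added example, not Vault's code or anything posted in the thread; the account id and role names are constructed placeholders.

```shell
# Added pre-flight checks for a Vault AWS IAM auth role (not Vault's own code).
# They catch the two misconfigurations seen in this thread: an availability
# zone (us-east-1c) where inferred_aws_region expects a region (us-east-1),
# and a bound_iam_principal_arn that is not a full IAM role ARN.

# Return 0 when $1 has the shape of an AWS region, e.g. us-east-1, eu-west-2.
# An availability zone such as us-east-1c ends in a letter and is rejected.
is_aws_region() {
  case "$1" in
    [a-z][a-z]-[a-z]*-[0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 when $1 is an IAM role ARN:
#   arn:aws:iam::<12-digit account>:role/<optional/path/>name
is_iam_role_arn() {
  case "$1" in
    arn:aws:iam::[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:role/?*)
      return 0 ;;
    *) return 1 ;;
  esac
}

# Print the path of an IAM role ARN ("/" when the role has no path).
# The STS caller ARN omits this path, so Vault fetches it with IAM GetRole;
# that is the request to iam.amazonaws.com that timed out in the error above.
iam_role_path() {
  rest="${1#arn:aws:iam::*:role/}"          # e.g. hashicorp-manager/name
  case "$rest" in
    */*) printf '/%s/\n' "${rest%/*}" ;;
    *)   printf '/\n' ;;
  esac
}

# Validate region ($1, may be empty when no inferencing is used) and ARN ($2).
# Prints every problem found and returns 1 if there was one.
preflight_aws_auth_role() {
  region="$1" arn="$2" rc=0
  if [ -n "$region" ] && ! is_aws_region "$region"; then
    echo "inferred_aws_region '$region' is not a region (availability zone?)"; rc=1
  fi
  if ! is_iam_role_arn "$arn"; then
    echo "bound_iam_principal_arn '$arn' is not an IAM role ARN"; rc=1
  fi
  return $rc
}

# Constructed values; the account id is a placeholder.
preflight_aws_auth_role us-east-1c \
  'arn:aws:iam::123456789012:role/hashicorp-manager/runner-role' || echo 'fix before vault write'
```

When iam_role_path prints anything other than "/", the Vault server itself (not the host running vault login) needs outbound access to iam.amazonaws.com:443 and iam:GetRole permission, which is the check the maintainer's question about reachability was aiming at.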