AWS Secrets Engine - Root IAM credentials can't be rotated with the `region` parameter set and AWS credentials can't be generated without the `region` parameter set. #22601
Is your feature request related to a problem? Please describe.
We have found the need to add the sts_region parameter to the AWS secrets engine, just as it is already available in the AWS auth method. Currently only these parameters exist: https://developer.hashicorp.com/vault/api-docs/secret/aws#parameters
The reason is that for sts_endpoint we use proxies, let's say:
sts_endpoint = "sts.proxy.com"
And since we use these proxies, we cannot specify the AWS region in the sts_endpoint as sts.${aws_region}.amazonaws.com, but we can use the region parameter, say:
region = "eu-west-1"
Now here we run into the problem: if we specify the region parameter, then we will not be able to rotate the root IAM credentials.
If we do not specify the region parameter, we will be able to rotate the root IAM credentials, but the generation of credentials and roles (assumed_role, federation_token or iam_user) will fail because no region is found.
We are not sure if this is intentional or a bug, but we believe that having the sts_region parameter may fix our problem.
Describe the solution you'd like
We would like to be able to use the sts_region parameter in the AWS Vault secrets engine.
Additional context
The error message when we try to rotate credentials with region set, or generate AWS credentials without the region parameter set, is the same:
{
"errors": [
"1 error occurred:
* error calling GetUser: SignatureDoesNotMatch: Credential should be scoped to a valid region.
status code: 403,
request id: 97c6347f-xxx-xxxx-xxxx-xxxxx1900d"
]
}
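Added example (not part of the issue and not Vault's code): the "Credential should be scoped to a valid region" message refers to the SigV4 credential scope, the date/region/service/aws4_request string embedded in every signed AWS request. The script below signs an STS request with a minimal standard-library SigV4 implementation so the scope is visible, and shows why a proxy hostname such as sts.proxy.com cannot supply the region the way sts.eu-west-1.amazonaws.com does. The lookup order in resolve_signing_region (sts_region, then region, then the hostname) is an assumption about how an sts_region parameter could be honoured, not Vault's actual behaviour; the access key, secret and timestamp are constructed test values.

```python
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Hostname shape of the regional STS endpoints. A proxy such as sts.proxy.com
# does not match, so no region can be recovered from it.
_REGIONAL_STS_HOST = re.compile(r"^sts\.([a-z0-9-]+)\.amazonaws\.com$")


def region_from_sts_endpoint(endpoint):
    """Return the region encoded in an STS hostname, or None if there is none."""
    url = endpoint if "://" in endpoint else "https://" + endpoint
    host = (urlparse(url).hostname or "").lower()
    if host == "sts.amazonaws.com":
        return "us-east-1"  # the global STS endpoint is signed as us-east-1
    match = _REGIONAL_STS_HOST.match(host)
    return match.group(1) if match else None


def resolve_signing_region(sts_endpoint, region=None, sts_region=None):
    """Assumed lookup order (not Vault's): explicit sts_region, then the
    generic region parameter, then whatever the endpoint hostname encodes."""
    for candidate in (sts_region, region, region_from_sts_endpoint(sts_endpoint)):
        if candidate:
            return candidate
    raise ValueError(
        f"no signing region for STS endpoint {sts_endpoint!r}: "
        "set region or sts_region when the hostname does not encode one"
    )


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sigv4_authorization(access_key, secret_key, region, host, body, amz_date, service="sts"):
    """Build the SigV4 Authorization header for a POST to https://{host}/.

    The credential scope below is what AWS validates when it reports
    'Credential should be scoped to a valid region'."""
    date = amz_date[:8]
    credential_scope = f"{date}/{region}/{service}/aws4_request"
    signed_headers = "content-type;host;x-amz-date"
    canonical_headers = (
        "content-type:application/x-www-form-urlencoded\n"
        f"host:{host}\n"
        f"x-amz-date:{amz_date}\n"
    )
    payload_hash = hashlib.sha256(body.encode("utf-8")).hexdigest()
    canonical_request = "\n".join(
        ["POST", "/", "", canonical_headers, signed_headers, payload_hash]
    )
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        credential_scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    # Signing key derivation: the region is baked into the key as well as the scope.
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    k_signing = _hmac(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{credential_scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )


def sign_sts_call(config, body, amz_date):
    """Sign an STS call from a config dict shaped like the secrets engine's
    root config (keys assumed: sts_endpoint, region, sts_region)."""
    region = resolve_signing_region(
        config["sts_endpoint"], config.get("region"), config.get("sts_region")
    )
    host = urlparse("https://" + config["sts_endpoint"].split("://")[-1]).hostname
    return sigv4_authorization(
        config["access_key"], config["secret_key"], region, host, body, amz_date
    )


if __name__ == "__main__":
    # Constructed values only; nothing here is a real credential.
    body = "Action=GetCallerIdentity&Version=2011-06-15"
    proxied = {"sts_endpoint": "sts.proxy.com", "region": "eu-west-1",
               "access_key": "AKIAEXAMPLE", "secret_key": "example-secret"}
    print(sign_sts_call(proxied, body, "20230828T120000Z"))
    try:
        sign_sts_call({**proxied, "region": None}, body, "20230828T120000Z")
    except ValueError as exc:
        print("proxy endpoint without region:", exc)
```

With the proxy endpoint and region = "eu-west-1" the header carries the scope 20230828/eu-west-1/sts/aws4_request; drop the region and signing cannot even start, because nothing in sts.proxy.com names a region. That is the gap an sts_region parameter would close for the STS path without affecting how the IAM (GetUser) call used by root rotation is signed.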