agcorreatech
commented
1 month ago Possible offending update in version 1.17.0 is this: auth/aws: add support for external_ids in AWS assume-role [GH-26628]
Open agcorreatech opened 1 month ago
agcorreatech
commented
1 month ago Possible offending update in version 1.17.0 is this: auth/aws: add support for external_ids in AWS assume-role [GH-26628]
jskilton
commented
1 month ago This broke for us too. 1.17 can no longer use the standard STS and assume role to use AWS AUTH engine. I had to put this into my TERRAFORM to create the AWS AUTH endpoints and STS roles, as the current HASHI TF provider does not even have "external_id" as a valid field for the STS backend config. (you can do it with the CLI, but not with the TF provider.)
I used the GENERIC to add the external_id to the STS config to get it working again.
`resource "vault_generic_endpoint" "aws" { count = local.aws.enabled == "true" ? length(local.aws.accounts) : 0 depends_on = [vault_aws_auth_backend_sts_role.role] path = "auth/aws/config/sts/${local.aws.accounts[count.index]}" ignore_absent_fields = true
data_json = <<EOT { "external_id": "123" } EOT }`
Sayrus
commented
1 month ago Hitting this issue as well, and with the same issue as @jskilton on the Terraform Provider. Overwriting the auth role to add external_id manually even if not required by the target STS fixes the issue.
The associated STS role must be configured to require the external ID.
So either the must here is a should, or there is another bug hidden that make it works.
I followed the code in the linked MR a bit, and shouldn't the default value passed to AWS here be nil if the value is unset instead of empty string? (https://github.com/aws/aws-sdk-go/blob/main/aws/credentials/stscreds/assume_role_provider.go#L162)
PJ1288
commented
1 month ago We are hitting the same issue with 1.17+ versions.
IAM client: InvalidParameter: 1 validation error(s) found. - minimum field size of 2, AssumeRoleInput.ExternalId.
micolun
commented
1 month ago Same here with Vault 1.17.1 after upgrading it from 1.16.2
I am using Vault terraform provider and logging in with AWS assumed role
│ Error: Error making API request.
│
│ URL: PUT https://vault-test.example.com/v1/auth/aws/master/login
│ Code: 400. Errors:
│
│ * error looking up full ARN of entity &{aws 1234567890123 assumed-role AWSReservedSSO_AdministratorAccess_3497746d3cd20e29 micolun} when attempting login for role "1234567890123": error creating IAM client: InvalidParameter: 1 validation error(s) found.
│ - minimum field size of 2, AssumeRoleInput.ExternalId.This is not the first Vault issue related to AWS auth method I encountered. AWS assumed roles are poorly supported in Vault.
KalenWessel
commented
2 weeks ago Currently on Vault 1.17.2 and also hitting the same issue with AWS auth:
minimum field size of 2, AssumeRoleInput.ExternalId.Once I manually added the external_id authentication worked.
vault write auth/aws/config/sts/123456789 sts_role=arn:aws:iam::123456789:role/vault-cross-account external_id="123"Thanks https://github.com/hashicorp/vault/issues/27765#issuecomment-2231676052 for the suggestion. Would have been nice if the vault_aws_auth_backend_sts_role resource supported external_id
ttruong-actian
commented
6 days ago same issues for me
* unable to resolve ARN "arn:aws:iam::<accountId>:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_aws-account-user_530707c917121354" to internal ID: InvalidParameter: 1 validation error(s) found.
- minimum field size of 2, AssumeRoleInput.ExternalId.
Describe the bug Unable to create/update AWS authentication role after 1.17.0 Error: unable to resolve ARN to internal ID: InvalidParameter: 1 validation error(s) found
To Reproduce Steps to reproduce the behavior:
Expected behavior After upgrading to version 1.17.0, the STS configuration requires the external_id parameter to be defined (even though it is defined in the documentation as an optional parameter). It is not possible to make changes to AWS authentication roles for accounts that already have the STS configuration defined.
Environment:
vault status): 1.17.0vault version): 1.17.0