Open mikeadityas opened 5 years ago
@mikeadityas thanks for posting all this information! Since the error is coming back from the Alicloud API, my suspicion is that the `access_key` and `secret_key` in the configuration don't qualify to assume the role given in the `role_arn`.
To test the AssumeRole method during development, in RAM roles, this was the policy on the role being assumed, named "hastrustedactors":

```json
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::5138828231865461:root"
        ]
      }
    }
  ],
  "Version": "1"
}
```
And the role being used was:

```shell
vault write alibaba/role/role-based \
    role_arn='acs:ram::5138828231865461:role/hastrustedactors'
```
Would it be possible for you to check through that relationship more? Or to perhaps start with higher level permissions on the test pair, and then to back the permissions down to your current permission levels? Not sure what level of control you have in your test environment.
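The relationship the maintainer asks about has two halves: the role's trust policy must name the caller (or the caller's account root), and the RAM user behind the Vault `access_key` must itself be allowed to call `sts:AssumeRole` on that role ARN. The following offline checker is an added example, not code from this thread or from Vault; the trust policy mirrors the one above, while the user policy, the user name `vaulttest` under account 5138828231865461 and the wildcard handling are constructed assumptions.

```python
import json

# Constructed trust policy, modelled on the "hastrustedactors" policy in the comment above.
TRUST_POLICY = json.dumps({
    "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                   "Principal": {"RAM": ["acs:ram::5138828231865461:root"]}}],
    "Version": "1",
})

# Constructed identity policy for the RAM user Vault authenticates as (assumption:
# the user needs its own sts:AssumeRole grant on the role, in addition to being trusted).
USER_POLICY = json.dumps({
    "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                   "Resource": "acs:ram::5138828231865461:role/hastrustedactors"}],
    "Version": "1",
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allow_statements(policy_json, action="sts:AssumeRole"):
    """Yield Allow statements whose Action covers `action` (exact or wildcard)."""
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") == "Allow" and any(a in (action, "sts:*", "*") for a in actions):
            yield stmt


def trust_allows(trust_policy_json, caller_arn):
    """True if the role trusts the caller ARN itself or the caller's account root."""
    account = caller_arn.split(":")[3]          # acs:ram::<account>:user/<name>
    for stmt in _allow_statements(trust_policy_json):
        principals = _as_list(stmt.get("Principal", {}).get("RAM", []))
        if caller_arn in principals or f"acs:ram::{account}:root" in principals:
            return True
    return False


def user_allows(user_policy_json, role_arn):
    """True if the caller's own policy grants sts:AssumeRole on the role (or on '*')."""
    for stmt in _allow_statements(user_policy_json):
        resources = _as_list(stmt.get("Resource", []))
        if role_arn in resources or "*" in resources:
            return True
    return False


def can_assume(trust_policy_json, user_policy_json, caller_arn, role_arn):
    """Both halves must hold; a failure on either side shows up as an API error in Vault."""
    return trust_allows(trust_policy_json, caller_arn) and user_allows(user_policy_json, role_arn)
```

This only mirrors the Allow logic of the two policies; explicit Deny statements and conditions are still evaluated by the service, so a green result here is a necessary, not a sufficient, check.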
@tyrannosaurus-becks thanks for the reply! Unfortunately, I still got the same error. As I mentioned earlier, I've tried using the same credentials on `aliyun-cli` and it generated the dynamic credentials without any problem.
Ah, so you're able to assume that role from the CLI? Is the CLI using the same Aliyun access key and secret key as is in the Vault config?
Yes, the credentials used in the CLI are the same as in the Vault config.
Hi folks! Is this still an issue in newer versions of Vault? Please let me know so I can bubble it up accordingly. Thanks!
Describe the bug
When trying to generate Alicloud RAM credentials using the STS AssumeRole method, the API returns this error:

On the Alicloud side, I've configured these things:

RAM user to be used by Vault: `vaulttest`
Policies attached to the RAM user (custom policy config):
RAM role to be assumed, ARN: `acs:ram::12345:role/ossfullaccess`. Trust policy config:
It only has one system policy attached (AliyunOSSFullAccess):

Vault side configuration:

```shell
vault read -format=json alicloud/role/test
```

I've tried using the credentials of the `vaulttest` user directly on `aliyun-cli` and it returned the dynamic credentials without problem.

To Reproduce
Steps to reproduce the behavior:
1. Generate the necessary RAM user, custom policy to assume the role, and RAM role with the proper trusted actor.
2. Run `vault secrets enable alicloud`.
3. Run the following (change RAM_USER_ACCESS_KEY_ID and RAM_USER_ACCESS_KEY_SECRET to the credentials generated earlier):
4. Run the following (change UID and ROLE_NAME to the values generated earlier):
5. Run `vault read alicloud/creds/test`.
6. The error mentioned above will be returned here.
Expected behavior
It should return a set of dynamic Alicloud RAM credentials.

Environment:
- Vault server version (retrieve with `vault status`): 1.0.2
- Vault CLI version (retrieve with `vault version`): 1.0.2
- Vault server configuration file(s):

Additional context
None