spring-cloud / spring-cloud-vault

Configuration Integration with HashiCorp Vault
http://cloud.spring.io/spring-cloud-vault/
Apache License 2.0

How to change region when using IAM authentication #523

Closed luckypolaris closed 3 years ago

luckypolaris commented 3 years ago

Describe the bug Please provide details of the problem, including the version of Spring Cloud that you are using.

version: spring cloud vault 1.1.1

Sample If possible, please provide a test case or sample application that reproduces the problem. This makes it much easier for us to diagnose the problem and to verify that we have fixed it.

I am trying to use AWS-IAM authentication with the Vault server, so in bootstrap I defined:

spring.cloud.vault:
      uri: ${VAULT_URI} #vault address
      config:
        order: -10
      authentication: AWS_IAM
      aws-iam:
        role: dev-role-iam
        aws-path: aws
      generic:
        enabled: true
        backend: secret
        profile-separator: /
        default-context: demo

I get an exception when starting the application

org.springframework.vault.VaultException: Cannot login using AWS-IAM: error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>SignatureDoesNotMatch</Code>
    <Message>Credential should be scoped to a valid region, not 'us-east-1'. </Message>
  </Error>
  <RequestId>a701528a-a2bb-4814-92f7-951b15bbef29</RequestId>
</ErrorResponse>

    at org.springframework.vault.authentication.AwsIamAuthentication.createTokenUsingAwsIam(AwsIamAuthentication.java:149)
.......

In my case, the EC2 instances are in the 'cn-northwest-1' region. How do I change the region when using IAM authentication?

mp911de commented 3 years ago

AwsIamAuthentication handles authentication and as far as I know, it's not aware of any region at all. Maybe the region is encoded in the endpoint URI (https://sts.amazonaws.com/) or within AWSCredentialsProvider.

Looking at the Vault docs, there should be a way to specify the region (at least the CLI provides a region option):

The region used defaults to us-east-1, but you can specify a custom region like so:

$ vault login -method=aws region=us-west-2 role=dev-role-iam

mp911de commented 3 years ago

Looking at the Amazon docs, it should be possible to set the Endpoint URI to https://sts.eu-west-1.amazonaws.com to include the region identifier (e.g. spring.cloud.vault.aws-iam.endpoint-uri: https://sts.cn-northwest-1.amazonaws.com)

luckypolaris commented 3 years ago

> Looking at the Amazon docs, it should be possible to set the Endpoint URI to https://sts.eu-west-1.amazonaws.com to include the region identifier (e.g. spring.cloud.vault.aws-iam.endpoint-uri: https://sts.cn-northwest-1.amazonaws.com)

Thanks bro. Looking at the Spring Cloud Vault docs, spring.cloud.vault.aws-iam.endpoint-uri has been supported since v2.2.

harshitdx29 commented 3 years ago

Hi @mp911de, can this be supported for Spring Boot 1.x? I think Spring Cloud Vault 2.x needs Spring Boot 2.x?

mp911de commented 3 years ago

You should be able to register a custom ClientAuthentication bean in the bootstrap context. Spring Cloud Vault 1.x is end of life and not maintained anymore.

harshitdx29 commented 3 years ago

But Spring Cloud Vault 2.x is not supported with Spring Boot 1.x :(

luckypolaris commented 3 years ago

> You should be able to register a custom ClientAuthentication bean in the bootstrap context. Spring Cloud Vault 1.x is end of life and not maintained anymore.

@mp911de I tried registering a custom ClientAuthentication to support specifying the endpoint URI, and it's working fine. I think this issue can be closed. Thanks again bro.
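A custom ClientAuthentication bean of the kind mp911de suggests above and luckypolaris reports working, as an added example that is not part of this thread or of the Spring Cloud Vault project. It assumes Spring Cloud Vault 1.x running on Spring Vault 1.1 or later (whose AwsIamAuthenticationOptions builder exposes endpointUri), the AWS SDK for Java v1 on the classpath, and the role and mount path from the bootstrap config in the issue; the package, class name and the China-partition STS host are chosen for illustration.

```java
// Added example, not code from the issue or from Spring Cloud Vault itself.
// Assumes Spring Cloud Vault 1.x on Spring Vault 1.1+ and AWS SDK for Java v1.
package com.example.vault;

import java.net.URI;

import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;

import org.springframework.cloud.vault.config.VaultProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.ClientHttpRequestFactory;
import org.springframework.vault.authentication.AwsIamAuthentication;
import org.springframework.vault.authentication.AwsIamAuthenticationOptions;
import org.springframework.vault.authentication.ClientAuthentication;
import org.springframework.vault.client.VaultClients;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.config.ClientHttpRequestFactoryFactory;
import org.springframework.vault.support.ClientOptions;
import org.framework.vault.support.SslConfiguration;
import org.springframework.web.client.RestOperations;

/**
 * Must live in the bootstrap context, so it is registered through
 * META-INF/spring.factories rather than component scanning:
 *
 *   org.springframework.cloud.bootstrap.BootstrapConfiguration=\
 *   com.example.vault.VaultAwsIamBootstrapConfiguration
 *
 * Spring Cloud Vault's own ClientAuthentication bean is conditional on no
 * other ClientAuthentication bean being present, so this one replaces the
 * default AWS_IAM authentication built from spring.cloud.vault.aws-iam.*.
 */
@Configuration
public class VaultAwsIamBootstrapConfiguration {

    // Regional STS endpoint (illustrative). The China partition uses the
    // amazonaws.com.cn domain; a commercial region would be e.g.
    // https://sts.eu-west-1.amazonaws.com. The SigV4 signature is scoped to
    // the region encoded in this host, which is exactly what the
    // "Credential should be scoped to a valid region" error complains about.
    private static final URI STS_ENDPOINT =
            URI.create("https://sts.cn-northwest-1.amazonaws.com.cn");

    @Bean
    public ClientAuthentication clientAuthentication(VaultProperties vaultProperties) {

        // Standard AWS credential chain: instance profile on EC2, env vars, ...
        AWSCredentialsProvider credentials = DefaultAWSCredentialsProviderChain.getInstance();

        AwsIamAuthenticationOptions options = AwsIamAuthenticationOptions.builder()
                .credentialsProvider(credentials)
                .role("dev-role-iam")       // Vault role from the issue's config
                .path("aws")                // mount path of the AWS auth method
                .endpointUri(STS_ENDPOINT)  // regional STS endpoint: the actual fix
                .build();

        return new AwsIamAuthentication(options, vaultRestOperations(vaultProperties));
    }

    // RestTemplate pointed at the Vault server from spring.cloud.vault.uri,
    // with default client options and TLS settings.
    private static RestOperations vaultRestOperations(VaultProperties vaultProperties) {
        VaultEndpoint endpoint = VaultEndpoint.from(URI.create(vaultProperties.getUri()));
        ClientHttpRequestFactory requestFactory = ClientHttpRequestFactoryFactory
                .create(new ClientOptions(), SslConfiguration.unconfigured());
        return VaultClients.createRestTemplate(endpoint, requestFactory);
    }
}
```

Two things to keep in mind when using this approach. First, the client only signs the GetCallerIdentity request; the Vault server is the party that sends it to STS, so Vault must be able to reach the regional endpoint you sign for. Second, on Spring Cloud Vault 2.2+ none of this is necessary: setting spring.cloud.vault.aws-iam.endpoint-uri in bootstrap, as luckypolaris notes above, has the same effect.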