spring-projects / spring-vault

Provides familiar Spring abstractions for HashiCorp Vault
https://spring.io/projects/spring-vault
Apache License 2.0

AWS vault spring boot error making upstream request: received error code 403 from STS #885

Open sebastianreloaded opened 3 weeks ago

sebastianreloaded commented 3 weeks ago

Hello, I use vault v1.17.5 and org.springframework.vault:spring-vault-core:3.1.2

When using kv_v1 secrets I get an error after 6 hours and I don’t know why. Until the 6-hour mark the kv secrets are refreshed regularly and auth/token/renew-self and auth/aws-iam/login are called successfully every hour.

But after 6 hours I get “error making upstream request: received error code 403 from STS: The security token included in the request is expired”:

{
    "auth": {
        "policy_results": {
            "allowed": true
        },
        "token_type": "default"
    },
    "request": {
        "data": {
            "iam_http_request_method": "POST",
            "iam_request_body": "QWNwNi0xNQ==",
            "iam_request_headers": "eyJBdJdfQ==",
            "iam_request_url": "aHR0vbS8=",
            "role": "studiomiddleware-api-dev"
        },
        "id": "1bf4dec9-203d-64b7-faa7-72abdcd5316f",
        "mount_accessor": "auth_aws_ec607cf2",
        "mount_class": "auth",
        "mount_point": "auth/aws-iam/",
        "mount_running_version": "v1.17.5+builtin.vault",
        "mount_type": "aws",
        "namespace": {
            "id": "root"
        },
        "operation": "update",
        "path": "auth/aws-iam/login",
        "remote_address": "10.61.72.126",
        "remote_port": 57848
    },
    "response": {
        "data": {
            "error": "error making upstream request: received error code 403 from STS: <ErrorResponse xmlns=\"https://sts.amazonaws.com/doc/2011-06-15/\">\n  <Error>\n    <Type>Sender</Type>\n    <Code>ExpiredToken</Code>\n    <Message>The security token included in the request is expired</Message>\n  </Error>\n  <RequestId>52673536-1adc-4942-b253-7e09ed4d24aa</RequestId>\n</ErrorResponse>\n"
        },
        "mount_accessor": "auth_aws_ec607cf2",
        "mount_class": "auth",
        "mount_point": "auth/aws-iam/",
        "mount_running_plugin_version": "v1.17.5+builtin.vault",
        "mount_type": "aws"
    },
    "time": "2024-09-20T17:47:55.325205678Z",
    "type": "response"
}

This doesn’t correspond to the TTL of the “aws-iam” auth backend, which is set to 3 hours, and also not to the role’s STS 1-hour maximum TTL.

I don’t understand where this 6 hour expiration comes from. Anybody have an idea?
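What the auth/aws-iam/login call in the audit entry above actually carries, as an added example (my own Python, not Spring Vault's or Vault's code): the client SigV4-signs an sts:GetCallerIdentity request with its current AWS credentials, base64-encodes the URL, body and headers, and POSTs them to the login endpoint; Vault replays that signed request to STS, and STS is what answered 403 ExpiredToken here. The block builds that payload and adds a hypothetical pre-flight check, check_login_payload, which is not a Vault API; it separates the two ways STS rejects such a request, a stale X-Amz-Date (signature older than 15 minutes) versus an expired session token in X-Amz-Security-Token, the latter being the ExpiredToken case. The role name is taken from the log; the access key, secret, session token, server ID value and timestamps are constructed sample values.

```python
"""Build and sanity-check the payload a client POSTs to Vault's auth/aws login
endpoint (iam method). Vault does not verify the signature itself: it replays the
signed sts:GetCallerIdentity request to STS, so a session token that has expired
inside the signed headers comes back as STS 403 ExpiredToken."""
import base64
import datetime as dt
import hashlib
import hmac
import json

STS_HOST = "sts.amazonaws.com"
STS_URL = f"https://{STS_HOST}/"
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"
SIGV4_REGION = "us-east-1"                    # the global STS endpoint signs as us-east-1
SIGV4_SERVICE = "sts"
MAX_SIGNATURE_AGE = dt.timedelta(minutes=15)  # AWS rejects an X-Amz-Date further off than this


def _utc(ts):
    """Parse the ISO-8601 'Z' timestamps STS and IMDS use (e.g. the Expiration field)."""
    return dt.datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_headers(access_key, secret_key, session_token, signed_at, server_id=None):
    """SigV4-sign 'POST /' on the STS host. session_token is the STS session token
    (None for long-lived IAM user keys); server_id, if given, goes into the
    X-Vault-AWS-IAM-Server-ID header that Vault's iam_server_id_header_value checks."""
    t = _utc(signed_at)
    amz_date, date = t.strftime("%Y%m%dT%H%M%SZ"), t.strftime("%Y%m%d")
    headers = {"Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
               "Host": STS_HOST, "X-Amz-Date": amz_date}
    if session_token:
        headers["X-Amz-Security-Token"] = session_token
    if server_id:
        headers["X-Vault-AWS-IAM-Server-ID"] = server_id
    names = sorted(headers, key=str.lower)
    canonical_headers = "".join(f"{n.lower()}:{headers[n].strip()}\n" for n in names)
    signed_headers = ";".join(n.lower() for n in names)
    canonical_request = "\n".join([
        "POST", "/", "",  # method, canonical URI, empty canonical query string
        canonical_headers, signed_headers, hashlib.sha256(STS_BODY.encode()).hexdigest()])
    scope = f"{date}/{SIGV4_REGION}/{SIGV4_SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = _hmac(("AWS4" + secret_key).encode(), date)
    for part in (SIGV4_REGION, SIGV4_SERVICE, "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def build_login_payload(role, access_key, secret_key, session_token, signed_at, server_id=None):
    """JSON body for POST /v1/auth/<mount>/login. Headers are encoded as name -> [values],
    the http.Header shape the Vault CLI sends; Vault accepts plain strings too."""
    headers = sigv4_headers(access_key, secret_key, session_token, signed_at, server_id)
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return {"role": role,
            "iam_http_request_method": "POST",
            "iam_request_url": b64(STS_URL),
            "iam_request_body": b64(STS_BODY),
            "iam_request_headers": b64(json.dumps({n: [v] for n, v in headers.items()}))}


def decode_login_payload(payload):
    """Inverse of build_login_payload, flattening single-valued header lists."""
    raw = json.loads(base64.b64decode(payload["iam_request_headers"]))
    return {"method": payload["iam_http_request_method"],
            "url": base64.b64decode(payload["iam_request_url"]).decode(),
            "body": base64.b64decode(payload["iam_request_body"]).decode(),
            "headers": {n: (v[0] if isinstance(v, list) else v) for n, v in raw.items()}}


def check_login_payload(payload, credential_expiration, now):
    """Hypothetical pre-flight check (not a Vault API): list what STS would reject.
    credential_expiration is the Expiration returned with the session credentials
    (None for long-lived keys); both timestamps are ISO-8601 'Z' strings."""
    d = decode_login_payload(payload)
    h = d["headers"]
    t_now = _utc(now)
    signed_at = dt.datetime.strptime(h["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    problems = []
    if d["url"] != STS_URL or d["body"] != STS_BODY:
        problems.append("not a GetCallerIdentity request to the global STS endpoint")
    if "X-Amz-Security-Token" not in h:
        problems.append("no session token: signed with long-lived keys, not STS credentials")
    elif credential_expiration and t_now >= _utc(credential_expiration):
        problems.append("ExpiredToken: the session token in X-Amz-Security-Token expired at "
                        + credential_expiration)
    if abs(t_now - signed_at) > MAX_SIGNATURE_AGE:
        problems.append("signature timestamp more than 15 minutes from now; STS will reject it")
    return problems
```

Running check_login_payload with the Expiration that came with the credentials, just before each hourly re-login, tells you which of the two failures a 403 reflects: a fresh X-Amz-Date next to an already expired session token means the signer was still holding an old session rather than refreshed credentials, whereas a stale X-Amz-Date points at a clock or retry problem instead.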