Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vault client should use AWS-SDK default credential chain when using AWS auth method in iam mode #12568

Open
reegnz opened this issue Sep 16, 2021 · 2 comments
Open

Vault client should use AWS-SDK default credential chain when using AWS auth method in iam mode #12568

reegnz opened this issue Sep 16, 2021 · 2 comments
Labels
auth/aws ecosystem

Comments

@reegnz
Copy link

reegnz commented Sep 16, 2021

Is your feature request related to a problem? Please describe.
I have tried vault with multiple credential retrieval methods that the AWS SDK natively supports, namely:

  1. ~/.aws/config with source_profile + using the AWS_PROFILE environment variable -> doesn't work
  2. using ~/.aws/config with 'credential_process' -> doesn't work
  3. looking at the code ECS container credentials would also not work

The first two I'm using in testing my aws roles, the last one is for using vault client in ECS.

Describe the solution you'd like
Instead of vault client using it's own credential chain, use to the AWS SDK default credential chain.
If the user specifies their access keys explicitly (eg. through args), only then use custom credential chain.

See https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials on what the recommended way of using the AWS SDK is.

Describe alternatives you've considered
I wrote a python script to wrap vault, so that I can utilize the default credential chain.
It looks like this (calling it vault-aws-fix:

#!/usr/bin/env python3
import os
import sys

import boto3

session = boto3.session.Session()

creds = session.get_credentials()
creds = creds.get_frozen_credentials()

os.environ["AWS_ACCESS_KEY_ID"] = creds.access_key
os.environ["AWS_SECRET_ACCESS_KEY"] = creds.secret_key
os.environ["AWS_SESSION_TOKEN"] = creds.token

os.system(" ".join(sys.argv[1:]))

and using it like this:

vault-aws-fix vault login -method=aws -role=myrole
@shivshav
Copy link

shivshav commented May 25, 2023
edited
Loading

I'm wondering if there's been any movement on this. We're trying to set up AWS auth as well for CLI usage and running into issues with our setup. We currently use method 2 outline above for talking to AWS (credential_process) and running vault login -method=aws role=<role> region=<region> just gives us the following output with no additional information.

Error authenticating: failed to retrieve credentials from credential chain: NoCredentialProviders: no valid providers in chain. Deprecated.
        For verbose messaging see aws.Config.CredentialsChainVerboseErrors

Worth noting that I can use the AWS CLI with no issues using the same setup

@jorhett
Copy link

jorhett commented Nov 15, 2023

Vault is using an ancient version of the aws-sdk. There are numerous bug fixes in recent versions, including this config parsing issue aws/aws-sdk-go#4989 which is fixed by v1.45.15.

Related to #18375

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
auth/aws ecosystem
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jorhett @reegnz @shivshav @heatherezell