
Vault Provider Lacks IAM Assume Role Capability #1086

Closed
jschwartzy opened this issue Jun 30, 2021 · 7 comments

@jschwartzy

jschwartzy commented Jun 30, 2021

Terraform Version

Terraform v0.14.11

Affected Resource(s)

Vault Provider Authentication

Terraform Configuration Files

We have used an external script to generate credentials from sts for the assumed role:

data "external" "aws_auth" {
  program = ["${path.cwd}/../scripts/aws_auth.sh"]

  query = {
    role_arn   = var.assume_role_arn
    aws_region = var.aws_region
  }
}

provider "vault" {
  address         = "https://vault-server"
  skip_tls_verify = false
  namespace       = "namespace"

  auth_login {
    path   = "auth/aws/login"
    method = "aws"

    parameters = {
      sts_region            = "us-east-1"
      aws_access_key_id     = data.external.aws_auth.result.AccessKeyId
      aws_secret_access_key = data.external.aws_auth.result.SecretAccessKey
      aws_security_token    = data.external.aws_auth.result.SessionToken
    }
  }
}

Debug Output

Panic Output

n/a

Expected Behavior

Vault Provider should work similarly to the AWS Provider and support assume role

Actual Behavior

Vault Provider supports credentials from ~/.aws/credentials (but not from source_profile) or explicitly passed credentials in the parameter configuration

Steps to Reproduce

  1. terraform apply

Important Factoids

References

@vinay-gopalan
Contributor

Hi @jschwartzy , thanks for submitting the issue. Would you mind sharing the output for the TF config file above? Thanks!

@emmaroberts-nbs

I'm having the same issue.

My Tf code looks like this:

provider "vault" {
  address = "https://vault.example.com/"
  token_name = "test-local"
  namespace = "aws/test"
  auth_login {
    path = "auth/aws/login"
    method = "aws"
    namespace = "aws/test"
    parameters = {
      role = "test-role"
      sts_region="us-east-1"
    }
  }
}
data "vault_generic_secret" "test" {
  path = "secrets/test"
}

I have tried running it with the following command:
AWS_PROFILE=admin terraform apply

I am getting the following error:
Error message

@vinay-gopalan
Contributor


@emmaroberts-nbs I used your TF config file and was able to assume a role and login with AWS by running terraform apply. The only time I saw the error you were seeing is when I didn't have my AWS environment variables set. Can you confirm that you have those either in your terminal or in the ~/.aws/credentials file?

export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...

@jschwartzy
Author

Thanks for following up. In our case, the Vault Provider is unable to use a source_profile. We login with an SSO role then use an assumed role for our AWS/Vault interactions.

~/.aws/config :

> cat ~/.aws/config 
[profile arn:aws:iam::111111111111:role/role-name]
role_arn = arn:aws:iam::111111111111:role/role-name
role_session_name = role-session-name
source_profile = arn:aws:iam::111111111111:role/sso_role

~/.aws/credentials:

[arn:aws:iam::111111111111:role/sso_role]
output=json
region=us-west-2
aws_access_key_id=[an-access-key]
aws_secret_access_key=[a-secret-key]
aws_session_token=[a-session-token]
session_expiration=1631590398

Terraform Config:

provider "vault" {
  address         = "https://vault-address"
  skip_tls_verify = false
  namespace       = "vault/namespace"

  auth_login {
    path   = "auth/aws/login"
    method = "aws"

    parameters = {
      sts_region = "us-east-1"
      role       = "role-name"
    }
  }
}

data "vault_generic_secret" "a_secret" {
  path = "secret/path"
}

Output:

Error: Error making API request.

URL: PUT https://vault-address
Code: 400. Errors:

* IAM Principal "arn:aws:sts::111111111111:assumed-role/sso-role/user" does not belong to the role "role-name"

In this case role-name is bound in Vault and is expected to be assumed by the sso-role. To work around this issue, we have a script that explicitly generates credentials for the assumed role-name, which are then passed to the Vault provider (as demonstrated in the first comment in this issue):

aws --region "${AWS_DEFAULT_REGION}" sts assume-role \
                                     --duration-seconds 3600 \
                                     --role-arn "${ROLE_ARN}" \
                                     --role-session-name terraform-vault-iam-auth-session \
                                     | jq '.Credentials'

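A complete program for the `external` data source used in the first comment, added here as an illustration and not code from the issue author or the Vault provider. It implements Terraform's external-program protocol (the `query` block arrives as JSON on stdin; a flat JSON object with string-only values must go to stdout) around the same `sts assume-role` call shown above. The file name `aws_auth.py`, the ARN regex and the `us-east-1` default region are assumptions.

```python
#!/usr/bin/env python3
"""Terraform 'external' data source program that assumes an IAM role via STS.

Protocol: Terraform writes the `query` block to stdin as JSON and expects a flat
JSON object whose values are all strings on stdout. Hypothetical script, not part
of the Vault provider or the issue author's repository.
"""
import json
import re
import subprocess
import sys

ROLE_ARN_RE = re.compile(r"^arn:aws(-[a-z]+)*:iam::\d{12}:role/[\w+=,.@/-]+$")
SESSION_NAME = "terraform-vault-iam-auth-session"  # same session name as the issue's script


def parse_query(raw: str) -> dict:
    """Validate the query Terraform sends; fail loudly rather than call STS with junk."""
    query = json.loads(raw)
    role_arn = query.get("role_arn", "")
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError(f"invalid role_arn: {role_arn!r}")
    return {"role_arn": role_arn, "aws_region": query.get("aws_region") or "us-east-1"}


def to_external_result(sts_response: dict) -> dict:
    """Flatten an sts assume-role response into the string-only map the provider requires."""
    creds = sts_response["Credentials"]
    return {key: str(creds[key])
            for key in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")}


def assume_role(query: dict, duration: int = 3600) -> dict:
    """Run the same sts assume-role call as the issue's script (uses the caller's SSO profile)."""
    cmd = ["aws", "--region", query["aws_region"], "sts", "assume-role",
           "--duration-seconds", str(duration), "--role-arn", query["role_arn"],
           "--role-session-name", SESSION_NAME, "--output", "json"]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


if __name__ == "__main__":
    # Only the JSON result may go to stdout; diagnostics go to stderr via sys.exit.
    try:
        print(json.dumps(to_external_result(assume_role(parse_query(sys.stdin.read())))))
    except (ValueError, KeyError, subprocess.CalledProcessError) as exc:
        sys.exit(f"aws_auth: {exc}")
```

Wire it in with `program = ["python3", "${path.module}/aws_auth.py"]` in place of the shell script; since data source results, including these temporary credentials, are written to Terraform state, keep the state backend access-controlled and the session duration short.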
@vinay-gopalan
Contributor

Hi @jschwartzy, thanks for the additional info. This issue was tracked in Vault instead of the Vault Provider for TF, and the bug was found and resolved down the ladder in the AWS util package hashicorp/go-secure-stdlib#11.

@vinay-gopalan
Contributor

Closing this issue since the fix was merged and should be released with Vault 1.9. Please feel free to open another issue if the problem persists, thanks!

@benashz
Contributor

benashz commented Oct 26, 2022

We recommend using the first-class aws login support. See #1588 (comment) for related info.
