
aws-iam auth backend: Renew-self fails when bound_iam_principal_arn is a role with a path #3368

Closed
flosell opened this issue Sep 22, 2017 · 4 comments

flosell commented Sep 22, 2017

tl;dr:
When validating renew-self requests for a token from the aws-iam auth backend, vault seems to compare the canonicalArn (which is stripped of the path) against whatever was configured as bound_iam_principal_arn (which might contain the path). This seems to be at least unintuitive.

Expected Behavior:
renew-self works when a complete ARN with a path (e.g. arn:aws:iam::account-id:role/something/some-role) was configured as bound_iam_principal_arn

Actual Behavior:

```
URL: PUT https://vaulthost:8200/v1/auth/token/renew-self
Code: 500. Errors:

* 1 error occurred:
* failed to renew entry: role no longer bound to arn "arn:aws:iam::account-id:role/some-role"
```

Steps to Reproduce:

  • enable the AWS IAM Auth Backend
  • create an AWS IAM Role that contains a path (e.g. something/some-role)
  • configure a mapping from this role to a policy in vault, use the ARN including the path (arn:aws:iam::account-id:role/something/some-role), e.g.

```json
{
   "auth_type":"iam",
   "resolve_aws_unique_ids":true,
   "bound_iam_principal_arn": "arn:aws:iam::account-id:role/something/some-role",
   "policies": "some-policy",
   "max_ttl": "5m"
}
```

  • authenticate with vault using the role mentioned above
  • call renew-self
  • observe the error described above
  • change mapping by removing the path from the arn: "bound_iam_principal_arn": "arn:aws:iam::account-id:role/some-role",
  • authenticate and renew-self again, observe that all works fine.

Vault Version
Vault 0.7.3 in official Docker container

References

Workaround
Remove the path from the bound_iam_principal_arn.
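The comparison the report describes, modelled as an added Go example written for this page (it is not Vault's code; `iamArn`, `parseIAMArn`, `naiveRenewCheck` and `canonicalRenewCheck` are hypothetical names, and the ARNs use the report's `account-id` placeholder). It parses an IAM ARN while keeping its path, derives the path-stripped canonical form the report says Vault holds for the caller at renewal time, and shows why comparing that canonical form against the configured string with its path fails, while canonicalising the bound ARN first makes the renewal match. It also shows the edge case this creates: two same-named roles under different paths canonicalise to the same ARN, which is why binding on the resolved unique ID (the `resolve_aws_unique_ids` setting in the report's config) matters when paths are in use.

```go
package main

import (
	"fmt"
	"strings"
)

// iamArn is a minimal model of an IAM principal ARN of the form
// arn:<partition>:iam::<account>:<kind>/<path><name>, where <path> is
// optional and, when present, starts and ends with '/'. Hypothetical
// helper written for this example, not Vault's parser.
type iamArn struct {
	Partition string
	Account   string
	Kind      string // "role" or "user"
	Path      string // "/" when the principal has no path
	Name      string
}

// parseIAMArn splits an IAM ARN into its fields, keeping the path.
func parseIAMArn(arn string) (iamArn, error) {
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" || parts[2] != "iam" {
		return iamArn{}, fmt.Errorf("not an IAM ARN: %q", arn)
	}
	resource := parts[5] // e.g. "role/something/some-role"
	slash := strings.Index(resource, "/")
	if slash < 1 {
		return iamArn{}, fmt.Errorf("resource lacks a <kind>/<name> separator: %q", resource)
	}
	rest := resource[slash:] // "/something/some-role" or "/some-role"
	last := strings.LastIndex(rest, "/")
	name := rest[last+1:]
	if name == "" {
		return iamArn{}, fmt.Errorf("empty principal name in %q", arn)
	}
	return iamArn{
		Partition: parts[1],
		Account:   parts[4],
		Kind:      resource[:slash],
		Path:      rest[:last+1],
		Name:      name,
	}, nil
}

// Canonical returns the path-stripped form, which is what the report says
// Vault holds for the caller when renew-self is validated.
func (a iamArn) Canonical() string {
	return fmt.Sprintf("arn:%s:iam::%s:%s/%s", a.Partition, a.Account, a.Kind, a.Name)
}

// naiveRenewCheck models the failing comparison from the report: the
// configured bound_iam_principal_arn string, path included, against the
// caller's canonical (path-stripped) ARN.
func naiveRenewCheck(boundArn, callerCanonical string) bool {
	return boundArn == callerCanonical
}

// canonicalRenewCheck canonicalises the bound ARN before comparing, so a
// bound ARN configured with its path still matches the stored canonical form.
func canonicalRenewCheck(boundArn, callerCanonical string) (bool, error) {
	bound, err := parseIAMArn(boundArn)
	if err != nil {
		return false, err
	}
	return bound.Canonical() == callerCanonical, nil
}

func main() {
	// Constructed values taken from the report; "account-id" is a placeholder.
	const bound = "arn:aws:iam::account-id:role/something/some-role"
	caller, _ := parseIAMArn(bound)
	fmt.Println("caller canonical ARN:   ", caller.Canonical())
	fmt.Println("naive check passes:     ", naiveRenewCheck(bound, caller.Canonical()))
	ok, _ := canonicalRenewCheck(bound, caller.Canonical())
	fmt.Println("canonical check passes: ", ok)
	// Caveat: canonical comparison alone cannot tell two same-named roles
	// under different paths apart; unique-ID resolution closes that gap.
	sibling, _ := canonicalRenewCheck("arn:aws:iam::account-id:role/other/some-role", caller.Canonical())
	fmt.Println("sibling path also passes canonical check:", sibling)
}
```

The sibling-path case in `main` is the reason a path-stripped match should not be the only binding check for a role whose ARN carries a path: if the canonical form is what gets compared, the configured unique ID is what actually pins the token to one principal.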

@jefferai (Member)

I believe this was fixed somewhere in the 0.8.x series; can you try 0.8.3?


flosell commented Sep 22, 2017

The only issue that looked related to me was #2781, which I felt dealt with a slightly different problem.

I'll see if I can find a way to reproduce the issue on 0.8.3.


flosell commented Sep 24, 2017

Looks like this was indeed fixed in 0.8.0, sorry for the noise!

Just out of curiosity, is #3012 the fix we are talking about?

In case anyone's interested, here is a script to reproduce the bug and the fix: https://gist.github.com/flosell/f744110ab30bd16f679f8c7254c22d11

flosell closed this as completed Sep 24, 2017

@joelthompson (Contributor)

Yes, I believe that's the fix for your issue.
