
AWS IAM auth token fails to renew #2781

Closed
shayangz opened this issue May 30, 2017 · 4 comments
Comments

@shayangz

For auth tokens generated using aws iam auth type that have a bound iam profile instance we are not able to renew the tokens.

This is on Vault v0.7.2.

Auth role is defined as

$vault write auth/aws/role/iam-role auth_type=iam inferred_entity_type=ec2_instance inferred_aws_region=<region> bound_iam_instance_profile_arn=arn:aws:iam::<account-id>:instance-profile/<path> policies=dev bound_vpc_id=<vpc-id> max_ttl=24h

Successful auth happens

$vault auth -method=aws header_value=<header> role=iam-role

On inspecting the token, everything looks fine

$vault token-lookup
Key             	Value
---             	-----
accessor        	<guid>
creation_time   	1495943033
creation_ttl    	86400
display_name    	<display-name>
expire_time     	2017-05-29T03:43:53.150967985Z
explicit_max_ttl	0
id              	<guid>
issue_time      	2017-05-28T03:43:53.15096762Z
meta            	map[inferred_entity_type:ec2_instance account_id:<account-id> auth_type:iam canonical_arn:arn:aws:iam::<account-id>:role/<inferred-role> client_arn:arn:aws:sts::<account-id>:assumed-role/<inferred-role>/<instance-id> inferred_aws_region:<region> inferred_entity_id:<instance-id>]
num_uses        	0
orphan          	true
path            	auth/aws/#
policies        	[default dev]
renewable       	true
ttl             	86220

but when we attempt to renew the token

$vault token-renew
Error renewing token: Error making API request.

URL: PUT http://<vault-server-fqdn>:8200/v1/auth/token/renew-self
Code: 500. Errors:

* 1 error occurred:

* failed to renew entry: role no longer bound to arn "arn:aws:iam::<account-id>:role/<inferred-role>"

Interestingly, even though the role uses bound_iam_instance_profile_arn, both in the token's meta and in the error message the inferred role is referenced.

@jefferai
Member

jefferai commented Jun 3, 2017

@joelthompson Can you take a look?

@jefferai jefferai added this to the 0.7.3 milestone Jun 3, 2017
@joelthompson
Contributor

@jefferai -- ack, will take a look.

@joelthompson
Contributor

@shayangz, thanks for the bug report! I believe I've tracked this down to a bug which is triggered when you are using the iam auth type, inferring ec2_instance, and NOT specifying any bound_iam_principal_arn.

If this is critical for you, I believe you should be able to update your role to specify the bound_iam_principal_arn to match arn:aws:iam::<account-id>:role/<inferred-role>. I don't believe this will cause any security issues as you're experiencing a "fail closed" bug in ensuring that the bound_iam_principal_arn doesn't change -- I was being overly aggressive in ensuring it didn't change by breaking the use case where it was never set at all (and only relied on inferred bindings).

@jefferai -- I hope to have a public PR to fix this within the next day since it's a relatively simple fix.

joelthompson added a commit to joelthompson/vault that referenced this issue Jun 6, 2017
Previously, the renew method would ALWAYS check to ensure the
authenticated IAM principal ARN matched the bound ARN.  However, there
is a valid use case in which no bound_iam_principal_arn is specified and
all bindings are done through inferencing. When a role is configured
like this, clients won't be able to renew their token because of the
check.

This now checks to ensure that the bound_iam_principal_arn is not empty
before requiring that it match the originally authenticated client.

Fixes hashicorp#2781
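To make the fail-closed bug from joelthompson's comment and the fix from the commit message concrete, here is an added illustration in Go (example code written for this page, not Vault's own renew path or its types). It assumes a hypothetical Role/TokenMeta pair mirroring the role options and token meta shown above, and an injected lookup function standing in for an EC2 instance query; the exact way Vault re-validates inferred bindings is not shown on this page, so checkInferred is an assumption about that step.

```go
package main

import (
	"errors"
	"fmt"
)

// Role models the subset of an AWS auth role that matters at renewal time.
// Hypothetical type for this example, not Vault's own.
type Role struct {
	Name                       string
	BoundIAMPrincipalARN       string // empty when the role relies only on inferred bindings
	InferredEntityType         string // "ec2_instance" or ""
	BoundIAMInstanceProfileARN string
}

// TokenMeta models the metadata recorded on the token at login
// (compare the meta field in the token-lookup output). Hypothetical type.
type TokenMeta struct {
	CanonicalARN       string
	InferredEntityType string
	InferredEntityID   string
}

// InstanceInfo is what an inferred-binding re-check needs about an instance.
// Hypothetical; a real implementation would obtain it from EC2.
type InstanceInfo struct {
	InstanceProfileARN string
}

var (
	ErrRoleUnbound      = errors.New("role no longer bound to arn")
	ErrInstanceMismatch = errors.New("inferred instance no longer satisfies role bindings")
)

// checkPrincipalBuggy reproduces the fail-closed behaviour reported in the issue:
// the canonical ARN is compared against bound_iam_principal_arn unconditionally,
// so a role that never set it (empty string) can never renew.
func checkPrincipalBuggy(role Role, meta TokenMeta) error {
	if meta.CanonicalARN != role.BoundIAMPrincipalARN {
		return fmt.Errorf("%w %q", ErrRoleUnbound, meta.CanonicalARN)
	}
	return nil
}

// checkPrincipalFixed applies the change from the commit message: the match is
// only required when the role actually has a bound principal.
func checkPrincipalFixed(role Role, meta TokenMeta) error {
	if role.BoundIAMPrincipalARN != "" && meta.CanonicalARN != role.BoundIAMPrincipalARN {
		return fmt.Errorf("%w %q", ErrRoleUnbound, meta.CanonicalARN)
	}
	return nil
}

// checkInferred re-validates the inferred ec2_instance binding (assumed step):
// the instance the token was issued for must still exist and still carry the
// bound instance profile. This is what keeps the fix from loosening a role that
// has no bound_iam_principal_arn. lookup stands in for an EC2 query.
func checkInferred(role Role, meta TokenMeta, lookup func(id string) (InstanceInfo, bool)) error {
	if role.InferredEntityType != "ec2_instance" {
		return nil
	}
	info, ok := lookup(meta.InferredEntityID)
	if !ok {
		return fmt.Errorf("%w: instance %q not found", ErrInstanceMismatch, meta.InferredEntityID)
	}
	if role.BoundIAMInstanceProfileARN != "" && info.InstanceProfileARN != role.BoundIAMInstanceProfileARN {
		return fmt.Errorf("%w: instance profile %q", ErrInstanceMismatch, info.InstanceProfileARN)
	}
	return nil
}

// RenewFixed is the renewal decision with the fix applied: principal binding
// (only if set) plus the inferred-binding re-check.
func RenewFixed(role Role, meta TokenMeta, lookup func(id string) (InstanceInfo, bool)) error {
	if err := checkPrincipalFixed(role, meta); err != nil {
		return err
	}
	return checkInferred(role, meta, lookup)
}

func main() {
	// Constructed sample matching the issue: iam auth, inferred ec2_instance,
	// bound instance profile, no bound_iam_principal_arn. ARNs are placeholders.
	role := Role{
		Name:                       "iam-role",
		InferredEntityType:         "ec2_instance",
		BoundIAMInstanceProfileARN: "arn:aws:iam::123456789012:instance-profile/example-path",
	}
	meta := TokenMeta{
		CanonicalARN:       "arn:aws:iam::123456789012:role/example-inferred-role",
		InferredEntityType: "ec2_instance",
		InferredEntityID:   "i-0123456789abcdef0",
	}
	lookup := func(id string) (InstanceInfo, bool) {
		return InstanceInfo{InstanceProfileARN: role.BoundIAMInstanceProfileARN}, id == meta.InferredEntityID
	}
	fmt.Println("buggy:", checkPrincipalBuggy(role, meta)) // rejects renewal although nothing changed
	fmt.Println("fixed:", RenewFixed(role, meta, lookup))   // renewal allowed
}
```

The buggy check rejects the token even though the role and instance are unchanged, which is exactly the "role no longer bound to arn" error in the report; the fixed check skips the principal comparison only when no principal was ever bound, while a changed or missing instance, or a set-but-mismatched principal, still fails closed.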
@shayangz
Author

shayangz commented Jun 7, 2017

Thanks, @joelthompson. Your workaround solves the issue for us now. Looking forward to the fix getting released.

jefferai pushed a commit that referenced this issue Jun 7, 2017
Previously, the renew method would ALWAYS check to ensure the
authenticated IAM principal ARN matched the bound ARN.  However, there
is a valid use case in which no bound_iam_principal_arn is specified and
all bindings are done through inferencing. When a role is configured
like this, clients won't be able to renew their token because of the
check.

This now checks to ensure that the bound_iam_principal_arn is not empty
before requiring that it match the originally authenticated client.

Fixes #2781