
failed to connect to the STS #11067

Closed
prassawant opened this issue Mar 9, 2021 · 15 comments

Comments

@prassawant

Describe the bug
I have installed Vault 1.6.2; despite setting up sts_endpoint, sts_region and AWS_REGION=eu-west-2 (as mentioned in the user guide and different blogs), the vault login method fails to get a token.
It throws the following error:

```
Error Authenticating: Error Making API request
URL PUT https://xxx.xx.local/v1/auth/aws/login
code: 400 Errors:

  • error making upstream request: received error code 403 from STS:
Sender SignatureDoesNotMatch Credential should be scoped to a valid region , not 'us-east-1'.
```

To Reproduce
Steps to reproduce the behavior:

  1. Run vault write ...
  2. Run vault login -method=aws header_value=iam_server_id_header_value role=myrole ....
  3. See error

Expected behavior
Should retrieve STS token

Environment:

  • Vault Server Version (retrieve with vault status): 1.6.2
  • Vault CLI Version (retrieve with vault version): 1.6.2
  • Server Operating System/Architecture: rhel 7.9

Vault server configuration file(s):

```hcl
ui = true
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault.crt"
  tls_key_file  = "/opt/vault.key"
}
storage "dynamodb" {
  ha_enabled     = "true"
  region         = "eu-west-2"
  table          = "dydb-tablename"
  read_capacity  = 10
  write_capacity = 10
}
disable_mlock = true
```

@HridoyRoy
Contributor

Hello,
You'd need to specify the region to which you are connecting. Please see https://www.vaultproject.io/docs/auth/aws for more details.
Thanks!

@prassawant
Author

Please reopen, I have tried using region but it gives the same error:

```
vault login -method=aws header_value=iam_server_id_header_value region=eu-west-2 role=myrole
```

@HridoyRoy
Contributor

HridoyRoy commented Mar 19, 2021

Reopening this issue as per @prassawant 's comment.

@prassawant what is your server side config?
Thanks!

@prassawant
Author

prassawant commented Mar 19, 2021

Thanks for reopening.
We are upgrading from v0.10.0 to 1.6.2.
Before creating the endpoint we used to have a proxy which connected directly to sts.amazonaws.com, with the command
`vault login -method=aws header_value=iam_server_id_header_value role=myrole` (no auth_type mentioned; we used iam).
I have also set AWS_REGION=eu-west-2 after reading some other blogs, but the instance is not able to authenticate with Vault.
The STS endpoint is now available for the eu-west-2 region, so we want to shut down the proxy and use this endpoint to retrieve the token.
In the log it still says returning cached client for region us-east-1 and stsRole arn:aws:iam::12345679012:role/role/role-ec2-vault-tf.
I may be missing some parameter...
Server side configuration file as below:

```hcl
ui = true
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault.crt"
  tls_key_file  = "/opt/vault.key"
}
storage "dynamodb" {
  ha_enabled     = "true"
  region         = "eu-west-2"
  table          = "dydb-tablename"
  read_capacity  = 10
  write_capacity = 10
}
disable_mlock = true
```

auth/aws/config/client:

```
access_key                   n/a
allowed_sts_header_values
endpoint                     n/a
iam_endpoint                 n/a
iam_server_id_header_value   iam_server_id_header_value
max_retries                  -1
sts_endpoint                 https://sts.eu-west-2.amazonaws.com
sts_region                   eu-west-2
```

@sriedel

sriedel commented Apr 15, 2021

@prassawant I'm currently on a similar journey and I've just got my first successful AWS authentication with vault 1.5.x.

Comparing your aws client configuration with mine the main notable difference is that I have a value set for the 'endpoint' attribute. According to https://docs.aws.amazon.com/general/latest/gr/ec2-service.html this should probably be "ec2.eu-west-2.amazonaws.com" for you.

@prassawant
Author

@sriedel that endpoint is for EC2; I am working on enabling the regional endpoint for STS.
It looks like the code written for the eu-west-2 region in default.go is not getting populated.

@prassawant
Author

I have raised the pull request (#11363)

@vishalnayak
Contributor

@prassawant I've closed the PR quoting the need to make an upstream PR for the library.

@prassawant
Author

prassawant commented Jun 9, 2021

@vishalnayak raised another one for the library.

@vishalnayak
Contributor

Great!

@heatherezell
Contributor

Since it's been a few months since there was last activity on this issue, I'll go ahead and close it now. If you have further bug reports, or more activity on this issue, please feel free to re-open it. Don't forget you can get help on our discuss forum, as well! https://discuss.hashicorp.com/c/vault/30

@cha7ri

cha7ri commented Sep 3, 2021

We have a similar issue, we want to use the vpc endpoint to connect to the regional sts endpoint sts.eu-north-1.amazonaws.com instead of sts.amazonaws.com.
We set the aws auth config as below:

```json
{
  "endpoint": "",
  "iam_endpoint": "",
  "iam_server_id_header_value": "",
  "max_retries": -1,
  "sts_endpoint": "https://sts.eu-north-1.amazonaws.com",
  "sts_region": "eu-north-1"
}
```

but when I try to login I get this error:

```xml
  <Error>
    <Type>Sender</Type>
    <Code>SignatureDoesNotMatch</Code>
    <Message>Credential should be scoped to a valid region, not 'us-east-1'. </Message>
  </Error>
  <RequestId>83ea068f-8748-41c1-b1b1-803d48dc04ec</RequestId>
</ErrorResponse>
```

@rcousens

@cha7ri Did you ever manage to resolve this? Struggling with the same. It's defaulting to us-east-1 no matter what I do.

I've tried:

  • region as parameter to vault cli login
  • AWS_REGION and AWS_DEFAULT_REGION set as environment variables for the vault server
  • sts_endpoint parameter set to another region

@mujina

mujina commented May 6, 2022

I used this in my Vault build and am successfully retrieving tokens. Don't forget to also allow the relevant outbound access in your Vault security group over HTTPS.

```
vault write auth/aws/config/client sts_endpoint=https://sts.eu-west-2.amazonaws.com sts_region=eu-west-2 endpoint=ec2.eu-west-2.amazonaws.com
```

@oberones

oberones commented Jul 26, 2022

I was having this same issue with vault 1.9.3. I have configured my client like:

```
vault write auth/aws/config/client \
  endpoint=custom-endpoint.ec2.us-west-2.vpce.amazonaws.com \
  sts_endpoint=https://custom-endpoint.sts.us-west-2.vpce.amazonaws.com \
  sts_region=us-west-2
```

I configured my role like:

```
vault write auth/aws/role/vault_server \
  inferred_aws_region=us-west-2 \
  inferred_entity_type=ec2_instance \
  ...
```

When running vault login -method=aws -token-only role=vault_server I would get:

```
* error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>SignatureDoesNotMatch</Code>
    <Message>Credential should be scoped to a valid region. </Message>
  </Error>
  <RequestId>0cff68f8-9d08-4492-8cba-8528e110a02e</RequestId>
</ErrorResponse>
```

I was able to resolve the issue by adding "region=us-west-2" to my vault login command. Notice that it doesn't have a dash.
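The 403 seen throughout this thread is a SigV4 credential-scope mismatch: the login request was signed for one region (us-east-1) but forwarded to an STS endpoint in another. The example below is added here and is not Vault's code; it builds a minimally SigV4-signed sts:GetCallerIdentity request of the kind the aws auth method sends, then checks whether the scope region matches the region implied by the STS host (access key, secret and endpoints are constructed placeholders).

```python
import datetime
import hashlib
import hmac
from urllib.parse import urlparse


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_get_caller_identity(access_key, secret_key, sts_endpoint, region, now=None):
    """Build a SigV4-signed sts:GetCallerIdentity request. 'region' goes into the
    credential scope; the host comes from sts_endpoint, so the two can disagree
    exactly as they did in this issue (constructed example, not Vault's signer)."""
    host = urlparse(sts_endpoint).netloc
    body = "Action=GetCallerIdentity&Version=2011-06-15"
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date, date_stamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    headers = {"content-type": "application/x-www-form-urlencoded; charset=utf-8",
               "host": host, "x-amz-date": amz_date}
    signed = ";".join(sorted(headers))
    canonical = "\n".join(["POST", "/", "",
                           "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
                           signed, hashlib.sha256(body.encode()).hexdigest()])
    scope = f"{date_stamp}/{region}/sts/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()  # derive the signing key through the scope parts
    for part in (date_stamp, region, "sts", "aws4_request"):
        key = _hmac(key, part)
    sig = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={sig}")
    return {"method": "POST", "url": sts_endpoint, "headers": headers, "body": body}


def scope_region(request):
    """Region the signature was scoped to, taken from the Credential= field."""
    cred = request["headers"]["authorization"].split("Credential=")[1].split(",")[0]
    return cred.split("/")[2]


def endpoint_region(sts_endpoint):
    """Region implied by the STS host (regional or VPC endpoint); sts.amazonaws.com is us-east-1."""
    labels = urlparse(sts_endpoint).netloc.split(".")
    following = labels[labels.index("sts") + 1]
    return "us-east-1" if following == "amazonaws" else following


def scope_matches_endpoint(request):
    """False is the condition STS rejects with 403 'Credential should be scoped to a valid region'."""
    return scope_region(request) == endpoint_region(request["url"])
```

Running the check over a request signed with the default us-east-1 scope but addressed to sts.eu-west-2.amazonaws.com reproduces the mismatch; passing region=eu-west-2 (the fix above) makes it pass.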
