
AWS secrets engine no longer returns lease_duration for STS credentials #19513

Closed
kberzinch opened this issue Mar 12, 2023 · 4 comments · Fixed by #20034
Labels: bug, ecosystem, secret/aws

Comments

@kberzinch

Describe the bug

#15869 changed the aws secrets engine such that it no longer returns leases for STS credentials, which makes sense. However, it also no longer returns a lease_duration.

To Reproduce

```shell
$ vault server -dev
$ vault secrets enable aws
$ vault write aws/config/root access_key=<redacted> secret_key=<redacted> region=us-east-1
$ vault write aws/roles/my-role credential_type=assumed_role role_arns="<redacted>" max_sts_ttl=900
$ vault read aws/sts/my-role
```

Expected behavior
A lease_duration is returned with the STS credentials.

Environment:

  • Vault Server Version (retrieve with vault status): Vault v1.13.0 (a4cf0dc4437de35fce4860857b64569d092a9b5a), built 2023-03-01T14:58:13Z
  • Vault CLI Version (retrieve with vault version): Vault v1.13.0 (a4cf0dc4437de35fce4860857b64569d092a9b5a), built 2023-03-01T14:58:13Z
  • Server Operating System/Architecture: Ubuntu 22.04.2 LTS on AMD64

Vault server configuration file(s):

N/A

Additional context

The KV v1 engine returns a lease_duration without a lease_id, so there is precedent for this.

@heatherezell heatherezell added the ecosystem, bug and secret/aws labels Mar 12, 2023

@mancej

mancej commented Mar 30, 2023

This also prevents vault agent from refreshing AWS STS credentials. Since no lease duration is returned, vault agent will not refresh them. https://developer.hashicorp.com/vault/docs/agent/template#renewable-secrets

This makes Vault agent treat STS credentials as non-renewable.

@robmonte (Member)

robmonte commented Apr 4, 2023

Hi @mancej I was wondering if you could provide more info regarding this issue and how it relates to Vault agent. Do you have a setup where agent was able to renew STS secrets for you? Before the change, the secrets were marked non-renewable. The documentation you refer to explains different behavior for non-renewable leased secrets in the section below it.

@lindleywhite

lindleywhite commented Apr 5, 2023

consul-template is used to read secrets from Vault and populate them to files and then send signals to processes. This breaks the functionality of consul-template with regards to Vault secrets. If the secret is non-renewable the lease_duration instructs consul-template to wait that time before re-issuing a read to Vault. https://github.com/hashicorp/consul-template/blob/b26991a4e924c996996eaf9dc655046370dbb340/dependency/vault_read.go#L90-L94

https://github.com/hashicorp/consul-template/blob/b26991a4e924c996996eaf9dc655046370dbb340/dependency/vault_common.go#L113

If lease_duration is 0 consul-template will just continue to renew the secret.
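The scheduling behaviour lindleywhite describes, as an added example that is not consul-template's or Vault's own code: a small Go program that decodes two constructed `vault read aws/sts/my-role` responses (placeholder credential values; one carrying `lease_duration: 900`, matching the role's `max_sts_ttl=900`, one with no `lease_duration` at all, as in 1.13) and derives the re-read interval from the non-renewable secret's `lease_duration`. The `RefreshWait` and `ReadsWithin` functions and the sample JSON are assumptions for illustration; the point they show is that a missing `lease_duration` decodes as 0 and leaves the renderer with no pause between reads.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// VaultRead carries the top-level fields of a Vault read response that a
// template renderer consults when scheduling the next fetch of a secret.
type VaultRead struct {
	LeaseID       string          `json:"lease_id"`
	LeaseDuration int             `json:"lease_duration"` // seconds; 0 when absent
	Renewable     bool            `json:"renewable"`
	Data          json.RawMessage `json:"data"`
}

// Constructed sample responses for aws/sts/my-role (not captured from a real
// Vault; the credential values are placeholders). WithDuration models a
// response that still carries lease_duration=900 (the role's max_sts_ttl);
// WithoutDuration models the 1.13 behaviour from the issue: no lease and no
// lease_duration field at all, so it decodes as 0.
const WithDuration = `{
  "lease_id": "",
  "lease_duration": 900,
  "renewable": false,
  "data": {"access_key": "ASIAEXAMPLE", "secret_key": "EXAMPLE", "security_token": "EXAMPLE"}
}`

const WithoutDuration = `{
  "lease_id": "",
  "renewable": false,
  "data": {"access_key": "ASIAEXAMPLE", "secret_key": "EXAMPLE", "security_token": "EXAMPLE"}
}`

// ParseRead decodes one read response.
func ParseRead(raw string) (VaultRead, error) {
	var s VaultRead
	if err := json.Unmarshal([]byte(raw), &s); err != nil {
		return VaultRead{}, err
	}
	return s, nil
}

// RefreshWait is the interval a renderer waits before reading a
// non-renewable secret again: the secret is usable for lease_duration
// seconds, so that is when a fresh one is needed. Illustrative logic, not
// consul-template's implementation; only meaningful for non-renewable secrets.
func RefreshWait(s VaultRead) time.Duration {
	return time.Duration(s.LeaseDuration) * time.Second
}

// ReadsWithin counts how many re-reads such a loop would issue during window
// after the initial read. It returns -1 when the wait is zero, because the
// loop would then re-read without pausing and the count is unbounded; that is
// the situation the thread describes when lease_duration is missing.
func ReadsWithin(s VaultRead, window time.Duration) int {
	wait := RefreshWait(s)
	if wait <= 0 {
		return -1
	}
	return int(window / wait)
}

func main() {
	samples := map[string]string{
		"with lease_duration":    WithDuration,
		"without lease_duration": WithoutDuration,
	}
	for name, raw := range samples {
		s, err := ParseRead(raw)
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		n := ReadsWithin(s, time.Hour)
		if n < 0 {
			fmt.Printf("%s: wait=%v, re-reads per hour: unbounded\n", name, RefreshWait(s))
			continue
		}
		fmt.Printf("%s: wait=%v, re-reads per hour: %d\n", name, RefreshWait(s), n)
	}
}
```

With the 900-second response the renderer pauses 15 minutes between reads (four re-reads per hour); with the field absent the computed wait is zero, which is the behaviour to watch for on the Vault side (a burst of aws/sts reads from one client) when a client relies on lease_duration for non-renewable secrets.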

@mancej

mancej commented Apr 6, 2023

> Hi @mancej I was wondering if you could provide more info regarding this issue and how it relates to Vault agent. Do you have a setup where agent was able to renew STS secrets for you? Before the change, the secrets were marked non-renewable. The documentation you refer to explains different behavior for non-renewable leased secrets in the section below it.

I may have been a bit off on the exact cause and terminology, as I had limited time to fully investigate, but what I can say with certainty is that the 1.13 upgrade caused our sidecar containers running vault agent and configured via consul-template to stop refreshing STS credentials.

It seems likely that what lindley referenced above is the root cause of what we experienced.
