
aws-iam auth backend: Renew-self fails when bound_iam_principal_arn is a role with a path #3368

Closed
flosell opened this issue Sep 22, 2017 · 4 comments


@flosell

flosell commented Sep 22, 2017

tl;dr:
When validating renew-self requests for a token from the aws-iam auth backend, vault seems to compare the canonicalArn (which is stripped of the path) against whatever was configured as bound_iam_principal_arn (which might contain the path). This seems to be at least unintuitive.

Expected Behavior:
renew-self works when a complete ARN with a path (e.g. arn:aws:iam::account-id:role/something/some-role) was configured as bound_iam_principal_arn

Actual Behavior:

URL: PUT https://vaulthost:8200/v1/auth/token/renew-self
Code: 500. Errors:

* 1 error occurred:
* failed to renew entry: role no longer bound to arn "arn:aws:iam::account-id:role/some-role"

Steps to Reproduce:

  • enable the AWS IAM Auth Backend
  • create an AWS IAM Role that contains a path (e.g. something/some-role)
  • configure a mapping from this role to a policy in vault, use the ARN including the path (arn:aws:iam::account-id:role/something/some-role), e.g.
{
   "auth_type":"iam",
   "resolve_aws_unique_ids":true,
   "bound_iam_principal_arn": "arn:aws:iam::account-id:role/something/some-role",
   "policies": "some-policy",
   "max_ttl": "5m"
}
  • authenticate with vault using the role mentioned above
  • call renew-self
  • observe the error described above
  • change mapping by removing the path from the arn: "bound_iam_principal_arn": "arn:aws:iam::account-id:role/some-role",
  • authenticate and renew-self again, observe that all works fine.

Vault Version
Vault 0.7.3 in official Docker container

References

Workaround
Remove the path from the bound_iam_principal_arn.
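To make the comparison described above concrete, here is a small Go example, written for this thread and not taken from Vault's code base (the names parseIAMArn, canonicalArn, naiveBoundCheck and normalizedBoundCheck are illustrative). It parses an IAM role ARN into partition, account, type, path and name, shows the path-stripped canonical form that appears in the error message, and contrasts a byte-for-byte comparison of the canonical caller ARN against the raw bound_iam_principal_arn (which fails whenever the bound value carries a path) with a comparison that canonicalises both sides. The account id 123456789012 is a constructed sample value.

```go
package main

import (
	"fmt"
	"strings"
)

// iamEntity is the parsed form of an IAM principal ARN such as
// arn:aws:iam::123456789012:role/something/some-role.
// Illustrative type for this example, not Vault's own.
type iamEntity struct {
	Partition string // "aws"
	AccountID string // "123456789012"
	Type      string // "role" or "user"
	Path      string // "/something/" ("/" when the entity has no path)
	Name      string // "some-role"
}

// parseIAMArn splits arn:<partition>:iam::<account-id>:<type>/<path...>/<name>
// into its parts. Only the iam service is accepted; sts assumed-role ARNs
// have a different resource layout and are rejected.
func parseIAMArn(arn string) (*iamEntity, error) {
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" || parts[2] != "iam" {
		return nil, fmt.Errorf("not an IAM ARN: %q", arn)
	}
	resource := parts[5]
	slash := strings.Index(resource, "/")
	if slash < 0 {
		return nil, fmt.Errorf("IAM ARN has no resource name: %q", arn)
	}
	rest := resource[slash:] // "/something/some-role" or "/some-role"
	lastSlash := strings.LastIndex(rest, "/")
	return &iamEntity{
		Partition: parts[1],
		AccountID: parts[4],
		Type:      resource[:slash],
		Path:      rest[:lastSlash+1],
		Name:      rest[lastSlash+1:],
	}, nil
}

// canonicalArn drops the path, giving the form quoted in the renew-self error:
// "role no longer bound to arn arn:aws:iam::account-id:role/some-role".
func (e *iamEntity) canonicalArn() string {
	return fmt.Sprintf("arn:%s:iam::%s:%s/%s", e.Partition, e.AccountID, e.Type, e.Name)
}

// naiveBoundCheck mirrors the behaviour reported in the issue: the caller's
// canonical (path-stripped) ARN is compared verbatim against the configured
// bound_iam_principal_arn, so a bound ARN written with its path never matches.
func naiveBoundCheck(boundArn, callerArn string) (bool, error) {
	caller, err := parseIAMArn(callerArn)
	if err != nil {
		return false, err
	}
	return caller.canonicalArn() == boundArn, nil
}

// normalizedBoundCheck parses both sides and compares their canonical forms,
// so the bound ARN may be configured with or without the role's path.
func normalizedBoundCheck(boundArn, callerArn string) (bool, error) {
	bound, err := parseIAMArn(boundArn)
	if err != nil {
		return false, err
	}
	caller, err := parseIAMArn(callerArn)
	if err != nil {
		return false, err
	}
	return bound.canonicalArn() == caller.canonicalArn(), nil
}

func main() {
	// Constructed sample: the caller authenticated as a role that has a path.
	const caller = "arn:aws:iam::123456789012:role/something/some-role"
	for _, bound := range []string{
		"arn:aws:iam::123456789012:role/something/some-role", // bound with path
		"arn:aws:iam::123456789012:role/some-role",           // bound without path
	} {
		naive, _ := naiveBoundCheck(bound, caller)
		norm, _ := normalizedBoundCheck(bound, caller)
		fmt.Printf("bound=%-52s naive=%-5v normalized=%v\n", bound, naive, norm)
	}
}
```

Running it prints one line per bound ARN: the naive check only succeeds for the path-less value (the workaround above), while the normalised check succeeds for both. An operator who wants the bound value to pin the path as well would compare the Path field in addition to the canonical ARN; this example deliberately shows the looser form because that is the comparison the error message reflects.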

@jefferai
Member

I believe this was fixed somewhere in the 0.8.x series, can you try 0.8.3?

@flosell
Author

flosell commented Sep 22, 2017

The only issue that looked related to me was #2781 that I felt dealt with a slightly different problem.

I'll see if I can find a way to reproduce the issue on 0.8.3

@flosell
Author

flosell commented Sep 24, 2017

Looks like this was indeed fixed in 0.8.0, sorry for the noise!

Just out of curiosity, is #3012 the fix we are talking about?

In case anyone's interested, here is a script to reproduce the bug and the fix: https://gist.github.com/flosell/f744110ab30bd16f679f8c7254c22d11

@flosell flosell closed this as completed Sep 24, 2017
@joelthompson
Contributor

Yes, I believe that's the fix for your issue.
