Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AWS Lease length doesn't seem to work #387

Closed
bkrodgers opened this issue Jul 2, 2015 · 19 comments
Closed

AWS Lease length doesn't seem to work #387

bkrodgers opened this issue Jul 2, 2015 · 19 comments

Comments

@bkrodgers
Copy link
Contributor

Unless I'm misunderstanding something, I was expecting that I can increase the default lease time given to a set of IAM credentials generated with the AWS secret backend. I was expecting I could do vault write aws-itsa/config/lease lease=24h lease_max=24h, and when I do that, I get Success! Data written to: aws-itsa/config/lease.

However, when I do vault read aws-itsa/creds/admin, I get a lease of 3600.

If relevant, yes, I have mounted the AWS back end at a non-default path, as we have multiple AWS accounts and will eventually want to set them all up.

@armon armon added the bug label Jul 22, 2015
@armon
Copy link
Member

armon commented Jul 22, 2015

@bkrodgers Marked as a bug, sorry about that! We are probably not parsing it correctly or returning the wrong lease duration internally.

@denissb
Copy link

denissb commented Aug 13, 2015

@ctennis
Copy link
Contributor

ctennis commented Aug 13, 2015

This should be fixed in #534

@frodopwns
Copy link

Are we still unable to change lease duration of aws creds?

Using 0.4.0

/ # vault write aws/config/lease lease=2h lease_max=2h
Success! Data written to: aws/config/lease
/ # vault read aws/creds/s3deploy
Key             Value
lease_id        aws/creds/s3deploy/stuff-asfsadf-6d0a-4ade-asdfsdfdsfd
lease_duration  3600
lease_renewable true
access_key      SOMEIDASDFASFASF
secret_key      SOMEKEYASDFASGASDFASDFSADFSD
/ # vault read aws/config/lease
Key         Value
lease       2h0m0s
lease_max   2h0m0s

Am I doing something wrong?

@jefferai
Copy link
Member

@frodopwns This has not been fixed yet, sorry!

@frodopwns
Copy link

OK, thanks for the response!

@emk
Copy link
Contributor

emk commented Feb 29, 2016

This is blocking our migration to the S3 backend. We'd be happy to work on a patch. Would it be possible to sketch out the rough shape of a fix to help us get started? Thank you!

@jefferai
Copy link
Member

@emk This was fixed in 0.5!

@emk
Copy link
Contributor

emk commented Mar 5, 2016

Great! Thank you.

@horalstvo
Copy link

horalstvo commented Apr 18, 2018

I still see the issue:

$ vault write aws/config/lease lease=720h lease_max=7200h
Success! Data written to: aws/config/lease

$ vault read aws/sts/myrole                                     
 Key                Value
---                -----
lease_id           aws/sts/myrole/id
lease_duration     59m59s

@joelthompson
Copy link
Contributor

AWS limits the duration of STS credentials, and so if you request a duration greater than is supported by AWS, the lease will be truncated to the maximum value allowed by AWS. See the AWS documentation for the DurationSeconds parameter in AssumeRole or GetFederationToken depending on whether you're fetching assumed-role credentials or federation token credentials, for more information about the limits AWS places on the credential length duration. The default cap for assume-role credentials is 1 hour (AWS recently allowed you to up that to 12 hours), so it looks like that's what you're running in to.

@horalstvo
Copy link

Thank you. That was one lightning fast reply :)

@Xopherus
Copy link

Xopherus commented Jul 18, 2018

@joelthompson I think I'm seeing the same issue though I've configured lease and lease_max to be below the 36h threshold for GetFederationToken. It seems as though sts always defaults to 1h even if you change the mount's lease to be something else.

Here's the configuration steps I took against Vault 0.10.2:

$ vault mount aws

# I would expect the sts lease to be valid for 6h
$ vault write aws/config/lease lease=6h lease_max=36h
$ vault write aws/sts/custom-role

# add key, secret from IAM user with "sts:GetFederationToken" permissions
$ vault write aws/config/root access_key=${ACCESS_KEY} secret_key=${SECRET_KEY} region=us-west-2

# get sts credentials
$ vault write aws/sts/custom-role
Key                Value
---                -----
lease_id                aws/sts/custom-role/92a17e4a-ed5f-eccd-439f-073782ed8c76
lease_duration     59m59s
lease_renewable  false
access_key          blahblah
secret_key           blahblah
security_token     blahblah

# but the lease is only valid for 1h
$ vault write sys/leases/lookup lease_id=aws/sts/custom-role/92a17e4a-ed5f-eccd-439f-073782ed8c76
Key             Value
---             -----
expire_time    2018-07-18T14:06:05.000034662-04:00
id                     aws/sts/custom-role/92a17e4a-ed5f-eccd-439f-073782ed8c76
issue_time      2018-07-18T13:06:05.338942744-04:00
last_renewal    <nil>
renewable       false
ttl                     3117

Have I configured things correctly? If you have time to reproduce that would be greatly appreciated!

@jefferai
Copy link
Member

You specify it at fetch time: https://www.vaultproject.io/api/secret/aws/index.html#ttl

@Xopherus
Copy link

@jefferai yes I was able to confirm that strategy worked. For some context I've got 100+ nomad jobs requesting aws credentials so it would be ideal to set a default on the secret engine as to not have to explicitly add ttl to each nomad job template. I'd be happy to open another issue to explain further if that would help.

@Xopherus
Copy link

@jefferai I think this might be where the default TTL for STS federation tokens is set. Can you confirm?

It would be great if we could tune this default on the mount. I'm not sure if it the current lease and lease_max parameters should apply both for IAM and STS though, given that IAM has much longer TTLs allowed by Amazon. What do you think?

@jefferai
Copy link
Member

I think I'd like to wait for #4360 to land before discussing further changes :-)

@Xopherus
Copy link

Sounds good! I'll keep an eye on it

@joelthompson
Copy link
Contributor

Hey @Xopherus -- I put a WIP PR at #5138, would love your feedback on the approach.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

10 participants