AWS Lease length doesn't seem to work #387
Comments
@bkrodgers Marked as a bug, sorry about that! We are probably not parsing it correctly or returning the wrong lease duration internally.

It seems you are not passing it in https://github.com/hashicorp/vault/blob/master/builtin/logical/aws/secret_access_keys.go

This should be fixed in #534

Are we still unable to change lease duration of aws creds? Using 0.4.0
Am I doing something wrong?

@frodopwns This has not been fixed yet, sorry!

OK, thanks for the response!

This is blocking our migration to the S3 backend. We'd be happy to work on a patch. Would it be possible to sketch out the rough shape of a fix to help us get started? Thank you!

@emk This was fixed in 0.5!

Great! Thank you.
I still see the issue:

AWS limits the duration of STS credentials, and so if you request a duration greater than is supported by AWS, the lease will be truncated to the maximum value allowed by AWS. See the AWS documentation for the

Thank you. That was one lightning fast reply :)
@joelthompson I think I'm seeing the same issue though I've configured
Here are the configuration steps I took against Vault 0.10.2:

```
$ vault mount aws
# I would expect the sts lease to be valid for 6h
$ vault write aws/config/lease lease=6h lease_max=36h
$ vault write aws/sts/custom-role
# add key, secret from IAM user with "sts:GetFederationToken" permissions
$ vault write aws/config/root access_key=${ACCESS_KEY} secret_key=${SECRET_KEY} region=us-west-2
# get sts credentials
$ vault write aws/sts/custom-role
Key                Value
---                -----
lease_id           aws/sts/custom-role/92a17e4a-ed5f-eccd-439f-073782ed8c76
lease_duration     59m59s
lease_renewable    false
access_key         blahblah
secret_key         blahblah
security_token     blahblah
# but the lease is only valid for 1h
$ vault write sys/leases/lookup lease_id=aws/sts/custom-role/92a17e4a-ed5f-eccd-439f-073782ed8c76
Key             Value
---             -----
expire_time     2018-07-18T14:06:05.000034662-04:00
id              aws/sts/custom-role/92a17e4a-ed5f-eccd-439f-073782ed8c76
issue_time      2018-07-18T13:06:05.338942744-04:00
last_renewal    <nil>
renewable       false
ttl             3117
```

Have I configured things correctly? If you have time to reproduce that would be greatly appreciated!
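As an added example (not code from this issue or from Vault itself), a small check that parses the key/value tables the `vault` CLI prints, as in the transcript above, and flags a lease that came back shorter than the TTL configured on the mount. The sample output and the 6h expectation are taken from this comment; `slack` is an assumed tolerance for the second lost between issue and display.

```python
import re

# Constructed sample: the `vault write aws/sts/custom-role` output quoted in the issue.
SAMPLE_WRITE_OUTPUT = """\
Key                Value
---                -----
lease_id           aws/sts/custom-role/92a17e4a-ed5f-eccd-439f-073782ed8c76
lease_duration     59m59s
lease_renewable    false
"""

_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_vault_table(text: str) -> dict:
    """Parse the two-column Key/Value table printed by the vault CLI into a dict."""
    fields = {}
    for line in text.splitlines():
        parts = re.split(r"\s+", line.strip(), maxsplit=1)
        if len(parts) != 2 or parts[0] in ("Key", "---"):
            continue  # skip blank lines and the header/separator rows
        fields[parts[0]] = parts[1]
    return fields


def parse_duration(value: str) -> int:
    """Convert a Go-style duration ('59m59s', '6h') or a bare seconds count ('3117') to seconds."""
    if value.isdigit():
        return int(value)
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in re.findall(r"(\d+)([hms])", value))


def check_lease(write_output: str, expected_ttl: str, slack: int = 5) -> dict:
    """Compare the lease Vault attached to the credential with the TTL the operator expected.

    Returns the lease id, both durations in seconds, and whether the lease was
    shortened by more than `slack` seconds, which is the symptom reported above.
    """
    fields = parse_vault_table(write_output)
    actual = parse_duration(fields["lease_duration"])
    expected = parse_duration(expected_ttl)
    return {
        "lease_id": fields["lease_id"],
        "actual_seconds": actual,
        "expected_seconds": expected,
        "truncated": actual + slack < expected,
    }
```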
You specify it at fetch time: https://www.vaultproject.io/api/secret/aws/index.html#ttl

@jefferai yes I was able to confirm that strategy worked. For some context I've got 100+ nomad jobs requesting aws credentials so it would be ideal to set a default on the secret engine as to not have to explicitly add ttl to each nomad job template. I'd be happy to open another issue to explain further if that would help.

@jefferai I think this might be where the default TTL for STS federation tokens is set. Can you confirm? It would be great if we could tune this default on the mount. I'm not sure if it the current

I think I'd like to wait for #4360 to land before discussing further changes :-)

Sounds good! I'll keep an eye on it
Unless I'm misunderstanding something, I was expecting that I can increase the default lease time given to a set of IAM credentials generated with the AWS secret backend. I was expecting I could do

```
vault write aws-itsa/config/lease lease=24h lease_max=24h
```

and when I do that, I get `Success! Data written to: aws-itsa/config/lease`. However, when I do

```
vault read aws-itsa/creds/admin
```

I get a lease of 3600. If relevant, yes, I have mounted the AWS back end at a non-default path, as we have multiple AWS accounts and will eventually want to set them all up.