-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
awskms unseal: UnrecognizedClientException: The security token included in the request is invalid. #5965
Comments
We actually use AWS SDK's credential chain with the default credential chain, in this order: Static creds This matches the order via the official SDK's default chain, with the exception of static creds being on top. My guess is that by configuring static creds, you are causing the credential chain to bail after it finds those as being valid, so it never actually looks at the env vars. |
vault/vault/seal/awskms/awskms.go Line 103 in e883087
Similarly, vault/vault/seal/awskms/awskms.go Line 279 in e883087
vault/physical/dynamodb/dynamodb.go Line 166 in f85efad
|
It'd be useful if you can test if it works if you remove those lines reading the env from awskms.go. That way we can know whether we need to add checking AWS_SESSION_TOKEN, like the dynamodb code does, or whether we should actually be stripping all of them out entirely in favor of only using what the SDK provides. |
It looks like stripping the custom aws auth logic is the right answer. Commenting out the following two lines worked: vault/vault/seal/awskms/awskms.go Lines 282 to 283 in e883087
I then unset my AWS_SESSION_TOKEN env variable and tried again, and received the expected UnrecognizedClientException error. (I tested this off of master) |
Let AWS SDK env cred chain provider do it for us Fixes #5965
Any chance I can have you test out #5974? |
@jefferai It failed to build until I commented out vault/vault/seal/awskms/awskms.go Lines 103 to 112 in 22558c3
After that modification it successfully unsealed w/the 3 ENV variables.
|
You don't need to comment on two issues :-) It's already fixed via the other one. |
Let AWS SDK env cred chain provider do it for us Fixes #5965
* Don't read AWS env vars Let AWS SDK env cred chain provider do it for us Fixes #5965
Describe the bug
Vault does not consume the AWS_SESSION_TOKEN environmental variable used to pass credentials to the awskms autounseal logic.
When using temporary AWS credentials provided in the environment to perform awskms unsealing, Vault fails with:
https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html describes the three variables that may need to be consumed:
vault/vault/seal/awskms/awskms.go
Line 103 in e883087
I'm able to utilize the awscli with the same set of variables so I am confident my credentials are correctly set.
Expected behavior
Temporary credentials may be passed in via the environment. This is useful when testing Vault on a desktop and using federated SAML-based logins to AWS.
Environment:
Vault v1.0.0 ('c19cef14891751a23eaa9b41fd456d1f99e7e856')
Darwin xxx 17.7.0 Darwin Kernel Version 17.7.0: Thu Jun 21 22:53:14 PDT 2018; root:xnu-4570.71.2~1/RELEASE_X86_64 x86_64
Variables:
Vault server configuration file(s):
The text was updated successfully, but these errors were encountered: