
awskms unseal: Region cannot be detected from instance profile as docs describe #6016

Closed
JayH5 opened this issue Jan 9, 2019 · 1 comment

JayH5 commented Jan 9, 2019

Describe the bug
The region parameter for the awskms seal type is documented as follows:

The AWS region where the encryption key lives. May also be specified by the AWS_REGION or AWS_DEFAULT_REGION environment variable or as part of the AWS profile from the AWS CLI or instance profile.

https://www.vaultproject.io/docs/configuration/seal/awskms.html

This suggests that not configuring the AWS region is possible and Vault should detect the region from the instance profile, like it is able to do with the secret/access key. In reality, Vault (v1.0.1) does not do this and must be configured using the config parameter or an environment variable. (When I did specify the region parameter things worked).

I think Vault should be updated to use the region from the instance profile/metadata or the documentation should be changed. This seems to be the relevant code:

// Check and set region
region, regionOk := config["region"]
switch {
case os.Getenv("AWS_REGION") != "":
	k.region = os.Getenv("AWS_REGION")
case os.Getenv("AWS_DEFAULT_REGION") != "":
	k.region = os.Getenv("AWS_DEFAULT_REGION")
case regionOk && region != "":
	k.region = region
default:
	k.region = "us-east-1"
}

To Reproduce
Steps to reproduce the behavior:

  1. Set up an instance profile for an EC2 instance with an instance profile and associated role that allows access to the KMS key that will be used for auto unseal. Do this in a region that is not the default (not us-east-1).
  2. Configure the Vault server on the instance with the awskms seal type. Don't specify the region.
  3. Start Vault and observe that Vault fails to start because it uses the default region us-east-1 instead of reading the region from the instance profile.

Expected behavior
The correct AWS region should be detected from the EC2 instance profile.

Environment:

  • Vault Server Version (retrieve with vault status): 1.0.1
  • Vault CLI Version (retrieve with vault version): 1.0.1
  • Server Operating System/Architecture: Debian Linux

Vault server configuration file(s):
Relevant config JSON:

{
  "seal": {
    "awskms": {
      "kms_key_id": "<key-id>"
    }
  }
}

Additional context
Recent PR that seems somewhat related: #5974

@briankassouf briankassouf added this to the 1.0.3 milestone Jan 9, 2019
@tyrannosaurus-becks (Contributor) commented:

@JayH5 thanks for opening this issue! #5974 is close to being related to this one, but isn't, because none of the AWS credentials providers pull information regarding the region. I thought this too, but then I looked to see if the ec2 role credentials provider pulls the region, and it doesn't.

I think we're going to need to add some code parsing it from here.
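The following is an added example, not code from Vault or from either participant, showing what a region lookup that matches the documented precedence would look like: environment variables first, then the seal stanza's region parameter, then the EC2 instance identity document served by the instance metadata service, and only then the us-east-1 fallback. It uses only the Go standard library; the function names (resolveRegion, imdsRegion), the injected getenv/metadata callbacks, and the baseURL parameter are assumptions made so the logic can be exercised without an EC2 instance. The short IMDS timeout is the check a practitioner wants here, so a non-EC2 host does not hang at startup waiting on 169.254.169.254.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"os"
	"time"
)

// identityDocument holds the one field needed from the EC2 instance identity
// document served by the instance metadata service (IMDS).
type identityDocument struct {
	Region string `json:"region"`
}

// imdsRegion fetches the region from the instance identity document under
// baseURL (the real IMDS is http://169.254.169.254; the parameter is an
// assumption so the call can be pointed at a test server). A short timeout
// keeps a non-EC2 host from blocking at startup.
func imdsRegion(baseURL string) (string, error) {
	client := &http.Client{Timeout: 2 * time.Second}
	resp, err := client.Get(baseURL + "/latest/dynamic/instance-identity/document")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("imds: unexpected status %d", resp.StatusCode)
	}
	var doc identityDocument
	if err := json.NewDecoder(resp.Body).Decode(&doc); err != nil {
		return "", err
	}
	if doc.Region == "" {
		return "", fmt.Errorf("imds: identity document has no region")
	}
	return doc.Region, nil
}

// resolveRegion applies the precedence the Vault docs describe: AWS_REGION,
// then AWS_DEFAULT_REGION, then the seal stanza's region parameter, then the
// instance metadata, and only then the us-east-1 default. It returns the
// region and a label naming the source so the choice can be logged.
// getenv and metadata are injected (hypothetical design) for testability.
func resolveRegion(config map[string]string, getenv func(string) string, metadata func() (string, error)) (string, string) {
	if r := getenv("AWS_REGION"); r != "" {
		return r, "AWS_REGION"
	}
	if r := getenv("AWS_DEFAULT_REGION"); r != "" {
		return r, "AWS_DEFAULT_REGION"
	}
	if r, ok := config["region"]; ok && r != "" {
		return r, "config"
	}
	if r, err := metadata(); err == nil {
		return r, "instance-metadata"
	}
	return "us-east-1", "default"
}

func main() {
	// Seal stanza with the region deliberately omitted, as in the report above.
	cfg := map[string]string{"kms_key_id": "<key-id>"}
	region, source := resolveRegion(cfg, os.Getenv, func() (string, error) {
		return imdsRegion("http://169.254.169.254")
	})
	fmt.Printf("using region %s (from %s)\n", region, source)
}
```

Logging the source label alongside the region makes a misconfiguration visible in the startup log instead of surfacing later as a KMS call against the wrong region.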
