-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AWS IAM auth token fails to renew #2781
Comments
@joelthompson Can you take a look? |
@jefferai -- ack, will take a look. |
@shayangz, thanks for the bug report! I believe I've tracked this down to a bug which is triggered when you are using the If this is critical for you, I believe you should be able to update your role to specify the bound_iam_principal_arn to match @jefferai -- I hope to have a public PR to fix this within the next day since it's a relatively simple fix. |
Previously, the renew method would ALWAYS check to ensure the authenticated IAM principal ARN matched the bound ARN. However, there is a valid use case in which no bound_iam_principal_arn is specified and all bindings are done through inferencing. When a role is configured like this, clients won't be able to renew their token because of the check. This now checks to ensure that the bound_iam_principal_arn is not empty before requriing that it match the originally authenticated client. Fixes hashicorp#2781
Thanks, @joelthompson. Your workout solves the issue for us now. Looking forward to the fix getting released. |
Previously, the renew method would ALWAYS check to ensure the authenticated IAM principal ARN matched the bound ARN. However, there is a valid use case in which no bound_iam_principal_arn is specified and all bindings are done through inferencing. When a role is configured like this, clients won't be able to renew their token because of the check. This now checks to ensure that the bound_iam_principal_arn is not empty before requriing that it match the originally authenticated client. Fixes #2781
For auth tokens generated using aws iam auth type that have a bound iam profile instance we are not able to renew the tokens.
This is on Vault v0.7.2.
Auth role is defined as
Successful auth happens
On inspecting the token, everything looks fine
but when we attempt to renew the token
Interestingly even though the role uses
bound_iam_instance_profile_arn
, both inmeta
of the token and in the error message, the inferred role are reference.The text was updated successfully, but these errors were encountered: