From my desktop, I am trying to validate that my AWS IAM role is configured correctly and can generate vault tokens.
$ vault write --address http://127.0.0.1:8200 auth/aws/role/aws-auth-role--iam-role auth_type=iam bound_iam_principal_arn=arn:aws:iam::123456789012:role/vault-iam-auth
Success! Data written to: auth/aws/role/aws-auth-role--iam-role
$ AWS_PROFILE=vault-iam-auth aws sts get-caller-identity
{
"UserId": "AROAXWVUO3XXXXXXXXXX:botocore-session-1585808549",
"Account": "123456789012",
"Arn": "arn:aws:sts::123456789012:assumed-role/vault-iam-auth/botocore-session-1585808549"
}
But to my surprise, this does NOT work:
$ AWS_PROFILE=vault-iam-auth vault login --address http://127.0.0.1:8200 -method=aws role=aws-auth-role--iam-role
Error authenticating: failed to retrieve credentials from credential chain: NoCredentialProviders: no valid providers in chain. Deprecated.
For verbose messaging see aws.Config.CredentialsChainVerboseErrors
How can I validate that my role can access vault?
I am trying to configure vault to be usable with my ECS tasks.
Note that the role attached to my ECS tasks will be trusting the ecs-tasks.amazon.com service (in the assume policy). For the role above, the assume policy is pointing to arn:…:123456789012:user/root (i.e. all users in my account).
Compared to users or roles assumed by users, the credentials used by ECS tasks are ephemeral and use not only an AWS_ACCESS_KEY_ID and an AWS_SECRET_ACCESS_KEY, but also an AWS_SESSION_TOKEN. Not sure the vault CLI is taking the AWS_SESSION_TOKEN into consideration above…