Greetings,
We are invoking vault login ... -method aws role=platform-infrastructure-deployer
within our build pipeline. Below is that Vault role:
$ vault read auth/aws/role/platform-infrastructure-deployer
Key Value
--- -----
allow_instance_migration false
auth_type iam
bound_account_id []
bound_ami_id []
bound_ec2_instance_id <nil>
bound_iam_instance_profile_arn []
bound_iam_principal_arn [arn:aws:sts::<REDACTED>:assumed-role/platform-infrastructure-deploy/buildkite-job-*]
bound_iam_principal_id []
bound_iam_role_arn []
bound_region []
bound_subnet_id []
bound_vpc_id []
disallow_reauthentication false
inferred_aws_region n/a
inferred_entity_type n/a
resolve_aws_unique_ids true
role_id <REDACTED>
role_tag n/a
token_bound_cidrs []
token_explicit_max_ttl 1h
token_max_ttl 0s
token_no_default_policy false
token_num_uses 0
token_period 0s
token_policies [allow-buildkite-read-platform-infrastructure-deployment-secrets-development]
token_ttl 0s
token_type default
At that point the build pipeline has this AWS STS identity:
{ "Account": "<REDACTED>", "UserId": "<REDACTED>:buildkite-job-<REDACTED>", "Arn": "arn:aws:sts::<REDACTED>:assumed-role/platform-infrastructure-deploy/buildkite-job-<REDACTED>" }
However it gets the below error from Vault during login:
Code: 400. Errors:
* IAM Principal "arn:aws:sts::<REDACTED>:assumed-role/platform-infrastructure-deploy/buildkite-job-<REDACTED>" does not belong to the role "platform-infrastructure-deployer"
Maybe this would work using the request-signer script but I don’t want to resort to that if possible and keep using vault-cli for generating the signed request.
Is there a way to make assumed STS role principals work in AWS auth using the vault-cli?
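An added example for diagnosing this kind of binding mismatch; it is not code from the thread or from Vault itself. It models principal matching the way an AWS-auth style check works when an STS assumed-role ARN is reduced to the underlying IAM role ARN before being compared against a bound ARN with a trailing wildcard. That canonicalization step is an assumption about the auth method's behavior, and the account id and session name are constructed values.

```python
import re
from typing import List, Optional

# Constructed sample identity (not the poster's real account or session id),
# shaped like the output of `aws sts get-caller-identity`.
STS_IDENTITY = {
    "Account": "111122223333",
    "UserId": "AROAEXAMPLEID:buildkite-job-42",
    "Arn": "arn:aws:sts::111122223333:assumed-role/platform-infrastructure-deploy/buildkite-job-42",
}

# Candidate bindings: the sts form from the question and the IAM role form.
BOUND_STS_FORM = "arn:aws:sts::111122223333:assumed-role/platform-infrastructure-deploy/buildkite-job-*"
BOUND_IAM_ROLE = "arn:aws:iam::111122223333:role/platform-infrastructure-deploy"

_ASSUMED_ROLE = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/]+)/(?P<session>.+)$"
)


def canonicalize(arn: str) -> str:
    """Reduce an STS assumed-role ARN to the IAM role it was assumed from.

    Assumption: the auth method compares the canonical IAM role ARN, not the
    per-session sts ARN. Plain user/role ARNs are returned unchanged.
    """
    m = _ASSUMED_ROLE.match(arn)
    if not m:
        return arn
    return f"arn:aws:iam::{m['account']}:role/{m['role']}"


def matches_bound(principal_arn: str, bound: str) -> bool:
    """Trailing '*' matches any suffix; otherwise the match must be exact."""
    canonical = canonicalize(principal_arn)
    if bound.endswith("*"):
        return canonical.startswith(bound[:-1])
    return canonical == bound


def first_match(principal_arn: str, bound_list: List[str]) -> Optional[str]:
    """Return the first bound ARN the caller would satisfy, or None."""
    for bound in bound_list:
        if matches_bound(principal_arn, bound):
            return bound
    return None


if __name__ == "__main__":
    for bound in (BOUND_STS_FORM, BOUND_IAM_ROLE):
        print(f"{bound!r}: {matches_bound(STS_IDENTITY['Arn'], bound)}")
```

Under this model the session-name wildcard never matches because the session name is dropped before comparison, while binding to the IAM role ARN (or an account-level `arn:aws:iam::<account>:*` prefix) does.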