AWS IAM auth method and Elastic Beanstalk

I am in the process of standing up and configuring an HCP curated Vault that peers with an AWS VPC. This is working fine.

The end goal is to have Elastic Beanstalk environments be able to perform a vault token request that will complete via AWS auth, and then use that to load secrets into the app.

I’ve gotten as far as having setup the HCP Vault AWS IAM auth config and attempting to test using the vault CLI in an ec2 instance created by a test Elastic Beanstalk environment. When I attempt to perform a vault login like this:

vault login -method=aws role=vault-role-for-aws-ec2role

It errors out with:

* IAM Principal "arn:aws:sts::<accountid>:assumed-role/aws-elasticbeanstalk-ec2-role/<ec2 instance id>" does not belong to the role "vault-role-for-aws-ec2role"

Note that this is sts and that it’s an assumed-role that Elastic Beanstalk has taken on, as it is configured to do.

For the vault role vault-role-for-aws-ec2role, I have configured the following:

bound_iam_principal_arn           [arn:aws:sts::<accountid>:*]

Another variation ARN I have attempted:


And seeing the same error when attempting the vault login. I haven’t found any documentation on the hashicorp site that specifically discusses the spin that Elastic Beanstalk puts on this. Any pointers?

  • Colby