Hello everyone,
TL;DR: Vault AWS auth login fails in the GovCloud region with the following error:
Error authenticating: Error making API request.
URL: PUT https://vault.test.com:8200/v1/auth/aws/login
Code: 400. Errors:
* error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<Error>
<Type>Sender</Type>
<Code>SignatureDoesNotMatch</Code>
<Message>Credential should be scoped to a valid region, not 'us-east-1'. </Message>
</Error>
<RequestId>bce7b1ee-c30a-440a-8342-412221b5e9f4</RequestId>
</ErrorResponse>
I am trying to set up Vault Agent to cache secrets in the AWS GovCloud environment, using the Vault AWS auth method. I have followed the steps in the Vault Agent caching tutorial, and it works without any issues in the commercial environment.
Here is the auth/aws/config/client config:
Key Value
--- -----
access_key n/a
endpoint n/a
iam_endpoint https://iam.us-gov.amazonaws.com
iam_server_id_header_value vault.test.com
max_retries -1
sts_endpoint https://sts.us-gov-west-1.amazonaws.com
sts_region us-gov-west-1
The role that I am using to connect:
Key Value
--- -----
allow_instance_migration false
auth_type iam
bound_account_id []
bound_ami_id []
bound_ec2_instance_id <nil>
bound_iam_instance_profile_arn []
bound_iam_principal_arn [arn:aws-us-gov:iam::12345678:role/test]
bound_iam_principal_id [redacted]
bound_iam_role_arn []
bound_region []
bound_subnet_id []
bound_vpc_id []
disallow_reauthentication false
inferred_aws_region us-gov-west-1
inferred_entity_type ec2_instance
max_ttl 800h
policies [vault-agent]
resolve_aws_unique_ids true
role_id redacted
role_tag n/a
token_bound_cidrs []
token_explicit_max_ttl 0s
token_max_ttl 800h
token_no_default_policy false
token_num_uses 0
token_period 0s
token_policies [vault-agent]
token_ttl 0s
token_type default
When I run this command:
vault login -method=aws header_value=vault.test.com role=vault-agent-iam -region=us-gov-west-1
I get the following error:
Error authenticating: Error making API request.
URL: PUT https://vault.test.com:8200/v1/auth/aws/login
Code: 400. Errors:
* error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<Error>
<Type>Sender</Type>
<Code>SignatureDoesNotMatch</Code>
<Message>Credential should be scoped to a valid region, not 'us-east-1'. </Message>
</Error>
<RequestId>bce7b1ee-c30a-440a-8342-412221b5e9f4</RequestId>
</ErrorResponse>
I have verified everywhere possible that the region has been set to us-gov-west-1. I even exported the region before running the command (export AWS_REGION=us-gov-west-1), but to no avail.
I also checked the Vault version across all servers; it is the same:
Vault v1.3.4
Is there anything else that I am missing?
Thanks,
Anant
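The region named in the STS error ("Credential should be scoped to a valid region, not 'us-east-1'") is the region inside the SigV4 credential scope of the signed GetCallerIdentity request that the client embeds in the login payload, not the region Vault is configured with. The following Python is an added example (not from this post, and not HashiCorp's code) that builds such a payload the way the IAM auth type expects it and then reports whether the scope region matches the region implied by the STS endpoint. The login field names (`iam_http_request_method`, `iam_request_url`, `iam_request_body`, `iam_request_headers`, `role`) and the `X-Vault-AWS-IAM-Server-ID` header are those of Vault's IAM login API; the access key, secret, timestamp and role name are constructed sample values, and `check_payload`/`endpoint_region` are helpers written for this example.

```python
import base64
import datetime
import hashlib
import hmac
import json
import urllib.parse

# Body of the request the client pre-signs; Vault later replays it against STS.
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"
# Fixed timestamp so the example is deterministic (constructed sample value).
SAMPLE_TIME = datetime.datetime(2020, 5, 1, 12, 0, 0)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret_key: str, date: str, region: str) -> bytes:
    # SigV4 key derivation: the region is folded into the key as well as the scope,
    # so a request scoped to the wrong region cannot be repaired by the receiver.
    k = _hmac(("AWS4" + secret_key).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, "sts")
    return _hmac(k, "aws4_request")


def build_login_payload(role, access_key, secret_key, region, sts_endpoint,
                        header_value, now=None):
    """Return the JSON body a client PUTs to auth/aws/login for auth_type=iam."""
    now = now or datetime.datetime.utcnow()
    host = urllib.parse.urlparse(sts_endpoint).netloc
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = now.strftime("%Y%m%d")
    # Header names are kept lowercase here, which is also their canonical form.
    headers = {
        "content-type": "application/x-www-form-urlencoded; charset=utf-8",
        "host": host,
        "x-amz-date": amz_date,
        "x-vault-aws-iam-server-id": header_value,
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join([
        "POST", "/", "",  # method, path, empty query string
        canonical_headers, signed_headers,
        hashlib.sha256(STS_BODY.encode()).hexdigest(),
    ])
    scope = f"{date}/{region}/sts/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    signature = hmac.new(_signing_key(secret_key, date, region),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    wire_headers = {**headers, "Authorization": authorization}
    return {
        "role": role,
        "iam_http_request_method": "POST",
        "iam_request_url": base64.b64encode(sts_endpoint.encode()).decode(),
        "iam_request_body": base64.b64encode(STS_BODY.encode()).decode(),
        "iam_request_headers": base64.b64encode(
            json.dumps({k: [v] for k, v in wire_headers.items()}).encode()).decode(),
    }


def credential_scope_region(payload):
    """Region embedded in the Credential= scope of the signed request."""
    headers = json.loads(base64.b64decode(payload["iam_request_headers"]))
    credential = headers["Authorization"][0].split("Credential=")[1].split(",")[0]
    return credential.split("/")[2]  # <access key>/<date>/<region>/sts/aws4_request


def endpoint_region(payload):
    """Region implied by the STS host; the global sts.amazonaws.com signs as us-east-1."""
    url = base64.b64decode(payload["iam_request_url"]).decode()
    parts = urllib.parse.urlparse(url).netloc.split(".")
    return parts[1] if parts[0] == "sts" and len(parts) > 3 else "us-east-1"


def check_payload(payload):
    """Compare the scope region with the endpoint region; a mismatch is what STS rejects."""
    scope, endpoint = credential_scope_region(payload), endpoint_region(payload)
    return {"scope_region": scope, "endpoint_region": endpoint,
            "consistent": scope == endpoint}


if __name__ == "__main__":
    for region in ("us-gov-west-1", "us-east-1"):
        payload = build_login_payload("vault-agent-iam", "AKIAEXAMPLE", "example-secret",
                                      region, "https://sts.us-gov-west-1.amazonaws.com",
                                      "vault.test.com", SAMPLE_TIME)
        print(region, check_payload(payload))
```

Running the block signs the same request twice against the GovCloud STS endpoint, once scoped to us-gov-west-1 and once to us-east-1; only the first is reported as consistent, which is the condition a GovCloud login has to satisfy before Vault's replay to STS can succeed. The same `check_payload` can be pointed at a real login body captured from the client to see which region it was actually scoped to.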