Cannot get aws dynamic secret due to permission error (IAM user creation)

Hi there, I am trying to set up aws dynamic secrets with vault, but ran into the following error when getting the secret:

* Error creating IAM user: AccessDenied: User: arn:aws:iam::XXX:user/XXX is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::XXX:user/vault-root-my-role-***

It looks like vault is trying to create an IAM user, but our AWS environment doesn’t allow me to do that.

Any workaround?

Some additional information may be needed to assist. Things that will help:

  1. Commands used to create the role in Vault
  2. The IAM User/Role permissions for the Vault root account
  3. The Trust Policy settings on the target user/role
  4. What are you trying to accomplish? (i.e. do you want Vault to create a user? or do you want to have it create an STS token or something else?)

Sure, basically we are trying to generate an aws secret based on the pre-configured role.

This is the command I used to generate the role:

vault write aws/roles/my-role \
    credential_type=iam_user \
    policy_document=-<<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
EOF

which ran successfully.

And this is how I retrieved the secret and ran into errors as I mentioned above:

vault read aws/creds/my-role

The “credential_type=iam_user” in your role is telling Vault that you want to create an IAM user, which is why it is calling the CreateUser API. Vault actually supports three mechanisms for roles: AWS - Secrets Engines | Vault by HashiCorp

So you have two choices; either adjust the permissions of your root user to allow CreateUser or switch to using assumed_role or federation_token: AWS - Secrets Engines | Vault by HashiCorp
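As an added illustration of the diagnosis in the reply above (this is example code, not from the original thread or from Vault): the denied action in an AWS AccessDenied message tells you which credential_type Vault was acting for, and from the denied ARN you can derive both fixes the reply names. The script parses the error quoted in the thread (with the account id still masked as `XXX`), maps `iam:CreateUser` to `iam_user`, and emits a root-credentials policy scoped to the `vault-` user prefix rather than `*`, plus the equivalent `assumed_role` role definition. The action list `IAM_USER_ROOT_ACTIONS` is my recollection of the root-credentials policy in the Vault AWS secrets engine docs and should be checked against the current docs; `<role>` and `<target-role>` are placeholders.

```python
import json
import re

# Constructed sample: the AccessDenied text quoted in the thread, with the
# account id and user name left masked exactly as in the post.
SAMPLE_ERROR = (
    "Error creating IAM user: AccessDenied: User: arn:aws:iam::XXX:user/XXX "
    "is not authorized to perform: iam:CreateUser on resource: "
    "arn:aws:iam::XXX:user/vault-root-my-role-***"
)

# AWS phrases every AccessDenied the same way: who was denied, which action,
# and (usually) on which resource. The resource clause is optional because
# some STS calls report none.
_DENIED_RE = re.compile(
    r"User:\s+(?P<principal>arn:aws:\S+)"
    r"\s+is not authorized to perform:\s+(?P<action>[A-Za-z0-9-]+:\w+)"
    r"(?:\s+on resource:\s+(?P<resource>\S+))?"
)

# The denied action tells you which credential_type Vault was acting for:
# only iam_user ever calls iam:CreateUser, which is the thread's diagnosis.
_ACTION_TO_CREDENTIAL_TYPE = {
    "iam:createuser": "iam_user",
    "sts:assumerole": "assumed_role",
    "sts:getfederationtoken": "federation_token",
}

# Actions the Vault root credentials need for credential_type=iam_user.
# Assumption: reproduced from memory from the root-credentials policy in the
# Vault AWS secrets engine docs; verify against the current docs page.
IAM_USER_ROOT_ACTIONS = [
    "iam:AttachUserPolicy", "iam:CreateAccessKey", "iam:CreateUser",
    "iam:DeleteAccessKey", "iam:DeleteUser", "iam:DeleteUserPolicy",
    "iam:DetachUserPolicy", "iam:GetUser", "iam:ListAccessKeys",
    "iam:ListAttachedUserPolicies", "iam:ListGroupsForUser",
    "iam:ListUserPolicies", "iam:PutUserPolicy", "iam:AddUserToGroup",
    "iam:RemoveUserFromGroup", "iam:TagUser",
]


def parse_access_denied(message):
    """Return principal/action/resource from an AWS AccessDenied, or None."""
    m = _DENIED_RE.search(message)
    return m.groupdict() if m else None


def account_id_from_arn(arn):
    """The account id is the fifth colon-separated field of an ARN."""
    parts = arn.split(":", 5)
    return parts[4] if len(parts) == 6 else None


def root_policy_for_iam_user(account_id, user_prefix="vault-"):
    """Least-privilege policy for the Vault root credentials with iam_user:
    only the actions Vault needs, only on the users Vault itself names.
    Vault prefixes generated users with 'vault-', as the denied ARN shows,
    so the Resource is scoped to that prefix instead of '*'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(IAM_USER_ROOT_ACTIONS),
            "Resource": f"arn:aws:iam::{account_id}:user/{user_prefix}*",
        }],
    }


def diagnose(message):
    """Map the error to the credential_type that caused it and the two fixes
    the thread names: grant the missing permission, or change the type."""
    parsed = parse_access_denied(message)
    if parsed is None:
        return None
    action = parsed["action"]
    cred_type = _ACTION_TO_CREDENTIAL_TYPE.get(action.lower(), "unknown")
    account = account_id_from_arn(parsed["resource"] or parsed["principal"])
    result = {"action": action, "credential_type": cred_type,
              "account_id": account, "fixes": {}}
    if cred_type == "iam_user":
        result["fixes"]["grant"] = root_policy_for_iam_user(account)
        # <target-role> is a placeholder: the real role's trust policy must
        # trust the Vault principal, which the iam_user type never needed.
        result["fixes"]["switch"] = (
            f"vault write aws/roles/<role> credential_type=assumed_role "
            f"role_arns=arn:aws:iam::{account}:role/<target-role>"
        )
    return result


if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_ERROR), indent=2))
```

Whichever fix you pick, the Resource scoping is the part worth keeping: granting `iam:CreateUser` on `*` lets a compromised Vault root credential create arbitrary users, while `user/vault-*` limits it to the names Vault generates.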

