Cannot get aws dynamic secret due to permission error (IAM user creation)

Hi there, I am trying to set up aws dynamic secrets with vault, but ran into the following error when getting the secret:

* Error creating IAM user: AccessDenied: User: arn:aws:iam::XXX:user/XXX is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::XXX:user/vault-root-my-role-***

It looks like vault is trying to create an IAM user, but our AWS environment doesn’t allow me doing that.

Any workaround?

Some additional information may be needed to assist. Things that will help:

  1. Commands used to create the role in Vault
  2. The IAM User/Role permissions for the Vault root account
  3. The Trust Policy settings on the target user/role
  4. What are you trying to accomplish? (i.e. do you want Vault to create a user? or do you want to have it create an STS token or something else?)

Sure, basically we are trying to generate an aws secrete based on the pre-configured role.

This is the command I used to generate the role:

vault write aws/roles/my-role \
    credential_type=iam_user \
    policy_document=-<<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
EOF

which ran successfully.

And this is how I retrieved the secret and ran into errors as I mentioned above:

vault read aws/creds/my-role

The “credential_type=iam_user” in your role is telling Vault that you want to create an IAM user, which is why it is calling the CreateUser API. Vault actually supports three mechanisms for roles: AWS - Secrets Engines | Vault by HashiCorp

So you have two choices; either adjust the permissions of your root user to allow CreateUser or switch to using assumed_role or federation_token: AWS - Secrets Engines | Vault by HashiCorp

1 Like

Hello @stuart-c ,

I have created an aws/config/root credential by following this doc:

I used the Permissions Boundary example as mentioned in the above doc to give permissions to vault user. Then I ran the following command:

$ vault write aws/roles/my-role
policy_arns=arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
credential_type=iam_user

Now I am trying to run the following command to generate an IAM user, but getting an error:

$ vault read aws/creds/my-role
Error reading aws/creds/my-role: Error making API request.
URL: GET http://127.0.0.1:8200/v1/aws/creds/my-role
Code: 400. Errors:
Error creating IAM user: AccessDenied: User: arn:aws:sts::xxxx:assumed-role/xxxx is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::xxxx:user/vault-root-my-role-1663860014-xxxx because no identity-based policy allows the iam:CreateUser action
status code: 403

One point to add, if I remove the condition from the IAM policy (mentioned in above doc), then it works perfectly.

  "Condition": {
    "StringEquals": {
      "iam:PermissionsBoundary": [
        "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:policy/PolicyName"
      ]
    }
  }

What do you suppose could be the issue with permissions boundary?