Cannot get aws dynamic secret due to permission error (IAM user creation)

hailiangzhang · February 7, 2022, 7:43pm

Hi there, I am trying to set up aws dynamic secrets with vault, but ran into the following error when getting the secret:

* Error creating IAM user: AccessDenied: User: arn:aws:iam::XXX:user/XXX is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::XXX:user/vault-root-my-role-***

It looks like vault is trying to create an IAM user, but our AWS environment doesn’t allow me doing that.

Any workaround?

jeffsanicola · February 7, 2022, 9:26pm

Some additional information may be needed to assist. Things that will help:

Commands used to create the role in Vault
The IAM User/Role permissions for the Vault root account
The Trust Policy settings on the target user/role
What are you trying to accomplish? (i.e. do you want Vault to create a user? or do you want to have it create an STS token or something else?)

hailiangzhang · February 7, 2022, 9:52pm

Sure, basically we are trying to generate an aws secrete based on the pre-configured role.

This is the command I used to generate the role:

vault write aws/roles/my-role \
    credential_type=iam_user \
    policy_document=-<<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
EOF

which ran successfully.

And this is how I retrieved the secret and ran into errors as I mentioned above:

vault read aws/creds/my-role

stuart-c · February 7, 2022, 11:15pm

The “credential_type=iam_user” in your role is telling Vault that you want to create an IAM user, which is why it is calling the CreateUser API. Vault actually supports three mechanisms for roles: AWS - Secrets Engines | Vault by HashiCorp

So you have two choices; either adjust the permissions of your root user to allow CreateUser or switch to using assumed_role or federation_token: AWS - Secrets Engines | Vault by HashiCorp

qmixqssbokmirbnbpw · September 22, 2022, 3:37pm

Hello @stuart-c ,

I have created an aws/config/root credential by following this doc:

I used the Permissions Boundary example as mentioned in the above doc to give permissions to vault user. Then I ran the following command:

$ vault write aws/roles/my-role
policy_arns=arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
credential_type=iam_user

Now I am trying to run the following command to generate an IAM user, but getting an error:

$ vault read aws/creds/my-role
Error reading aws/creds/my-role: Error making API request.
URL: GET http://127.0.0.1:8200/v1/aws/creds/my-role
Code: 400. Errors:
Error creating IAM user: AccessDenied: User: arn:aws:sts::xxxx:assumed-role/xxxx is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::xxxx:user/vault-root-my-role-1663860014-xxxx because no identity-based policy allows the iam:CreateUser action
status code: 403

One point to add, if I remove the condition from the IAM policy (mentioned in above doc), then it works perfectly.

  "Condition": {

    "StringEquals": {
      "iam:PermissionsBoundary": [
        "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:policy/PolicyName"
      ]
    }
  }

What do you suppose could be the issue with permissions boundary?

qmixqssbokmirbnbpw · September 30, 2022, 6:50am

@jeffsanicola Could you please help here?

jeffsanicola · September 30, 2022, 12:12pm

I’ve not used Permission Boundaries yet so I’m not too familiar with the intended purposes or use cases.

This doc might help: Permissions boundaries for IAM entities - AWS Identity and Access Management