Cannot login vault with aws IAM auth method

I followed the docs
I keep getting

Error authenticating: Error making API request.

Code: 400. Errors:

* error parsing arn "arn:aws:iam::xxxxxxxxxxxx:root": unrecognized arn: "root" contains fewer than 2 slash-separated parts

Prob a config issue. Can you share all your vault write commands used to configure someone might spot the issue.
And also the vault login command you’re using to test this out.

Is there a reason you’re using vs That might be confusing the listener if you’re local with multiple interfaces, but it seems to be connecting fine so not the issue… just curious.

This might be because you are using the accessKeyId and accessKey of a root user instead of IAM user. I run into the same issue, after I change to use accessKeyId and accessKey of a new create IAM user (Creating an IAM user in your AWS account - AWS Identity and Access Management), it works fine.

I tried that but it did not work for me.
Even created a brand new user with both console and programmatic access and attached the policy as specified in the documentation.

Please, share the details about this IAM user you created when it worked - what policies did you assign to that user?
I tried with an existing one - that did not work - and then created a brand new one and assigned that user the AWS policy that I attached to the AWS role. That role is mapped to the role in Vault.

Here are the commands I am executing in sequence. Just fill in the place holders for the creds and for the AWS account number.

Enable KV secrets engine

vault secrets enable kv

Write some test data

vault kv put secret/awsauthdemo/config ttl=10m username=devuser password=b3st4secret

Upload a simple policy to read and list the secrets under the path above

vault policy write awsauth awsauth.hcl

Enable AWS authentication method

vault auth enable aws

Configure the AWS credentials

vault write auth/aws/config/client secret_key=<secret_key> access_key=<access_key>

Create a Vault role and associate it with an AWS role that has the custom policy we create previously

vault write auth/aws/role/awsauth-role-iam
policies=awsauth ttl=48h

Configure X-Vault-AWS-IAM-Server-ID Header - recommended

vault write auth/aws/config/client

Log in - IAM auth method

vault login -method=aws role=awsauth-role-iam

Thanks in advance for your help :grinning:

OK, I managed to get past that after realizing that configuring the access and secret keys into the auth/aws/config/client does NOT work - it write the keys but they are not used during the login call - the root AWS account keys are used because they are configured in the default location ~/.aws/credentials. Instead I passed the IAM user keys when I executed the login command:
vault login -method=aws role=awsauth-role-iam aws_access_key_id=<IAM_user_access_key> aws_secret_access_key=<IAM_user_secret_key>

But, I have another error. Any suggestions would be welcome.

Error authenticating: Error making API request.

Code: 400. Errors:

IAM Principal “arn:aws:iam::<aws_account_number>:user/vaultiam” does not belong to the role "awsauth-role-iam"

And here is my command for creating the role in Vault:

vault write auth/aws/role/awsauth-role-iam \
    auth_type=iam \
    bound_iam_principal_arn="arn:aws:iam::<aws_accoount_number>:role/vault-aws-auth-role" resolve_aws_unique_ids=true \
    policies=awsauth ttl=24h


OK guys, for everyone who is still experiencing this problem, if you have the root keys configured under ~/.aws/credentials, then even though you’ve configured the Vault AWS auth client with the keys of an IAM user, Vault will still try to use the root keys, if available. The way around that is to pass the IAM user’s access and secret keys in the login call:
vault login -method=aws role=awsauth-role-iam aws_access_key_id=<IAM_user_access_key> aws_secret_access_key=<IAM_user_secret_key>.

That solves the problem. Alternatively, you can run aws configure, and create a new profile with that user’s keys but then you need to figure out how to tell Vault to use that AWS profile and not the default one containing the root keys.