We have a Vault cluster running in an EKS cluster with self-managed EC2 nodes that have an instance profile attached.
I am looking to establish AWS IAM authentication for a set of applications that run in ECS Fargate.
I am logging in to Vault with a token that has full rights over auth/.
I successfully ran vault auth enable aws and created the relevant policy ecs-task-policy.
I went to create the ECS task role:
auth_type=iam \
policies=ecs-task-policy \
max_ttl=12h \
bound_iam_principal_arn=arn:aws:iam::1234567890:role/ecs-task-role
where the IAM principal ARN is the AWS task role of the ECS task that will interact with Vault.
I am getting the following error trying to create the role:
Error writing data to auth/aws/role/vault-role-rwn-ecs-task-role: Error making API request.
URL: PUT http://vault.app.internal:8200/v1/auth/aws/role/ecs-task-role
Code: 400. Errors:
* unable to resolve ARN "arn:aws:iam::1234567890:role/ecs-task-role" to internal ID: AccessDenied: User: arn:aws:sts::1234567890:assumed-role/eks-node-group-role/i-11223344556677 is not authorized to perform: iam:GetRole on resource: role ecs-task-role because no identity-based policy allows the iam:GetRole action
status code: 403, request id: 123456-123456-123456-abcdef
It appears that the assumed role of the EKS node instance profile is getting in the way, but why is that the case? All I want is for the ECS task to be able to authenticate to Vault using the role of the task. Again, ECS is Fargate, so I am not sure where the EKS node comes into play.
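The error names the mechanism: with resolve_aws_unique_ids left at its default of true, Vault resolves bound_iam_principal_arn to the principal's unique ID when the auth role is written, and it does so with the Vault server's own AWS credentials, which on EKS nodes is the instance-profile role. The following script is an added example, not code from the original post or from Vault: it derives the bound IAM role ARN from the STS session ARN a Fargate task actually presents, builds the least-privilege policy the Vault server's identity needs for that lookup (iam:GetRole for roles, iam:GetUser for users, scoped to the exact ARNs), and shows the vault write arguments with the parameter names the auth method accepts. The account number and session name are constructed placeholders; wildcard bound ARNs are skipped because Vault matches those as strings rather than resolving them.

```python
"""Added example: least-privilege setup for Vault's AWS IAM auth method.

Standard library only; makes no AWS or Vault calls. Vault resolves each
bound IAM principal to its unique ID using the *server's* credentials
(on EKS, the node instance-profile role), so that identity needs
iam:GetRole / iam:GetUser on the bound principals.
"""
import json
import re

# Session ARN an ECS task reports from `aws sts get-caller-identity`.
_ASSUMED_ROLE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")
# IAM principal ARN accepted by bound_iam_principal_arn (wildcards only at the end).
_IAM_PRINCIPAL = re.compile(r"^arn:aws:iam::(\d{12}):(role|user)/(.+)$")


def bound_principal_from_sts_arn(sts_arn):
    """Map the STS assumed-role ARN a Fargate task presents to the IAM role ARN
    Vault expects in bound_iam_principal_arn (the session name is dropped)."""
    m = _ASSUMED_ROLE.match(sts_arn)
    if not m:
        raise ValueError(f"not an STS assumed-role ARN: {sts_arn}")
    account, role_name = m.groups()
    return f"arn:aws:iam::{account}:role/{role_name}"


def vault_server_iam_policy(bound_arns):
    """Least-privilege identity-based policy for the Vault server's own AWS
    identity (the EKS node instance-profile role in the question).

    With resolve_aws_unique_ids=true (the default) Vault calls iam:GetRole for
    each bound role and iam:GetUser for each bound user when the Vault role is
    written, so it can pin the principal's unique ID. A wildcard bound ARN is
    matched as a string and is not resolved, so it needs no permission here.
    """
    roles, users = [], []
    for arn in bound_arns:
        m = _IAM_PRINCIPAL.match(arn)
        if not m:
            raise ValueError(f"not an IAM role/user ARN: {arn}")
        if "*" in m.group(3):
            continue  # string match only; no unique-ID lookup
        (roles if m.group(2) == "role" else users).append(arn)
    statements = []
    if roles:
        statements.append({"Sid": "VaultResolveBoundRoles", "Effect": "Allow",
                           "Action": "iam:GetRole", "Resource": sorted(roles)})
    if users:
        statements.append({"Sid": "VaultResolveBoundUsers", "Effect": "Allow",
                           "Action": "iam:GetUser", "Resource": sorted(users)})
    return {"Version": "2012-10-17", "Statement": statements}


def vault_write_args(role_name, bound_arn, policies, max_ttl, resolve_unique_ids=True):
    """argv for the `vault write` call that creates the AWS auth role, using the
    parameter names the auth method actually accepts."""
    args = ["vault", "write", f"auth/aws/role/{role_name}",
            "auth_type=iam",
            f"bound_iam_principal_arn={bound_arn}",
            f"policies={','.join(policies)}",
            f"max_ttl={max_ttl}"]
    if not resolve_unique_ids:
        # Avoids the iam:GetRole call entirely, but a deleted-and-recreated
        # role with the same name would then be trusted again: weaker binding.
        args.append("resolve_aws_unique_ids=false")
    return args


if __name__ == "__main__":
    # Constructed values: 12-digit placeholder account and a task session ARN.
    task_sts_arn = "arn:aws:sts::123456789012:assumed-role/ecs-task-role/5a3f1c2e"
    bound = bound_principal_from_sts_arn(task_sts_arn)
    print(" ".join(vault_write_args("ecs-task-role", bound, ["ecs-task-policy"], "12h")))
    print(json.dumps(vault_server_iam_policy([bound]), indent=2))
```

Attach the generated policy to the EKS node role (or, better, to a dedicated IAM role for Vault via IRSA so the nodes themselves gain nothing) and re-run the vault write. Setting resolve_aws_unique_ids=false is the other way to make the 403 disappear, but it drops the unique-ID pinning that stops a recreated role of the same name from inheriting the binding, so prefer granting the two read-only IAM actions.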