Cross account AWS EC2 Authentication

Hi,

I’m attempting to authenticate to Vault from an EC2 instance that is owned by a different account from the one that hosts Vault. Authentication is failing with the following error:

{"errors":["failed to verify instance ID: static AWS client credentials haven't been properly configured (the access key or secret key were provided but not both)"]}

Vault is configured with an STS role for the account hosting the EC2 instance. The role, owned by the EC2 account, trusts the instance profile role that is assigned to the Vault instance. The role has a policy attached permitting:

{
    "Statement": [
        {
            "Action": [
                "iam:GetUser",
                "iam:GetRole",
                "iam:GetInstanceProfile",
                "ec2:DescribeInstances"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}

The instance profile role has a policy attached allowing the assumption of the STS role.

Does the ec2 auth type use the credentials belonging to the instance profile role to assume the STS role? Or does it require the use of IAM user credentials, even though Vault is hosted on an EC2 instance?

The aws authentication engine role specifies a constraint for bound_ami_id.

Are there any other possible causes for the error?

I can authenticate successfully after adding an access_key and secret_key to the aws authentication engine configuration. This suggests Vault does not use the credentials in the instance profile. Is this correct?

I’m using Vault 1.15.1.
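The setup described in the post rests on three IAM documents agreeing with each other: the policy on the Vault host's instance profile role (must allow sts:AssumeRole on the cross-account role), the trust policy on the STS role in the EC2 account (must name the Vault instance profile role as a principal), and the permissions policy on that STS role (the four actions listed above). The following is an added example, not code from the original post or from Vault itself, that checks those three documents offline for consistency before touching the Vault configuration. All account IDs, role names and ARNs are hypothetical, and the sample policies are constructed for this example. The evaluator is deliberately small: it handles Allow/Deny, string-or-list Action and Resource fields and IAM's * and ? wildcards, but ignores Condition blocks, NotAction/NotResource, permission boundaries and SCPs, so a clean result here is a necessary, not sufficient, check.

```python
"""Offline consistency check of the three IAM documents in a cross-account
Vault AWS auth setup. Sample ARNs and policies below are constructed for this
example and are not taken from any real account."""
import fnmatch
import json

# Actions the STS role in the EC2 account must allow (the set from the post).
CROSS_ACCOUNT_ACTIONS = ("ec2:DescribeInstances", "iam:GetInstanceProfile",
                         "iam:GetUser", "iam:GetRole")

# Hypothetical principals: the role on the Vault host and the role it assumes.
VAULT_ROLE_ARN = "arn:aws:iam::111111111111:role/vault-server"
STS_ROLE_ARN = "arn:aws:iam::222222222222:role/vault-auth"

# Constructed sample: policy attached to the Vault host's instance profile role.
VAULT_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": STS_ROLE_ARN}]}

# Constructed sample: trust policy on the STS role in the EC2 account.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": VAULT_ROLE_ARN},
     "Action": "sts:AssumeRole"}]}

# Constructed sample: permissions policy on the STS role, kept as JSON text to
# show it must be strict JSON (a trailing comma after "Resource" would fail here).
STS_ROLE_POLICY = json.loads("""{
    "Statement": [{
        "Action": ["iam:GetUser", "iam:GetRole",
                   "iam:GetInstanceProfile", "ec2:DescribeInstances"],
        "Effect": "Allow",
        "Resource": "*"
    }],
    "Version": "2012-10-17"
}""")


def _as_list(value):
    """IAM allows a bare string where a list is expected; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _matches(pattern, value):
    """IAM action and ARN wildcards: * and ?, matched case-insensitively."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _account_id(arn):
    """arn:partition:service:region:account-id:resource -> account-id."""
    return arn.split(":")[4]


def allows(policy, action, resource="*"):
    """True if policy grants action on resource; an explicit Deny wins."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        act_hit = any(_matches(p, action) for p in _as_list(stmt.get("Action")))
        res_hit = any(_matches(p, resource) for p in _as_list(stmt.get("Resource")))
        if not (act_hit and res_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def trusts(trust_policy, principal_arn):
    """True if the trust policy lets principal_arn call sts:AssumeRole.
    Accepts the exact principal ARN, a wildcard, or the account root ARN
    (arn:...:root), which delegates to any principal in that account."""
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_matches(p, "sts:AssumeRole") for p in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            return True
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        for p in aws:
            if _matches(p, principal_arn):
                return True
            if p.endswith(":root") and _account_id(p) == _account_id(principal_arn):
                return True
    return False


def check_cross_account(vault_role_policy, sts_role_arn, vault_role_arn,
                        trust_policy, sts_role_policy):
    """Return a list of problems; empty when the three documents fit together."""
    problems = []
    if not allows(vault_role_policy, "sts:AssumeRole", sts_role_arn):
        problems.append(f"Vault instance profile role cannot sts:AssumeRole {sts_role_arn}")
    if not trusts(trust_policy, vault_role_arn):
        problems.append(f"STS role trust policy does not trust {vault_role_arn}")
    for action in CROSS_ACCOUNT_ACTIONS:
        if not allows(sts_role_policy, action):
            problems.append(f"STS role policy does not allow {action}")
    return problems


if __name__ == "__main__":
    issues = check_cross_account(VAULT_ROLE_POLICY, STS_ROLE_ARN, VAULT_ROLE_ARN,
                                 TRUST_POLICY, STS_ROLE_POLICY)
    print("OK" if not issues else "\n".join(issues))
```

Run it against the real documents by replacing the three constructed policies with the output of the corresponding get-role / get-role-policy calls; every problem it reports is something Vault's AssumeRole or DescribeInstances call would also fail on, whereas a clean result still leaves Condition keys and organisation-level controls unchecked.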