Does Vault KMS Seal support IAM role based credentials?

laukaichung · April 17, 2021, 1:03pm

Does Vault KMS Seal support AWS_CONFIG_FILE and AWS_PROFILE env without providing AWS_SECRET_ACCESS_KEY and AWS_ACCESS_KEY_ID? I hope the AWS Client would assume the IAM role for me before fetching KMS key info.

I already set the AWS_CONFIG_FILE and AWS_PROFILE thinking that Vault would use the config file for the KMS credentials, but it still requires me to provide AWS_SECRET_ACCESS_KEY and AWS_ACCESS_KEY_ID in the environment.

Error parsing Seal configuration: error fetching AWS KMS wrapping key information: NoCredentialProviders: no valid providers in chain. Deprecated.

I’ve tried this with vault dev server as well as the production server.
./aws/config

[default]
aws_access_key_id = xxxx
aws_secret_access_key = xxxx
region = us-east-1

[profile vault-admin]
role_arn = xxxx
source_profile = default

DevOpsRob · April 20, 2021, 3:20pm

Hi,

Thanks for reaching out. Currently Vault does not support the reading of the AWS_CONFIG_FILE and AWS_PROFILE. Vault does use some AWS SDKs under the hood that do recognise these variables so its possible in theory.

If this is something that you are interested in seeing a future release, please do open a feature request here.

Thanks again for your post.

Topic		Replies	Views
AWS auth method - How to use the vault CLI with IAM role? Vault	1	4167	April 3, 2020
AWS KMS Autounseal without IAM user Vault	5	557	May 13, 2020
Using AWS instance profiles or IAM policies for awskms unseal and s3 storage Vault	2	522	February 11, 2022
Can not unseal Vault using Service Account IAM Roles in AWS Vault	3	2079	September 10, 2020
How to configure Vault to issue AWS secret keys for authentication to Vault (Terraform) Vault	3	2235	May 16, 2021

Does Vault KMS Seal support IAM role based credentials?

Related topics