Does Vault KMS Seal support IAM role based credentials?

Does Vault KMS Seal support AWS_CONFIG_FILE and AWS_PROFILE env without providing AWS_SECRET_ACCESS_KEY and AWS_ACCESS_KEY_ID? I hope the AWS Client would assume the IAM role for me before fetching KMS key info.

I already set the AWS_CONFIG_FILE and AWS_PROFILE thinking that Vault would use the config file for the KMS credentials, but it still requires me to provide AWS_SECRET_ACCESS_KEY and AWS_ACCESS_KEY_ID in the environment.

Error parsing Seal configuration: error fetching AWS KMS wrapping key information: NoCredentialProviders: no valid providers in chain. Deprecated.

I’ve tried this with vault dev server as well as the production server.

aws_access_key_id = xxxx
aws_secret_access_key = xxxx
region = us-east-1

[profile vault-admin]
role_arn = xxxx
source_profile = default


Thanks for reaching out. Currently Vault does not support the reading of the AWS_CONFIG_FILE and AWS_PROFILE. Vault does use some AWS SDKs under the hood that do recognise these variables so its possible in theory.

If this is something that you are interested in seeing a future release, please do open a feature request here.

Thanks again for your post.

1 Like