Does Vault KMS Seal support IAM role based credentials?

Does Vault KMS Seal support AWS_CONFIG_FILE and AWS_PROFILE env without providing AWS_SECRET_ACCESS_KEY and AWS_ACCESS_KEY_ID? I hope the AWS Client would assume the IAM role for me before fetching KMS key info.

I already set the AWS_CONFIG_FILE and AWS_PROFILE thinking that Vault would use the config file for the KMS credentials, but it still requires me to provide AWS_SECRET_ACCESS_KEY and AWS_ACCESS_KEY_ID in the environment.

Error parsing Seal configuration: error fetching AWS KMS wrapping key information: NoCredentialProviders: no valid providers in chain. Deprecated.

I’ve tried this with vault dev server as well as the production server.

./aws/config

[default]
aws_access_key_id = xxxx
aws_secret_access_key = xxxx
region = us-east-1

[profile vault-admin]
role_arn = xxxx
source_profile = default

Hi,

Thanks for reaching out. Currently Vault does not support the reading of the AWS_CONFIG_FILE and AWS_PROFILE. Vault does use some AWS SDKs under the hood that do recognise these variables so it's possible in theory.

If this is something that you are interested in seeing in a future release, please do open a feature request here.

Thanks again for your post.

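A workaround for the situation in this thread, as an added example that is not part of either post and is not Vault's own code: let the AWS CLI resolve the vault-admin profile from the config file, then export the resulting temporary credentials in the variables Vault asks for. It assumes the AWS CLI is installed and that the seal also reads AWS_SESSION_TOKEN from the environment; the script name and the VAULT_AWS_PROFILE and VAULT_AWS_SESSION_NAME variables are made up for this example.

```sh
#!/bin/sh
# Added example (not from the thread). PROFILE and SESSION_NAME are
# illustrative defaults chosen here, not names Vault defines.
PROFILE="${VAULT_AWS_PROFILE:-vault-admin}"
SESSION_NAME="${VAULT_AWS_SESSION_NAME:-vault-kms-seal}"

# Print "AccessKeyId<TAB>SecretAccessKey<TAB>SessionToken" for the role the
# profile names, signing the STS call with that profile's source_profile.
# The ( ) body runs in a subshell, so the two variables stay local.
fetch_role_creds() (
  role_arn="$(aws configure get role_arn --profile "$1")" || exit 1
  source_profile="$(aws configure get source_profile --profile "$1")" || exit 1
  [ -n "$role_arn" ] && [ -n "$source_profile" ] || exit 1
  aws sts assume-role \
    --profile "$source_profile" \
    --role-arn "$role_arn" \
    --role-session-name "$SESSION_NAME" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text
)

# Export the three variables, failing closed when any field is missing so
# Vault is never started with a partial credential set.
export_role_creds() {
  _line="$(fetch_role_creds "$1")" || {
    echo "assume-role failed for profile $1" >&2
    return 1
  }
  # cut -s drops a line with no tab at all instead of echoing it back whole.
  _key="$(printf '%s\n' "$_line" | cut -s -f1)"
  _secret="$(printf '%s\n' "$_line" | cut -s -f2)"
  _token="$(printf '%s\n' "$_line" | cut -s -f3)"
  if [ -z "$_key" ] || [ -z "$_secret" ] || [ -z "$_token" ]; then
    echo "incomplete credentials returned for profile $1" >&2
    unset _line _key _secret _token
    return 1
  fi
  export AWS_ACCESS_KEY_ID="$_key" AWS_SECRET_ACCESS_KEY="$_secret" \
    AWS_SESSION_TOKEN="$_token"
  unset _line _key _secret _token
}

# Executed with arguments, the script becomes a wrapper around vault, e.g.
#   ./vault-with-role.sh server -config=/path/to/vault.hcl
if [ "$#" -gt 0 ]; then
  export_role_creds "$PROFILE" && exec vault "$@"
fi
```

Assume-role sessions last one hour by default and environment variables are not refreshed once Vault is running, so plan for the expiry if the server needs KMS access after startup.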