Getting permission denied when using root CA to sign intermediate CA

We have a root CA Vault that we use to sign the CSR of an AWS ACM PCA. The server (IAM ARN: arn:aws:iam::<account#>:role/myserver) we use to run these commands has an IAM role that is bound to a Vault policy in the root CA Vault:

sh-4.2$ vault read auth/aws/role/myserver
Key                               Value
---                               -----
allow_instance_migration          false
auth_type                         iam
bound_account_id                  []
bound_ami_id                      []
bound_ec2_instance_id             <nil>
bound_iam_instance_profile_arn    []
bound_iam_principal_arn           [arn:aws:iam::<account#>:role/myserver]
bound_iam_principal_id            [AROAJH2DIPEXDIZSZOSDE]
bound_iam_role_arn                []
bound_region                      []
bound_subnet_id                   []
bound_vpc_id                      []
disallow_reauthentication         false
inferred_aws_region               n/a
inferred_entity_type              n/a
max_ttl                           0s
period                            12h
policies                          [my-pol]
resolve_aws_unique_ids            true
role_tag                          n/a
ttl                               0s

The Vault policy for the myserver IAM role is:

sh-4.2$ vault policy read my-pol
path "pki/root/sign-intermediate" {
  capabilities = ["create"]
}

When I hit the Vault API to sign my CSR, I get the following error:

$ vault write pki/root/sign-intermediate csr="${acm_pca_csr}" ttl=131400h format=pem_bundle
Error writing data to pki/root/sign-intermediate: Error making API request.

URL: PUT https://my-rootca.myorg.com/v1/pki/root/sign-intermediate
Code: 403. Errors:

* 1 error occurred:
        * permission denied

I’m thinking maybe my Vault policy is not configured correctly for this op. However, I’m not sure how I can fix this.