Hello,
I have an issue when I want to authenticate using the AWS IAM authentication of Vault.
What I want to do is to be able to connect from another AWS account to the Vault. I want any role to be able to request the Vault, since I don't want to add them myself every time the owner of the other account creates a new role for his EC2 or Lambda.
I saw in the documentation that it is possible to put a wildcard in “bound_iam_principal_arn”.
Here is my configuration for my role in Vault:
{
"request_id": "478a791d-67c4-b7a3-8832-d8a831811eca",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"allow_instance_migration": false,
"auth_type": "iam",
"bound_account_id": [],
"bound_ami_id": [],
"bound_ec2_instance_id": null,
"bound_iam_instance_profile_arn": [],
"bound_iam_principal_arn": [
"arn:aws:iam::123456789012:role/*"
],
"bound_iam_principal_id": [],
"bound_iam_role_arn": [],
"bound_region": [],
"bound_subnet_id": [],
"bound_vpc_id": [],
"disallow_reauthentication": false,
"inferred_aws_region": "",
"inferred_entity_type": "",
"policies": [
"aws_dev"
],
"resolve_aws_unique_ids": true,
"role_id": "10b537cb-86c6-7154-4cd1-9ad294c525dc",
"role_tag": "",
"token_bound_cidrs": [],
"token_explicit_max_ttl": 0,
"token_max_ttl": 0,
"token_no_default_policy": false,
"token_num_uses": 0,
"token_period": 0,
"token_policies": [
"aws_dev"
],
"token_ttl": 0,
"token_type": "default"
},
"wrap_info": null,
"warnings": null,
"auth": null
}
My STS role (the role name is the account number where the STS is):
{
"request_id": "f9e690b2-87d7-0b63-de4f-bda8a04a0ed5",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"sts_role": "arn:aws:iam::123456789012:role/test-assume-role-from-vault-dev"
},
"wrap_info": null,
"warnings": null,
"auth": null
}
Here is the AWS policy attached to it:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"iam:GetInstanceProfile",
"iam:GetUser",
"iam:GetRole"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": [
"*"
]
}
]
}
I also have a trust relationship that allows me to assume a role in the other account.
curl -X POST "http://<URL>/v1/auth/aws/login" -d '{
"role":"dev",
"iam_http_request_method": "POST",
"iam_request_url": " ",
"iam_request_body":" ",
"iam_request_headers": " " }'
I wanted to use this curl command to log in using the AWS IAM auth of Vault from an EC2 in the other account. I understood that it has to be encoded in Base64 (https://www.vaultproject.io/api-docs/auth/aws/#iam_http_request_method):
- iam_request_url = https://sts.amazonaws.com/
- iam_request_body = Action=GetCallerIdentity&Version=2011-06-15
Does the information given in the documentation not have to be changed?
Only “iam_request_headers” must be unique, but where can I get it?
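The three `iam_request_*` fields are the pieces of a signed `sts:GetCallerIdentity` request: the URL and body stay constant, and the headers are what make each login unique, because they carry the SigV4 `Authorization` header computed from the caller's credentials and the current timestamp (plus the session token when the credentials are temporary, as they are for an instance profile or a Lambda execution role). Vault replays that request against STS and trusts the principal STS reports, so the caller never hands its keys to Vault. The script below is an added example, not code from the original post or from HashiCorp: it produces those headers with only the standard library and assembles the login JSON. The access key, secret, session token, server ID and role name are constructed placeholders; on a real EC2 instance or Lambda the credentials would come from the instance profile or execution role. The `X-Vault-AWS-IAM-Server-ID` header is only needed if the Vault role or mount sets `iam_server_id_header_value`, and it has to be included before signing so that it is covered by the signature.

```python
"""
Added example: build the iam_request_* fields for Vault's auth/aws IAM login.
Not HashiCorp's code; plain AWS Signature Version 4 with the standard library.
All credentials and identifiers below are constructed placeholders.
"""
import base64
import datetime
import hashlib
import hmac
import json

STS_URL = "https://sts.amazonaws.com/"
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"
STS_REGION = "us-east-1"  # the global sts.amazonaws.com endpoint is signed in this scope
STS_SERVICE = "sts"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_request(method: str, path: str, query: str, headers: dict, body: str) -> str:
    """SigV4 canonical request: header names lowercased and sorted, values whitespace-collapsed."""
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    names = sorted(lowered)
    canonical_headers = "".join(f"{n}:{lowered[n]}\n" for n in names)
    signed_headers = ";".join(names)
    return "\n".join([method, path, query, canonical_headers, signed_headers,
                      sha256_hex(body.encode("utf-8"))])


def sign_get_caller_identity(access_key, secret_key, session_token=None,
                             server_id=None, amz_date=None):
    """Wire headers for a signed POST https://sts.amazonaws.com/ GetCallerIdentity call.

    server_id (placeholder) is the value Vault compares with the role's
    iam_server_id_header_value; it is added before signing so the signature covers it.
    amz_date may be fixed for reproducible output; normally it is "now" in UTC.
    """
    if amz_date is None:
        amz_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    headers = {
        "Host": "sts.amazonaws.com",
        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
        "Content-Length": str(len(STS_BODY)),
        "X-Amz-Date": amz_date,
    }
    if session_token:  # temporary credentials (instance profile, assumed role) require it
        headers["X-Amz-Security-Token"] = session_token
    if server_id:
        headers["X-Vault-AWS-IAM-Server-ID"] = server_id

    scope = f"{date_stamp}/{STS_REGION}/{STS_SERVICE}/aws4_request"
    canonical = canonical_request("POST", "/", "", headers, STS_BODY)
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                sha256_hex(canonical.encode("utf-8"))])
    key = signing_key(secret_key, date_stamp, STS_REGION, STS_SERVICE)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    signed_headers = ";".join(sorted(k.lower() for k in headers))
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def vault_login_payload(role: str, headers: dict) -> dict:
    """JSON body for POST /v1/auth/aws/login; each request part is base64-encoded."""
    def b64(text: str) -> str:
        return base64.b64encode(text.encode("utf-8")).decode("ascii")
    return {
        "role": role,
        "iam_http_request_method": "POST",
        "iam_request_url": b64(STS_URL),
        "iam_request_body": b64(STS_BODY),
        "iam_request_headers": b64(json.dumps(headers)),
    }


def decode_payload(payload: dict) -> dict:
    """Undo the encoding: what Vault sees before replaying the request to STS."""
    def unb64(text: str) -> str:
        return base64.b64decode(text).decode("utf-8")
    return {
        "iam_request_url": unb64(payload["iam_request_url"]),
        "iam_request_body": unb64(payload["iam_request_body"]),
        "iam_request_headers": json.loads(unb64(payload["iam_request_headers"])),
    }


if __name__ == "__main__":
    # Constructed placeholder credentials; real ones come from the instance profile
    # or Lambda execution role (e.g. the boto3 credential chain).
    hdrs = sign_get_caller_identity(
        access_key="AKIAIOSFODNN7EXAMPLE",
        secret_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        session_token="FwoGZXIvYXdzEXAMPLE",
        server_id="vault.example.com",
    )
    print(json.dumps(vault_login_payload("dev", hdrs), indent=2))
```

The printed JSON is exactly what goes into the `-d` body of the curl command above, and the same three fields are what `vault login -method=aws role=dev` generates on the caller's behalf. Header values are written here as plain strings; Vault also accepts the list-of-strings form that the Vault CLI emits. Because the `X-Amz-Date` is signed, a payload is only valid for a short window, so it is generated immediately before each login rather than stored.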