Problem with AWS EC2 Authentication

I attempted to setup vault authentication via an AWS EC2 instance as documented here: AWS - Auth Methods | Vault by HashiCorp

Setup

Overall setup.

reader policy

Relevant contents of reader policy.

path “secret/" {
capabilities = [“read”, “list”]
}
path "sys/mounts/
” {
capabilities = [“read”, “list”]
}
path “sys/mounts” {
capabilities = [“read”, “list”]
}

Enable AWS Auth Support

Here are the commands I issued:

vault auth enable aws
vault write auth/aws/config/client secret_key=$AWS_SECRET_ACCESS_KEY
access_key=$AWS_ACCESS_KEY_ID
vault write auth/aws/role/reader-role auth_type=ec2
bound_iam_role_arn=arn:aws:iam::1234567:role/name
policies=reader max_ttl=768h

Permission Errors

Authentication succeeded using the following command:

IDENTITY=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | base64 -w 0)
SIGNATURE=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/signature | tr -d ‘\n’)
vault write auth/aws/login identity=“$IDENTITY” signature=“$SIGNATURE” role=reader-role

When I attempted to get a secret I receive a 403 error “permission denied”. Odd. I found the following post Identity policy not applying with AWS IAM auth · Issue #7888 · hashicorp/vault · GitHub and created an identity:

vault read -format=json auth/aws/role/reader-role | jq -r ‘.data.role_id’ > role_id.txt
vault auth list -format=json | jq -r ‘.[“aws/”].accessor’ > accessor.txt
vault write -format=json identity/entity name=“aws” policies=“reader”
metadata=organization=“company”
metadata=team=“Development”
| jq -r “.data.id” > entity_id.txt
vault write identity/entity-alias name=$(cat role_id.txt)
canonical_id=$(cat entity_id.txt) mount_accessor=$(cat accessor.txt)

The “reader” identity is now associated with the login token. However permission errors persist. In fact the following simple command returns a 403 permission denied error:

vault token lookup

I have no idea why this is not working. I will appreciate any assistance.

I just figured it out. For anyone else that stumbles across this post, the vault write auth/aws/login command does not set the vault token internally like the vault login command. Therefore the correct command should have been:

export VAULT_TOKEN=“$(vault write -field=token auth/aws/login identity=”$IDENTITY" signature=“$SIGNATURE” role=reader-role)"