Problem with AWS EC2 Authentication

I attempted to set up vault authentication via an AWS EC2 instance as documented here: AWS - Auth Methods | Vault | HashiCorp Developer

Setup

Overall setup.

reader policy

Relevant contents of reader policy.

path "secret/*" {
  capabilities = ["read", "list"]
}
path "sys/mounts/*" {
  capabilities = ["read", "list"]
}
path "sys/mounts" {
  capabilities = ["read", "list"]
}

Enable AWS Auth Support

Here are the commands I issued:

vault auth enable aws
vault write auth/aws/config/client secret_key=$AWS_SECRET_ACCESS_KEY \
  access_key=$AWS_ACCESS_KEY_ID
vault write auth/aws/role/reader-role auth_type=ec2 \
  bound_iam_role_arn=arn:aws:iam::1234567:role/name \
  policies=reader max_ttl=768h

Permission Errors

Authentication succeeded using the following command:

IDENTITY=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | base64 -w 0)
SIGNATURE=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/signature | tr -d '\n')
vault write auth/aws/login identity="$IDENTITY" signature="$SIGNATURE" role=reader-role

When I attempted to get a secret, I received a 403 error “permission denied”. Odd. I found the following post Identity policy not applying with AWS IAM auth · Issue #7888 · hashicorp/vault · GitHub and created an identity:

vault read -format=json auth/aws/role/reader-role | jq -r '.data.role_id' > role_id.txt
vault auth list -format=json | jq -r '.["aws/"].accessor' > accessor.txt
vault write -format=json identity/entity name="aws" policies="reader" \
  metadata=organization="company" \
  metadata=team="Development" \
  | jq -r ".data.id" > entity_id.txt
vault write identity/entity-alias name=$(cat role_id.txt) \
  canonical_id=$(cat entity_id.txt) mount_accessor=$(cat accessor.txt)

The “reader” identity is now associated with the login token. However, permission errors persist. In fact, the following simple command returns a 403 permission denied error:

vault token lookup

I have no idea why this is not working. I will appreciate any assistance.

I just figured it out. For anyone else that stumbles across this post, the vault write auth/aws/login command does not set the vault token internally like the vault login command. Therefore the correct command should have been:

export VAULT_TOKEN="$(vault write -field=token auth/aws/login identity="$IDENTITY" signature="$SIGNATURE" role=reader-role)"
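As an added example (not the poster's code and not part of Vault itself), the same EC2 login flow against Vault's HTTP API in Python. It makes the failure mode above explicit: the login response carries the token in `auth.client_token`, and every later request has to send it in `X-Vault-Token` (which is what `VAULT_TOKEN` does for the CLI); a request without it gets the same 403 the poster saw. The Vault address, secret path, instance id, signature and token value are constructed, and the HTTP transport is injectable so the flow runs offline against a small fake server.

```python
"""EC2 auth against Vault's HTTP API, then reading a secret with the returned token.

Added example, not the forum poster's code. Endpoints used: IMDS
/latest/dynamic/instance-identity/{document,signature}, Vault
POST /v1/auth/aws/login (ec2 type) and GET /v1/<path> with X-Vault-Token.
"""
import base64
import json
import urllib.error
import urllib.request

IMDS = "http://169.254.169.254/latest/dynamic/instance-identity"


def http_transport(method, url, headers=None, body=None):
    """Real transport: returns (status, response text). Swapped for a fake below."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # Vault reports 400/403 as HTTP errors
        return err.code, err.read().decode()


def fetch_identity(transport=http_transport):
    """Identity document (raw JSON text) and its signature, as the poster's two curls."""
    _, document = transport("GET", f"{IMDS}/document")
    _, signature = transport("GET", f"{IMDS}/signature")
    return document, signature


def build_login_payload(document, signature, role):
    """Same encoding the CLI commands did: base64 of the raw document, newlines stripped from the signature."""
    return {
        "role": role,
        "identity": base64.b64encode(document.encode()).decode(),
        "signature": signature.replace("\n", ""),
    }


def ec2_login(vault_addr, payload, transport=http_transport):
    """POST the login. The token is in auth.client_token of the response and nowhere else."""
    status, text = transport("POST", f"{vault_addr}/v1/auth/aws/login",
                             {"Content-Type": "application/json"}, json.dumps(payload).encode())
    if status != 200:
        raise RuntimeError(f"login failed: HTTP {status}: {text}")
    auth = json.loads(text)["auth"]
    return {"token": auth["client_token"], "policies": auth.get("policies", []),
            "ttl_seconds": auth.get("lease_duration")}


def vault_read(vault_addr, token, path, transport=http_transport):
    """GET a path with X-Vault-Token. A missing or wrong token yields the poster's 403."""
    status, text = transport("GET", f"{vault_addr}/v1/{path}", {"X-Vault-Token": token})
    if status == 403:
        raise PermissionError(f"permission denied on {path}: token not sent, or policy lacks the path")
    if status != 200:
        raise RuntimeError(f"read failed: HTTP {status}: {text}")
    return json.loads(text)["data"]


def make_fake_transport(role="reader-role", token="hvs.CONSTRUCTED-token"):
    """Constructed stand-in for IMDS and Vault so the flow runs offline. It copies the
    one behaviour that matters here: any request without the issued token gets 403."""
    document = json.dumps({"instanceId": "i-0123456789abcdef0", "region": "us-east-1"})

    def transport(method, url, headers=None, body=None):
        headers = headers or {}
        if url.endswith("/instance-identity/document"):
            return 200, document
        if url.endswith("/instance-identity/signature"):
            return 200, "Q29uc3RydWN0ZWQgc2lnbmF0dXJl\n"  # constructed, not a real signature
        if method == "POST" and url.endswith("/v1/auth/aws/login"):
            payload = json.loads(body)
            if payload.get("role") != role or not payload.get("identity"):
                return 400, json.dumps({"errors": ["invalid login"]})
            return 200, json.dumps({"auth": {"client_token": token,
                                             "policies": ["default", "reader"],
                                             "lease_duration": 2764800}})  # 768h, as in the role
        if headers.get("X-Vault-Token") != token:
            return 403, json.dumps({"errors": ["permission denied"]})
        if url.endswith("/v1/secret/example"):
            return 200, json.dumps({"data": {"value": "constructed"}})
        return 404, json.dumps({"errors": []})

    return transport


def demo(vault_addr="http://vault.example.internal:8200", transport=None):
    """Log in, then read once with the returned token and once without it."""
    transport = transport or make_fake_transport()
    document, signature = fetch_identity(transport)
    auth = ec2_login(vault_addr, build_login_payload(document, signature, "reader-role"), transport)
    with_token = vault_read(vault_addr, auth["token"], "secret/example", transport)
    try:
        vault_read(vault_addr, "", "secret/example", transport)  # the CLI with no VAULT_TOKEN set
        denied_without_token = False
    except PermissionError:
        denied_without_token = True
    return auth, with_token, denied_without_token


if __name__ == "__main__":
    print(demo())
```

Run as-is it exercises the fake; passing `http_transport` to `demo` (with a real `vault_addr`, on an instance whose role matches the bound IAM role) performs the real exchange. The `vault_read` 403 branch is deliberately ambiguous in its message because Vault returns the same status whether no token was sent or the token's policy lacks the path, which is why the poster's entity work did not change the symptom.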