Rotate-root for aws auth backend not working

Hi,

I couldn’t get root credential rotation working. My initial step is to activate aws auth

vault auth enable aws

Now I configure root credentials

vault write /auth/aws/config/client access_key=XXXXXXXXXXXXX secret_key=xxxxxxxxxxxxxxxxxxx

And after that I want to perform the root-rotation

vault write -force /auth/aws/config/rotate-root

The operation is successful, but the access_key in

vault read auth/aws/config/client

still remains the same from initial setup step.
So this destroys my AWS access, because the access_key shown by this call has been deleted by the rotation call.
Does anyone have an idea what I’m doing wrong?

My Setup:
Environment: VM on bare-metal machine
Vault Version: 1.7.2 (also tested with 1.8.0)
OS: CentOS 7.9.2009
Storage Backend: Consul Version 1.9.6

The AWS policy should be right, because the credentials were rotating.

Thanks, regards Daniel

Does nobody have an idea what’s wrong with the rotate-root for aws auth method in combination with static credentials in client config?

Hi @danieldethloff1993 - I just bumped into this one: Fix auth/aws so that config/rotate-root saves new key pair to vault by ludewigh · Pull Request #12715 · hashicorp/vault · GitHub - so a fix is rolling out - if I’ve understood correctly.

Yours,

Iiro
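
A way to check whether a given Vault build shows the behaviour reported in this thread, as an added example that is not part of the original posts or of Vault itself: it compares the access_key stored in auth/aws/config/client before and after rotate-root. The function names and the MOUNT variable are assumptions; VAULT_ADDR and VAULT_TOKEN are expected to be set already.

```shell
#!/bin/sh
# Added example (not from the thread): detect a rotate-root that reports
# success but leaves the old access_key in auth/aws/config/client.
# On an affected build the old key is deleted in AWS (as described above),
# so run this against a disposable IAM user, not production credentials.

MOUNT="${MOUNT:-auth/aws}"   # assumption: default mount path of the aws auth method

# Print the access key ID Vault currently stores for the AWS auth client.
stored_access_key() {
    vault read -field=access_key "${MOUNT}/config/client"
}

# Rotate the root credentials and verify that the stored key changed.
# Return codes:
#   0  stored access_key changed, rotation was persisted
#   1  a vault call failed or no access_key is configured
#   2  rotate-root succeeded but the stored access_key is unchanged
check_rotate_root() {
    key_before="$(stored_access_key)" || return 1
    [ -n "$key_before" ] || return 1

    vault write -force "${MOUNT}/config/rotate-root" >/dev/null || return 1

    key_after="$(stored_access_key)" || return 1
    if [ "$key_before" = "$key_after" ]; then
        echo "STALE: ${MOUNT}/config/client still holds ${key_before}" >&2
        return 2
    fi
    echo "OK: ${MOUNT}/config/client now holds a new access_key"
    return 0
}

# Only act when asked to, so the file can be sourced without side effects.
if [ "${1:-}" = "--run" ]; then
    check_rotate_root
    exit $?
fi
```

Return code 2 corresponds to the symptom in the first post: the rotation call succeeds while `vault read auth/aws/config/client` still shows the initial key.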