Try to use vault-lambda-extension access Vault Cloud (HCP) got Access Denied


  1. after configure account and STS role with lambda, Vault aws/auth, Vault STS Do I need more configure?
  2. when access HCP using lambda do I need token for an access?


  • STS Account.
  • Use python as lambda
  • Vault cloud locate at US region
  • my lambda run at Singapore region “ap-southeast-1”

config policy

# List, create, update, and delete key/value secrets
path "secret/*"
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]

config aws role

Key                               Value
---                               -----
allow_instance_migration          false
auth_type                         iam
bound_account_id                  []
bound_ami_id                      []
bound_ec2_instance_id             <nil>
bound_iam_instance_profile_arn    []
bound_iam_principal_arn           [arn:aws:iam::999999999999:role/TTLAssumeRoleForLambdaSftpAuthen]
bound_iam_principal_id            [AROAVNP2OSEHVCCCQ22PL]
bound_iam_role_arn                []
bound_region                      []
bound_subnet_id                   []
bound_vpc_id                      []
disallow_reauthentication         false
inferred_aws_region               n/a
inferred_entity_type              n/a
max_ttl                           1h
resolve_aws_unique_ids            true
role_id                           cd9949b8-4f6e-a3e4-21cf-0e799d45d37c
role_tag                          n/a
token_bound_cidrs                 []
token_explicit_max_ttl            0s
token_max_ttl                     1h
token_no_default_policy           false
token_num_uses                    0
token_period                      0s
token_policies                    []
token_ttl                         0s
token_type                        default