Vault AWS Auto Auth - “client nonce mismatch and instance meta-data incorrect”

I was following the Vault Agent with AWS documentation and it workes fine until I restart the service or reboot the instance. Any ideas on how I can overcome this problem?

vault agent configuration file vault_agent.hcl :

pid_file = "./pidfile"

vault {
    address = "http://vault-server:8200"
    retry {
        num_retries = 5

listener "tcp" {
    address  = "{{ ansible_ssh_host }}:8200"
    cluster_address = "{{ ansible_ssh_host }}:8201"
    tls_disable = 1

auto_auth {
    method "aws" {
    mount_path = "auth/aws/project"
    config = {
        type = "ec2"
        role = "test-role"

    cache {
        use_auto_auth_token = true

    sink "file" {
        config = {
            path = "/tmp/test"


Now the login works without problem.


vault login


Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                            Value
---                            -----
token                          xxx
token_accessor                 xxx
token_duration                 46s
token_renewable                true
token_policies                 ["admin-role" "default"]
identity_policies              []
policies                       ["admin-role" "default"]
token_meta_account_id          xxx
token_meta_auth_type           ec2
token_meta_role                test-role
token_meta_role_tag_max_ttl    0s

However, if I restart the agent or reboot the ec2 instance I can’t authunticate anymore:

* client nonce mismatch and instance meta-data incorrect" backoff=1s
[INFO]  auth.handler: authenticating
[ERROR] auth.handler: error authenticating: error="Error making API request.

The tutorial is setting up IAM Auth. If you’re using EC2 auth, you need to manage the client_nonce (see Client Nonce for more detail). If you can use IAM Auth that’s usually preferable, however.

1 Like