Hey Everyone!
We have an issue that is a real blocker for us in terms of scale.
We have AWS Lambdas that use Vault Layer to authenticate with Vault and read secrets from it. (https://developer.hashicorp.com/vault/docs/platform/aws/lambda-extension)
We use Terraform to generate an AWS vault role with an assigned AWS role arn to allow lambda to authenticate.
It works like this:
- The developer creates an AWS role in AWS. Let's say the role name is: hospital-role
- Then we add this role to Vault with Terraform:

```hcl
resource "vault_aws_auth_backend_role" "hospital-role" {
  backend                  = vault_auth_backend.aws_dev_auth.path
  role                     = "hospital-role"
  auth_type                = "iam"
  bound_iam_principal_arns = ["arn:aws:sts::***:role/hospital-role"]
  resolve_aws_unique_ids   = false
  token_ttl                = var.lambda_default_token_ttl
  token_max_ttl            = var.lambda_default_max_token_ttl
  token_policies           = ["hospital-role"]
}
```
After the Lambda is deployed it authenticates and everything works perfectly.
The problem is that we have multiple services, and multiple Lambdas per service, which means creating a role per Lambda. That is a lot of roles. The way to simplify it is to assign one role to multiple Lambdas.
This can be done with a feature that Vault supports: a wildcard at the end of the bound role ARN.
https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/aws_auth_backend_role
The docs say:
bound_iam_principal_arns - (Optional) If set, defines the IAM principal that must be authenticated when `auth_type` is set to `iam`. Wildcards are supported at the end of the ARN.
Another Doc here: https://developer.hashicorp.com/vault/api-docs/auth/aws
Wildcards are supported at the end of the ARN, e.g., "arn:aws:iam::123456789012:*" will match any IAM principal in the AWS account 123456789012. Wildcards are supported at the end of the ARN, e.g., "arn:aws:iam::123456789012:role/*" will match all roles in the AWS account…
These are all examples that I found. So back to our role.
We have this role:

```hcl
resource "vault_aws_auth_backend_role" "CDKRoleDev" {
  backend                  = vault_auth_backend.aws_dev_auth.path
  role                     = "CDKRoleDev"
  auth_type                = "iam"
  bound_iam_principal_arns = ["arn:aws:sts::***:role/CDKRoleDev-*"]
  resolve_aws_unique_ids   = false
  token_ttl                = var.lambda_default_token_ttl
  token_max_ttl            = var.lambda_default_max_token_ttl
  token_policies           = ["CDKRoleDev"]
}
```
And we have a real cloud role attached to the Lambda:
CDKRoleDev-PLACEHOLDERPlaceholder…
After the Lambda starts it throws an error:
| * entry for role CDKRoleDev-PLACEHOLDERPlaceholder... not found
Screenshot of the same error for a different role.
We tried tons of times with different namings and conditions, and none of them worked. All of them throw the same error. And yes, the account reference in the role is correct, we checked.
If we use a regular role without a wildcard it also works. So it is not a connection issue overall.
If somebody has any guesses on what could be an issue, really appreciate your help.
Thanks!
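As an added example (not code from the original post, the Vault Lambda extension, or Vault itself), the Python below models what Vault's AWS IAM auth method does with a login request. Two separate steps matter for the error above: first Vault picks the role to look up by name, using the `role` in the login request or, when none is given, the friendly name of the calling IAM principal (which is exactly the text in "entry for role ... not found"); only then does it check the caller's canonical IAM ARN against `bound_iam_principal_arns`, where a trailing `*` is a prefix wildcard. The wildcard never applies to the role-name lookup, so the login must name the Vault role (`CDKRoleDev`; the Lambda extension takes it from `VAULT_AUTH_ROLE`), not the Lambda's IAM role. The example binds to the `arn:aws:iam::` form, which is how Vault canonicalizes an STS assumed-role ARN; the account id, role names and session name are constructed sample values.

```python
# Added example, not code from the original post or from Vault itself.
# It models two things Vault's AWS IAM auth method does at login time:
#  1. choose the role to look up: the "role" named in the login request or,
#     when none is given, the friendly name of the calling IAM principal;
#  2. check the caller's canonical IAM ARN against bound_iam_principal_arns,
#     where a trailing "*" is a prefix wildcard and anything else is an exact match.
# Account id 123456789012, the role names and the session name are constructed.
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class VaultAwsRole:
    name: str
    bound_iam_principal_arns: list[str]


def canonical_iam_principal(caller_arn: str) -> tuple[str, str]:
    """Map the STS caller-identity ARN (what GetCallerIdentity returns for a Lambda)
    to the IAM role ARN Vault compares against, plus the principal's friendly name."""
    parts = caller_arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {caller_arn!r}")
    partition, service, account, resource = parts[1], parts[2], parts[4], parts[5]
    if service == "sts" and resource.startswith("assumed-role/"):
        # arn:aws:sts::ACCT:assumed-role/<RoleName>/<SessionName>
        role_name = resource.split("/")[1]
        return f"arn:{partition}:iam::{account}:role/{role_name}", role_name
    if service == "iam" and resource.startswith(("role/", "user/")):
        return caller_arn, resource.split("/")[-1]
    raise ValueError(f"unsupported principal ARN: {caller_arn!r}")


def bound_arn_matches(bound_arn: str, principal_arn: str) -> bool:
    """A trailing '*' is the only wildcard form; it is a plain prefix match."""
    if bound_arn.endswith("*"):
        return principal_arn.startswith(bound_arn[:-1])
    return bound_arn == principal_arn


def aws_iam_login(
    roles: dict[str, VaultAwsRole], caller_arn: str, role: str | None = None
) -> tuple[bool, str]:
    """Return (ok, message) the way the login endpoint decides it."""
    iam_arn, friendly_name = canonical_iam_principal(caller_arn)
    role_name = role or friendly_name
    entry = roles.get(role_name)
    if entry is None:
        # The role name is a plain lookup; bound_iam_principal_arns is not consulted yet.
        return False, f"entry for role {role_name} not found"
    if not any(bound_arn_matches(b, iam_arn) for b in entry.bound_iam_principal_arns):
        return False, f"IAM principal {iam_arn} is not authorized for role {role_name}"
    return True, f"authenticated as role {role_name}"


# Constructed sample: one Vault role with a wildcard binding and two Lambda callers.
ROLES = {
    "CDKRoleDev": VaultAwsRole(
        name="CDKRoleDev",
        bound_iam_principal_arns=["arn:aws:iam::123456789012:role/CDKRoleDev-*"],
    )
}
LAMBDA_CALLER = "arn:aws:sts::123456789012:assumed-role/CDKRoleDev-Hospital/lambda-session"
OTHER_CALLER = "arn:aws:sts::123456789012:assumed-role/Billing-Worker/lambda-session"

if __name__ == "__main__":
    # No role in the request: Vault looks for a role literally named "CDKRoleDev-Hospital".
    print(aws_iam_login(ROLES, LAMBDA_CALLER))
    # Role named explicitly (VAULT_AUTH_ROLE=CDKRoleDev for the extension): the wildcard matches.
    print(aws_iam_login(ROLES, LAMBDA_CALLER, role="CDKRoleDev"))
    # A principal outside the wildcard prefix is rejected even with the right role name.
    print(aws_iam_login(ROLES, OTHER_CALLER, role="CDKRoleDev"))
```

The first call reproduces the symptom from the post; the second shows the same wildcard binding accepting the Lambda once the login names the Vault role; the third shows the binding still rejecting a principal whose role name does not start with `CDKRoleDev-`, which is the only filtering the wildcard performs.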
