Hi, please could you assist with the following behaviour in Vault?
I’m not sure if this is a bug or just a config issue
Client config:

```
/ $ vault read auth/aws/config/client
Key                           Value
---                           -----
access_key                    n/a
allowed_sts_header_values     <nil>
endpoint                      n/a
iam_endpoint                  n/a
iam_server_id_header_value    n/a
max_retries                   -1
sts_endpoint                  https://sts.us-east-1.amazonaws.com
sts_region                    us-east-1
use_sts_region_from_client    true
```
Using the client config above we receive the error:

```
The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method.
```
Our request headers contain the following:

```
...
[host, sts.us-east-1.amazonaws.com],
...
[Authorization, AWS4-HMAC-SHA256 Credential=..../us-east-1/sts/aws4_request, SignedHeaders=conte...
```
If I change our request headers to

```
[host, sts.amazonaws.com],
```

I do not see the error and the request completes successfully.
There are quite a few related issues in GitHub but nothing to help resolve this issue (as you can see, I’ve applied the `sts_endpoint` and `sts_region` configurations).
Our configured roles use `iam` as the `auth_type` and have `bound_iam_principal_arn` and `bound_iam_principal_id` set.
If this wasn’t working using the global STS host, I would think I was missing some additional client config, e.g. `iam_endpoint`.
Can anyone suggest something to help with this issue?
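To illustrate why the `host` header decides whether STS accepts the request (an example added here, not code from the original post or from Vault): the `Host` header is one of the SigV4 `SignedHeaders` and the region is part of the credential scope, so a `GetCallerIdentity` request signed for `sts.us-east-1.amazonaws.com` carries a different signature than the same request signed for `sts.amazonaws.com`, and STS rejects it if the host it receives is not the one that was signed. The access key, secret, role name and timestamp are constructed placeholders; the login payload shape follows the `iam` auth_type fields of `auth/aws/login`.

```python
import base64, hashlib, hmac, json
from datetime import datetime, timezone

BODY = "Action=GetCallerIdentity&Version=2011-06-15"

def _hm(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_get_caller_identity(access_key, secret_key, host, region, now, server_id=None):
    """SigV4-sign 'POST https://{host}/' with the GetCallerIdentity body; returns the headers."""
    amz_date, date_stamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    headers = {
        "content-type": "application/x-www-form-urlencoded; charset=utf-8",
        "host": host,  # the Host header is signed: a different host gives a different signature
        "x-amz-date": amz_date,
    }
    if server_id:  # only when Vault's iam_server_id_header_value is set (it is n/a above)
        headers["x-vault-aws-iam-server-id"] = server_id
    signed = ";".join(sorted(headers))
    canonical = "\n".join(["POST", "/", "",
                           "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
                           signed, hashlib.sha256(BODY.encode()).hexdigest()])
    scope = f"{date_stamp}/{region}/sts/aws4_request"  # region is part of the credential scope
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    k = _hm(_hm(_hm(_hm(("AWS4" + secret_key).encode(), date_stamp), region), "sts"), "aws4_request")
    sig = hmac.new(k, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={sig}")
    return headers

def signature_of(headers):
    return headers["authorization"].rsplit("Signature=", 1)[1]

def vault_iam_login_payload(role, host, headers):
    """Body for POST auth/aws/login with auth_type iam: base64 URL, body and JSON headers."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return {"role": role, "iam_http_request_method": "POST",
            "iam_request_url": b64(f"https://{host}/"), "iam_request_body": b64(BODY),
            "iam_request_headers": b64(json.dumps({k: [v] for k, v in headers.items()}))}

def demo(now=datetime(2024, 1, 1, tzinfo=timezone.utc)):
    """Same constructed key and timestamp, signed once per STS host; returns both header sets."""
    ak, sk = "AKIACONSTRUCTEDKEY", "constructed-secret-not-a-real-key"  # constructed sample values
    regional = sign_get_caller_identity(ak, sk, "sts.us-east-1.amazonaws.com", "us-east-1", now)
    global_ = sign_get_caller_identity(ak, sk, "sts.amazonaws.com", "us-east-1", now)
    return regional, global_

if __name__ == "__main__":
    regional, global_ = demo()
    print("signatures differ:", signature_of(regional) != signature_of(global_))  # True
    print(json.dumps(vault_iam_login_payload("my-role", regional["host"], regional), indent=2))
```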