I'm trying to set up the AWS auth method for cross account access in Vault.
I've enabled the aws auth method
vault auth enable aws
vault write auth/aws/role/dev-role auth_type=iam bound_account_id=[RemoteAccountID] inferred_entity_type=ec2_instance inferred_aws_region=us-east-1 policies=dev max_ttl=24h
vault write auth/aws/config/sts/[RemoteAccountID] sts_role=arn:aws:iam::[RemoteAccountID]:role/VaultRole
I've configured this policy on the ec2 instance on which vault runs
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"iam:GetInstanceProfile",
"iam:GetUser",
"iam:GetRole"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": [
"arn:aws:iam::[RemoteAccountID]:role/VaultRole"
]
}
]
}
I've also added the Vault account as a trusted entity to the "arn:aws:iam::[RemoteAccountID]:role/VaultRole"
which is on the ec2 instance in the account I'm trying to authenticate from.
But when I log into the instance on the remote account and call the vault login -method=aws role=dev-role
command, I get the error
error authenticating: Error making API request.
URL: PUT http://11.11.11.11:8200/v1/auth/aws/login
Code: 400. Errors:
* entry for role dev-role not found
Is there some other config that needs to be set up in order to establish this sort of cross account authentication with Vault?
CodePudding user response:
I've replicated something similar and it works just fine.
Are you by any chance using Vault namespaces? If you are, in what namespace are you enabling the AWS auth engine and writing the role/sts config?
Try logging into the remote ec2 instance and exporting the namespace: export VAULT_NAMESPACE=foo
and then re-run your vault login -method=aws role=dev-role
command.
Or just do vault login -method=aws role=dev-role -namespace=foo
If it complains about a missing header value, you might want to set one up on the master.
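Putting the answer's advice together, here is an added example (not code from the original question or answer) that repeats the asker's setup with the namespace made explicit, adds the optional X-Vault-AWS-IAM-Server-ID header value the answer mentions, and prints the matching login command for the remote instance. It assumes VAULT_ADDR and VAULT_TOKEN are set for the admin shell and that the vault CLI is installed; dev-role, VaultRole, the account ID and vault.example.com are placeholders carried over from the question or made up here. With DRY_RUN=1 it only prints the commands, prefixed with the namespace they would hit, so you can see where the role would actually be written.

```shell
#!/bin/sh
# Added example: namespace-aware AWS auth setup for cross-account IAM login.
# Placeholders: dev-role, VaultRole, the account ID, vault.example.com.

# Run a vault command, or with DRY_RUN=1 just print it together with the
# namespace it targets (root when VAULT_NAMESPACE is unset).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "[ns=${VAULT_NAMESPACE:-root}] vault $*"
  else
    vault "$@"
  fi
}

# setup_aws_auth NAMESPACE REMOTE_ACCOUNT_ID [HEADER_VALUE]
# An empty NAMESPACE configures the root namespace. Everything below is
# written into the same namespace, so the client must log in there too.
setup_aws_auth() {
  ns="$1"; acct="$2"; hdr="${3:-}"
  if [ -n "$ns" ]; then
    export VAULT_NAMESPACE="$ns"
  else
    unset VAULT_NAMESPACE
  fi

  run auth enable aws

  # Role that instances in the remote account will log in with.
  run write auth/aws/role/dev-role auth_type=iam \
    bound_account_id="$acct" inferred_entity_type=ec2_instance \
    inferred_aws_region=us-east-1 policies=dev max_ttl=24h

  # Role Vault assumes in the remote account to describe callers there.
  run write "auth/aws/config/sts/$acct" \
    sts_role="arn:aws:iam::${acct}:role/VaultRole"

  # Optional: require the X-Vault-AWS-IAM-Server-ID header. Once set, clients
  # must pass header_value= on login or the request is rejected.
  if [ -n "$hdr" ]; then
    run write auth/aws/config/client iam_server_id_header_value="$hdr"
  fi

  # Confirm the role exists in the namespace the client will use; a miss here
  # is the "entry for role dev-role not found" error from the question.
  run read auth/aws/role/dev-role
}

# login_cmd NAMESPACE [HEADER_VALUE]: the command to run on the remote instance.
# Flags are placed before the role=... argument, as the vault CLI expects.
login_cmd() {
  ns="$1"; hdr="${2:-}"
  cmd="vault login -method=aws"
  [ -n "$ns" ] && cmd="$cmd -namespace=$ns"
  [ -n "$hdr" ] && cmd="$cmd header_value=$hdr"
  echo "$cmd role=dev-role"
}

# Usage: ./setup.sh NAMESPACE REMOTE_ACCOUNT_ID [HEADER_VALUE]
if [ "$#" -ge 2 ]; then
  setup_aws_auth "$@"
  echo "On the remote instance run:"
  login_cmd "$1" "${3:-}"
fi
```

Run it once with DRY_RUN=1 to confirm every write lands in the namespace you expect, then without it against the real server; the printed login command is what goes on the instance in the remote account, and if you used a header value it has to appear there as well.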