Set region parameter to be used for STS only on AWS secrets engine #22726
Conversation
|
|
There was a problem hiding this comment.
Today, without iam_endpoint and sts_endpoint set, there is no problem rotating root credentials with the region parameter set. I understand that IAM is a global service, but I'm worried that this has the potential to change behavior for most of our users.
Would you mind clarifying whether #22602 is a bug or feature request? If it's a bug, reproduction steps would be needed. I don't want to risk behavior changes for the rest of our users for what seems like an uncommon configuration (with the proxying of all STS traffic).
builtin/logical/aws/client.go
Outdated
| @@ -36,22 +36,21 @@ func getRootConfig(ctx context.Context, s logical.Storage, clientType string, lo | |||
|
|
|||
| credsConfig.AccessKey = config.AccessKey | |||
| credsConfig.SecretKey = config.SecretKey | |||
There was a problem hiding this comment.
This seems like it would change behavior for configurations that explicitly set the region and don't set iam_endpoint or sts_endpoint?
There was a problem hiding this comment.
Uploaded the following commit to address this: 51aee8e
Thank you @austingebauer.
{
"access_key": "xxxxxxx",
"secret_key": "xxxxxxx",
"iam_endpoint": "https://iam.example.proxy.com",
"sts_endpoint": "https://sts.example.proxy.com",
"region": "eu-west-1"
}
{
"credential_type": "assumed_role",
"role_arns": "arn:aws:iam::xxxxxxx:role/xxxxxx"
}
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
--request POST \
$VAULT_ADDR/v1/aws/creds/<roleName>
curl -sX POST --header "X-Vault-Token: ${VAULT_TOKEN}" $VAULT_ADDR/v1/aws/config/rotate-rootYou will get this error: {"errors":["1 error occurred:\n\t* error calling GetUser: SignatureDoesNotMatch: Credential should be scoped to a valid region.\n\tstatus code: 403, request id: xxxxxxxxxxxxx\n\n"]}Why? As we can see here, the "eu-west-1" region is being used when you call the sts service with "aws/creds/" which is fine. However, it is also being used when calling the iam service with "aws/config/rotate-root"; this is incorrect because iam is a global service which (in this case) means the same as using the "us-east-1" region, which is clearly not the same as "eu-west-1" and therefore causes an error. A custom region can be used for sts calls but not for iam calls. Furthermore, if we try it the other way around, i.e. leaving the region empty, this happens:
{
"access_key": "xxxxxxx",
"secret_key": "xxxxxxx",
"iam_endpoint": "https://iam.example.proxy.com",
"sts_endpoint": "https://sts.example.proxy.com"
}
{"errors":["Error assuming role: SignatureDoesNotMatch: Credential should be scoped to a valid region.\n\tstatus code: 403, request id: xxxxxxxxxxxxxxxxxx"]}
{"request_id":"xxxxxxxxxxxxxxxxx","lease_id":"","renewable":false,"lease_duration":0,"data":{"access_key":"xxxxxxxxx"},"wrap_info":null,"warnings":null,"auth":null}Now it is happening the other way around, the region is defaulting to "us-east-1" (same as global) and therefore the iam service works, but our sts service which is located in "eu-west-1" does not. |
|
Hi @GBT55 - Taking a look at this again and have some questions.
This is not the behavior that I'm seeing when For example, like: The |
|
Hi @austingebauer we have been investigating further if it was our proxy's fault due to incorrect configuration, but we don't think so.
We have tested it and we are also able to rotate the credentials successfully. The problem comes when specifying ANY endpoint AND a region other than
This behaviour is exactly the same on our VMs that go through our proxy Why is Case 4 working but Case 2 isn't, both should be the same right? credsConfig.AccessKey = config.AccessKey
credsConfig.SecretKey = config.SecretKey
credsConfig.Region = config.Region
maxRetries = config.MaxRetries
switch {
case clientType == "iam" && config.IAMEndpoint != "":
endpoint = *aws.String(config.IAMEndpoint)
case clientType == "sts" && config.STSEndpoint != "":
endpoint = *aws.String(config.STSEndpoint)
}We have found a possible solution. We understand that more people may be using the region parameter and changing it may result in unexpected behavior, so we propose to create a new parameter for credsConfig.AccessKey = config.AccessKey
credsConfig.SecretKey = config.SecretKey
credsConfig.Region = config.Region
maxRetries = config.MaxRetries
switch {
case clientType == "iam" && config.IAMEndpoint != "":
endpoint = *aws.String(config.IAMEndpoint)
case clientType == "sts" && config.STSEndpoint != "":
endpoint = *aws.String(config.STSEndpoint)
if config.STSRegion != "" {
credsConfig.Region = config.STSRegion
}
}We have already tested and compiled Vault with this change and all 4 cases are working correctly. If you give me the ok I will commit the changes to this PR. |
|
@GBT55 - Thanks for doing the detailed analysis! The table is really helpful. I'm good on moving forward with the |
|
Hi @austingebauer! Sorry for the delay in replying. I just uploaded the commit with the changes I told you about, just so you know. |
This PR aims to fix the following issue: #22602
We thought that having the
sts_regionparameter might be the solution. However, we have opted for a different approach and with this change now, the AWS engine region parameter will only affect STS API requests, and not IAM requests such as rotating the root IAM credential (which was our main problem).Also, the IAM endpoint on AWS is global, so it doesn't make a lot of sense to use a specific region on the request because it will most likely fail, causing the above issue we described.