Cannot create Vault Auth Backend Role without also enabling inferencing #378

Status: Open
soapergem opened this issue Apr 2, 2019 · 5 comments

soapergem commented Apr 2, 2019

Terraform Version

Terraform v0.11.11
+ provider.aws v2.4.0
+ provider.vault v1.6.0

Affected Resource(s)

  • vault_aws_auth_backend_role

Terraform Configuration Files

provider "aws" {
  region  = "us-east-1"
}

provider "vault" {
  address = "https://vault.REDACTED.com"
  token = "REDACTED"
}

resource "vault_policy" "envconfig" {
  name   = "envconfig-reader"
  policy = "${file("envconfig-policy.hcl")}"
}

resource "vault_aws_auth_backend_role" "envconfig" {
  backend                         = "aws"
  role                            = "${vault_policy.envconfig.name}"
  auth_type                       = "iam"
  bound_iam_role_arns             = ["${aws_iam_role.envconfig.arn}"]
  bound_iam_instance_profile_arns = ["${aws_iam_instance_profile.envconfig.arn}"]
  ttl                             = 60
  max_ttl                         = 120
  policies                        = ["${vault_policy.envconfig.name}"]
}

data "aws_iam_policy_document" "assume_role" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type = "Service"

      identifiers = [
        "ec2.amazonaws.com",
        "ecs.amazonaws.com",
        "lambda.amazonaws.com",
      ]
    }
  }
}

resource "aws_iam_role" "envconfig" {
  name               = "envconfig-reader"
  assume_role_policy = "${data.aws_iam_policy_document.assume_role.json}"
}

resource "aws_iam_instance_profile" "envconfig" {
  name = "${aws_iam_role.envconfig.name}"
  role = "${aws_iam_role.envconfig.name}"
}

resource "aws_iam_role_policy_attachment" "envconfig-basic" {
  role       = "${aws_iam_role.envconfig.name}"
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

resource "aws_iam_role_policy_attachment" "envconfig-vpc" {
  role       = "${aws_iam_role.envconfig.name}"
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}

Debug Output

Link to a GitHub Gist containing the complete debug output

Expected Behavior

It should have created the vault_aws_auth_backend_role resource without problems.

Actual Behavior

It failed to create the resource, giving this error:

at least one bound parameter should be specified on the role

Steps to Reproduce

  1. terraform apply

Important Factoids

Obviously you need to point it to a real Vault server and use a real (root) token.

I noticed that if I add in both of these fields:

inferred_entity_type = "ec2_instance"
inferred_aws_region  = "us-east-1"

...then it saves the resource successfully. However I specifically don't want to add these fields. Looking at the Vault API code, it should be able to work without them. Since I already do specify two bindings (bound_iam_role_arns and bound_iam_instance_profile_arns), this would lead me to believe that this Terraform provider is calling the Vault API in a weird way.

soapergem (Author) commented

Actually, I looked into this a little further and tried to create the Vault role directly from the CLI (not using Terraform). It turns out that one does need inferencing enabled to use the bind features, so I'm going to close this.

tmccombs commented

I got this same error when using config like:

resource "vault_aws_auth_backend_role" "developer" {
  backend             = vault_auth_backend.aws.path
  role                = "developer"
  auth_type           = "iam"
  bound_iam_role_arns = [var.some_role_arn]
  token_policies      = ["default", vault_policy.dev_ro.name]
}

But weirdly, if I added inferred_entity_type and inferred_aws_region it worked. Then afterwards I was able to remove inferred_entity_type, and it applied successfully.

Using the API worked as well. I think there is something weird with how Terraform is using the API. Maybe something is being set to a default value that should be undefined?

mt-milind commented

I checked with the Vault CLI: if you remove inferred_aws_region and inferred_entity_type after applying, they are not removed and stay the same in the AWS role.
Also, I am able to create the role just fine using the Vault CLI without providing the above two fields.
Can we open the issue again?

fairclothjm reopened this Aug 15, 2023

fairclothjm (Contributor) commented Aug 15, 2023

We may need to make inferred_aws_region and inferred_entity_type Computed as well as check that all create and update paths work as they should.

Conacious commented

I'm hitting the same issue today. I have the same results as mentioned here #378 (comment)

When configuring via vault-cli everything works as expected and I can authenticate using the vault cli. However, when I do it using Terraform I get an error:

failed to verify MyRole as a valid EC2 instance in region eu-central-1: error fetching description for instance ID "MyRole"

And of course, I can't remove the parameters inferred_aws_region or inferred_entity_type, making it impossible to configure this via Terraform.
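A drift check for the behaviour mt-milind and Conacious describe above (the inferred_* values staying in Vault after being dropped from the Terraform configuration), added here as an example and not code from the provider or from anyone in this thread: it compares the role Terraform declares with the `data` object that `vault read -format=json auth/aws/role/<name>` returns. The singular Vault field names and the sample response are assumptions constructed for the example.

```python
import json

# Vault's read response names the bound constraints in the singular (assumption:
# field names as returned by `vault read -format=json auth/aws/role/<name>`).
BOUND_FIELDS = ("bound_iam_role_arn", "bound_iam_instance_profile_arn",
                "bound_iam_principal_arn", "bound_ami_id", "bound_account_id")
# Terraform argument name -> Vault response field name.
TF_TO_VAULT = {"bound_iam_role_arns": "bound_iam_role_arn",
               "bound_iam_instance_profile_arns": "bound_iam_instance_profile_arn"}

def _as_set(value):
    """Normalise a bound constraint (missing, string or list) to a set."""
    if value is None or value == "":
        return set()
    return {value} if isinstance(value, str) else set(value)

def role_drift(desired, actual):
    """Compare the Terraform-declared role (`desired`, keys as in the .tf file)
    with the `data` object Vault returned for it; return a list of findings."""
    findings = []
    if not any(_as_set(actual.get(f)) for f in BOUND_FIELDS):
        findings.append("role has no bound constraint; Vault rejects this")
    for tf_key, vault_key in TF_TO_VAULT.items():
        want, have = _as_set(desired.get(tf_key)), _as_set(actual.get(vault_key))
        if want != have:
            findings.append(f"{tf_key}: terraform={sorted(want)} vault={sorted(have)}")
    for key in ("inferred_entity_type", "inferred_aws_region"):
        if actual.get(key) and not desired.get(key):
            findings.append(f"{key}={actual[key]!r} persists in Vault but is not in Terraform")
    if actual.get("inferred_entity_type") and not actual.get("inferred_aws_region"):
        findings.append("inferred_entity_type set without inferred_aws_region")
    return findings

# Constructed sample: the state reported in this thread, where the inferred_*
# values survive in Vault after being removed from the Terraform configuration.
DESIRED = {
    "bound_iam_role_arns": ["arn:aws:iam::123456789012:role/envconfig-reader"],
    "bound_iam_instance_profile_arns":
        ["arn:aws:iam::123456789012:instance-profile/envconfig-reader"],
}
VAULT_READ = json.loads("""{"data": {"auth_type": "iam",
  "bound_iam_role_arn": ["arn:aws:iam::123456789012:role/envconfig-reader"],
  "bound_iam_instance_profile_arn":
    ["arn:aws:iam::123456789012:instance-profile/envconfig-reader"],
  "inferred_entity_type": "ec2_instance", "inferred_aws_region": "us-east-1"}}""")

if __name__ == "__main__":
    for finding in role_drift(DESIRED, VAULT_READ["data"]):
        print("DRIFT:", finding)
```

Feed it the real `data` object from `vault read -format=json` and the role's Terraform arguments to confirm whether a role that Terraform reports as clean still carries inferencing settings in Vault.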
