
Unable to create/update AWS authentication role after 1.17.0 - unable to resolve ARN to internal ID: InvalidParameter: 1 validation error(s) found #27765

Closed
agcorreatech opened this issue Jul 11, 2024 · 8 comments
Labels
auth/aws bug Used to indicate a potential bug regression Used to indicate possible regressions between versions

Comments

@agcorreatech

Describe the bug
Unable to create/update AWS authentication role after 1.17.0
Error: unable to resolve ARN to internal ID: InvalidParameter: 1 validation error(s) found

To Reproduce
Steps to reproduce the behavior:

1. Try to create/update an AWS auth role after updating to version 1.17.0:

   ```
   $ vault write auth/aws/role/app-dev-role bound_iam_principal_arn="arn:aws:iam::123456789123:role/role-lambda"

   Error writing data to auth/aws/role/app-dev-role: Error making API request.
   URL: PUT https://vault.dev/v1/auth/aws/role/app-dev-role
   Code: 400. Errors:

   * unable to resolve ARN "arn:aws:iam::123456789123:role/role-lambda" to internal ID: InvalidParameter: 1 validation error(s) found. - minimum field size of 2, AssumeRoleInput.ExternalId.
   ```

2. Read the STS configuration:

   ```
   $ vault read auth/aws/config/sts/123456789123
   Key         Value
   ---         -----
   sts_role    arn:aws:iam::123456789123:role/vault-dev
   ```

3. As an alternative solution, the `external_id` parameter was defined in the STS configuration (this parameter should be optional, but in this case it seems it's not):

   ```
   $ vault write auth/aws/config/sts/123456789123 sts_role=arn:aws:iam::123456789123:role/vault-dev external_id="123"
   Success! Data written to: auth/aws/config/sts/123456789123
   $ vault read auth/aws/config/sts/123456789123
   Key            Value
   ---            -----
   external_id    123
   sts_role       arn:aws:iam::123456789123:role/vault-dev
   ```

4. After defining this parameter, it was possible to configure the AWS authentication role:

   ```
   $ vault write auth/aws/role/app-dev-role bound_iam_principal_arn="arn:aws:iam::123456789123:role/role-lambda"
   Success! Data written to: auth/aws/role/app-dev-role
   ```

5. After updating the authentication role, the `external_id` parameter was removed from the STS configuration:

   ```
   $ vault write auth/aws/config/sts/123456789123 sts_role=arn:aws:iam::123456789123:role/vault-dev external_id=""
   Success! Data written to: auth/aws/config/sts/123456789123
   $ vault read auth/aws/config/sts/123456789123
   Key         Value
   ---         -----
   sts_role    arn:aws:iam::123456789123:role/vault-dev
   ```

6. After removing the `external_id` parameter, it was possible to configure the AWS authentication role again (meaning that it correctly assumed the destination role):

   ```
   $ vault write auth/aws/role/app-dev-role bound_iam_principal_arn="arn:aws:iam::123456789123:role/role-lambda"
   Success! Data written to: auth/aws/role/app-dev-role
   ```

Expected behavior
After upgrading to version 1.17.0, the STS configuration requires the external_id parameter to be defined (even though it is defined in the documentation as an optional parameter). It is not possible to make changes to AWS authentication roles for accounts that already have the STS configuration defined.

Environment:

  • Vault Server Version (retrieve with vault status): 1.17.0
  • Vault CLI Version (retrieve with vault version): 1.17.0
  • Server Operating System/Architecture: Amazon Linux 2
@agcorreatech agcorreatech changed the title Unable to create/update AWS authentication function after 1.17.0 - unable to resolve ARN to internal ID: InvalidParameter: 1 validation error(s) found Unable to create/update AWS authentication role after 1.17.0 - unable to resolve ARN to internal ID: InvalidParameter: 1 validation error(s) found Jul 11, 2024
@agcorreatech
Author

Possible offending update in version 1.17.0 is this:
auth/aws: add support for external_ids in AWS assume-role [GH-26628]

@heatherezell heatherezell added auth/aws bug Used to indicate a potential bug regression Used to indicate possible regressions between versions labels Jul 15, 2024
@jskilton

This broke for us too. 1.17 can no longer use the standard STS and assume role to use the AWS AUTH engine.
I had to put this into my TERRAFORM to create the AWS AUTH endpoints and STS roles, as the current HASHI TF provider does not even have "external_id" as a valid field for the STS backend config. (You can do it with the CLI, but not with the TF provider.)

I used the GENERIC endpoint to add the external_id to the STS config to get it working again.

```hcl
resource "vault_generic_endpoint" "aws" {
  count                = local.aws.enabled == "true" ? length(local.aws.accounts) : 0
  depends_on           = [vault_aws_auth_backend_sts_role.role]
  path                 = "auth/aws/config/sts/${local.aws.accounts[count.index]}"
  ignore_absent_fields = true

  data_json = <<EOT
{
  "external_id": "123"
}
EOT
}
```

@Sayrus

Sayrus commented Jul 22, 2024

Hitting this issue as well, and with the same issue as @jskilton on the Terraform provider. Overwriting the auth role to add `external_id` manually, even if not required by the target STS, fixes the issue.

> The associated STS role must be configured to require the external ID.

So either the "must" here is a "should", or there is another hidden bug that makes it work.

I followed the code in the linked MR a bit, and shouldn't the default value passed to AWS here be nil if the value is unset, instead of an empty string? (https://github.com/aws/aws-sdk-go/blob/main/aws/credentials/stscreds/assume_role_provider.go#L162)
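As an added illustration of the nil-versus-empty-string point raised above (this is constructed example code, not Vault's or the AWS SDK's own source): a small Go model of the SDK's `ExternalId` validation rule, with a builder that always sends a pointer beside one that leaves the field nil when `external_id` is unset. The type and function names are assumptions; only the error text and the minimum-length-of-2 rule come from the issue.

```go
package main

import "fmt"

// assumeRoleInput is a constructed stand-in for the two fields of the
// SDK's sts.AssumeRoleInput that matter here; it is not the real type.
type assumeRoleInput struct {
	RoleArn    string
	ExternalId *string // optional; nil means "field not sent"
}

// Validate mirrors the SDK rule behind the error quoted in the issue: the
// length check runs only when the pointer is non-nil, so nil passes but a
// pointer to "" is rejected with "minimum field size of 2".
func (in assumeRoleInput) Validate() error {
	if in.ExternalId != nil && len(*in.ExternalId) < 2 {
		return fmt.Errorf("InvalidParameter: 1 validation error(s) found. - minimum field size of 2, AssumeRoleInput.ExternalId.")
	}
	return nil
}

// stsConfig models auth/aws/config/sts/<account>: sts_role plus an
// external_id that is "" when the operator never set it.
type stsConfig struct {
	StsRole    string
	ExternalID string
}

// buildInputBroken always sends a pointer, so an unset external_id
// becomes a pointer to "" and fails validation (the 1.17.0 symptom).
func buildInputBroken(c stsConfig) assumeRoleInput {
	return assumeRoleInput{RoleArn: c.StsRole, ExternalId: &c.ExternalID}
}

// buildInputFixed sets ExternalId only when one was configured, leaving
// it nil otherwise so the field is omitted from the AssumeRole call.
func buildInputFixed(c stsConfig) assumeRoleInput {
	in := assumeRoleInput{RoleArn: c.StsRole}
	if c.ExternalID != "" {
		in.ExternalId = &c.ExternalID
	}
	return in
}

func main() {
	cfg := stsConfig{StsRole: "arn:aws:iam::123456789123:role/vault-dev"}
	fmt.Println("broken:", buildInputBroken(cfg).Validate())
	fmt.Println("fixed: ", buildInputFixed(cfg).Validate())
}
```

The same logic explains the workaround in this thread: once `external_id` holds any value of two or more characters, both builders produce a pointer that passes the check.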

@PJ1288

PJ1288 commented Jul 22, 2024

We are hitting the same issue with 1.17+ versions.

```
IAM client: InvalidParameter: 1 validation error(s) found. - minimum field size of 2, AssumeRoleInput.ExternalId.
```

@micolun

micolun commented Jul 25, 2024

Same here with Vault 1.17.1 after upgrading it from 1.16.2.
I am using the Vault Terraform provider and logging in with an AWS assumed role.

```
│ Error: Error making API request.
│ 
│ URL: PUT https://vault-test.example.com/v1/auth/aws/master/login
│ Code: 400. Errors:
│ 
│ * error looking up full ARN of entity &{aws 1234567890123 assumed-role  AWSReservedSSO_AdministratorAccess_3497746d3cd20e29 micolun} when attempting login for role "1234567890123": error creating IAM client: InvalidParameter: 1 validation error(s) found.
│ - minimum field size of 2, AssumeRoleInput.ExternalId.
```

This is not the first Vault issue related to the AWS auth method I have encountered.
AWS assumed roles are poorly supported in Vault.

@KalenWessel

Currently on Vault 1.17.2 and also hitting the same issue with AWS auth:

```
minimum field size of 2, AssumeRoleInput.ExternalId.
```

Once I manually added the `external_id`, authentication worked.

```
vault write auth/aws/config/sts/123456789 sts_role=arn:aws:iam::123456789:role/vault-cross-account external_id="123"
```

Thanks #27765 (comment) for the suggestion. It would have been nice if the `vault_aws_auth_backend_sts_role` resource supported `external_id`.

@ttruong-actian

Same issue for me:

```
* unable to resolve ARN "arn:aws:iam::<accountId>:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_aws-account-user_530707c917121354" to internal ID: InvalidParameter: 1 validation error(s) found.
- minimum field size of 2, AssumeRoleInput.ExternalId.
```

@biazmoreira
Contributor

Hi,

The fix for this has been merged and will be included in the next release. #27858

Thank you for flagging this!
