
Failed to perform login operation with alicloud auth plugin #6377

Closed
DahuK opened this issue Mar 8, 2019 · 9 comments

DahuK commented Mar 8, 2019

Describe the bug

I enabled alibaba auth and tried to log in with the CLI command from the guide
https://www.vaultproject.io/docs/auth/alicloud.html, but failed to log in both with vault login -method=alicloud access_key=... secret_key=... security_token=... region= and with the approach of generating the signed request and writing it into auth/alicloud/login

To Reproduce

vault auth enable alicloud

Firstly, I wanted to log in directly with the STS token returned from the instance metadata server, so I ran curl 'http://100.100.100.200/latest/meta-data/ram/security-credentials/$ROLE_NAME' on my ECS,
got the temporary ak/sk/sts token, wrote it into auth/alicloud/role and tried to log in with the CLI:

vault write auth/alicloud/role/$ROLE_NAME arn='acs:ram::xxxxxxxxxx:role/$ROLE_NAME'

vault login -method=alicloud access_key=... secret_key=... security_token=... region=...

it failed with response as:

Error authenticating: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/auth/alicloud/login
Code: 500. Errors:

  • entry for role $ROLE_NAME not found

It confuses me because I think I have written it into auth/alicloud/role/$ROLE_NAME, and I can find it in my backend OSS store. Should I use some other CLI command or write another role? Please help check whether I missed any required steps.

Then I tried to generate the alicloud STS GetCallerIdentity request with a signature, and the request succeeds directly from the browser, but it still fails from the vault CLI as below:

vault write auth/alicloud/login \
        role=dev-role \
        identity_request_url=base64(URL) \
        identity_request_headers=base64(header)

Error writing data to auth/alicloud/login: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/auth/alicloud/login
Code: 500. Errors:

* error making upstream request: received 400 checking caller identity: {"Recommend":"https://error-center.aliyun.com/status/search?Keyword=SignatureDoesNotMatch&source=PopGw","Message":"Specified signature is not matched with our calculation. server string to sign is:POST&%!F(MISSING)&AccessKeyId%!D(MISSING)LTAITTaVB7UVqlEK%!A(MISSING)ction%!D(MISSING)GetCallerIdentity%!F(MISSING)ormat%!D(MISSING)JSON%!S(MISSING)ignatureMethod%!D(MISSING)HMAC-SHA1%!S(MISSING)ignatureNonce%!D(MISSING)MTML9E9fQUDHmrQ7WAlE7eXq3BJbLPvC%!S(MISSING)ignatureVersion%!D(MISSING)1.0%!T(MISSING)imestamp%!D(MISSING)2019-03-07T14%!A(MISSING)10%!A(MISSING)54Z%!V(MISSING)ersion%!D(MISSING)2015-04-01","RequestId":"061A9496-EE17-4B5C-A182-047DCDF3E6A0","HostId":"sts.aliyuncs.com","Code":"SignatureDoesNotMatch"}

It seems the auth plugin did not send the request to alicloud STS in a valid format, so I want to know whether I should just base64-encode the URL for identity_request_url, and what the required format for identity_request_headers is.

Expected behavior
It should log in successfully and return the access token

Environment:

  • Vault Server Version (retrieve with vault status):
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.0.3
Cluster Name    vault-cluster-6d4b32e9
Cluster ID      bb6a9fd4-9e13-0ca0-3daf-72a09f05f8d2
HA Enabled      false
  • Vault CLI Version (retrieve with vault version):
    Vault v1.0.3 ('85909e3373aa743c34a6a0ab59131f61fd9e8e43')

  • Server Operating System/Architecture:
    CentOS Linux release 7.4.1708

Vault server configuration file(s):

{
        "listener": [{
                "tcp": {
                        "address": "0.0.0.0:8200",
                        "tls_disable": 1
                }
        }],
        "api_addr": "http://xxxxx:8200",
        "storage": {
                "alicloudoss": {
                        "access_key": "xxxxxxx",
                        "secret_key": "xxxxxxxxxxxxxxxxxxx",
                        "endpoint": "oss-cn-beijing.aliyuncs.com",
                        "bucket": "vault-beijing"
                }
        },
        "max_lease_ttl": "10h",
        "default_lease_ttl": "10h",
        "ui": true
}

DahuK commented Mar 8, 2019

@tyrannosaurus-becks thx

@tyrannosaurus-becks (Contributor) commented

Hi @DahuK! Thanks for posting those steps.

For one, I don't think that when the role is getting set up, it's getting set up the way it seems.

$ vault auth enable alicloud
Success! Enabled alicloud auth method at: alicloud/

$ export ROLE_NAME=foo
$ vault write auth/alicloud/role/$ROLE_NAME arn='acs:ram::xxxxxxxxxx:role/$ROLE_NAME'
Success! Data written to: auth/alicloud/role/foo

$ vault read auth/alicloud/role/$ROLE_NAME
Key            Value
---            -----
arn            acs:ram::xxxxxxxxxx:role/$ROLE_NAME
bound_cidrs    []
max_ttl        0s
period         0s
policies       <nil>
ttl            0s

Note that it literally shows $ROLE_NAME in the arn there, rather than foo.

@tyrannosaurus-becks (Contributor) commented

There may be additional fixes needed in later steps, but let's start with that one first and see if it gets you where you need to go.


DahuK commented Mar 8, 2019

@tyrannosaurus-becks
Thanks for your quick reply! These are the steps I did before (I faked some characters xxxxx in my STS token and my uid), and I could find the arn named "acs:ram::xxxxxxxxxx:role/kubernetesmasterrole-421edfce-1ab3-47d0-a2ee-9015606097a6" in the alicloud RAM console. Please take a look, thanks again!

vault write auth/alicloud/role/kubernetesmasterrole-421edfce-1ab3-47d0-a2ee-9015606097a6 arn='acs:ram::xxxxxxxxxx:role/kubernetesmasterrole-421edfce-1ab3-47d0-a2ee-9015606097a6'
Success! Data written to: auth/alicloud/role/kubernetesmasterrole-421edfce-1ab3-47d0-a2ee-9015606097a6

vault login -method=alicloud access_key=STS.NHJLSwQddsRyA4ov89nZ3nwPS secret_key=8F8HeC5iRKhMY9jEyjyeF8xmxxxxxxxxxxxx security_token=... region=cn-beijing
Error authenticating: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/auth/alicloud/login
Code: 500. Errors:

* entry for role kubernetesmasterrole-421edfce-1ab3-47d0-a2ee-9015606097a6 not found

@tyrannosaurus-becks (Contributor) commented

Interesting! What do you get when you do:

$ vault read auth/alicloud/role/kubernetesmasterrole-421edfce-1ab3-47d0-a2ee-9015606097a6


DahuK commented Mar 9, 2019

It responds as:

vault read auth/alicloud/role/kubernetesmasterrole-421edfce-1ab3-47d0-a2ee-9015606097a6
Key            Value
---            -----
arn            acs:ram::1629816869803434:role/kubernetesmasterrole-421edfce-1ab3-47d0-a2ee-9015606097a6
bound_cidrs    []
max_ttl        0s
period         0s
policies       <nil>
ttl            0s

and the stored object can be found in the alicloud OSS console


DahuK commented Mar 9, 2019

I think the issue comes from here

	// Prefer an explicitly supplied "role"; otherwise fall back to the role name parsed from the ARN.
	roleName := ""
	roleNameIfc, ok := data.GetOk("role")
	if ok {
		roleName = roleNameIfc.(string)
	} else {
		roleName = parsedARN.RoleName
	}
	// Look the role up in storage; an empty roleName makes this lookup fail.
	role, err := readRole(ctx, req.Storage, roleName)
	if err != nil {
		return nil, err
	}

Every time I try to log in, roleNameIfc returns an empty string even though I have not passed a role as a parameter, so I tried to refine the checking logic and it works in my env. I created the PR below:
hashicorp/vault-plugin-auth-alicloud#22 (comment)

please help to review it, thx!

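The role lookup DahuK quotes above, reproduced as an added example that is not the plugin's own code and not necessarily the change merged in PR #22: parseARN, getOk and the two resolveRoleName functions are constructed stand-ins that show how a login request carrying role="" skips the ARN fallback, and how also treating an empty value as "not supplied" restores it.

```go
package main

import (
	"fmt"
	"strings"
)

// parsedARN holds what the plugin needs from a RAM role ARN of the form
// acs:ram::<account-id>:role/<role-name>. Constructed type, not the plugin's own.
type parsedARN struct {
	AccountID string
	RoleName  string
}

// parseARN is a constructed helper that splits the ARN into account id and role name.
func parseARN(arn string) (*parsedARN, error) {
	parts := strings.Split(arn, ":")
	if len(parts) != 5 || parts[0] != "acs" || parts[1] != "ram" || !strings.HasPrefix(parts[4], "role/") {
		return nil, fmt.Errorf("not a RAM role arn: %q", arn)
	}
	return &parsedARN{AccountID: parts[3], RoleName: strings.TrimPrefix(parts[4], "role/")}, nil
}

// getOk mimics the behaviour of the field-data lookup quoted in the issue:
// ok is true whenever the client sent the key, even with an empty value.
func getOk(data map[string]interface{}, key string) (interface{}, bool) {
	v, ok := data[key]
	return v, ok
}

// resolveRoleNameOriginal mirrors the quoted logic: any present "role" key wins,
// so a login that sends role="" looks up the empty role name and fails.
func resolveRoleNameOriginal(data map[string]interface{}, arn *parsedARN) string {
	if v, ok := getOk(data, "role"); ok {
		return v.(string)
	}
	return arn.RoleName
}

// resolveRoleNameFixed treats an absent or empty "role" the same way and falls
// back to the role name embedded in the caller's ARN (assumed fix, not the merged PR).
func resolveRoleNameFixed(data map[string]interface{}, arn *parsedARN) string {
	if v, ok := getOk(data, "role"); ok {
		if s, isStr := v.(string); isStr && s != "" {
			return s
		}
	}
	return arn.RoleName
}
```
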
@tyrannosaurus-becks (Contributor) commented

@DahuK thanks for that PR. Does it solve the problem for you? If so I'll close this.


DahuK commented Mar 12, 2019

Yes, it is. Close this.

@DahuK DahuK closed this as completed Mar 12, 2019