AWS assumerole with context (my use case pass tags with role assumption) #7960
Labels
Comments
hsimon-hashicorp
added
the
community-sentiment
harsimranmaan
added a commit
to harsimranmaan/vault
that referenced
this issue
Jan 24, 2023
It is now possible to set the AWS session tags and external id when assuming an IAM role
via STS AssumeRole.
Here's an example setup
AWS Role - Trust relationship needs the `sts:TagSession` permission set as described in
```bash
vault secrets enable aws
vault write aws/config/root access_key=<key> secret_key=<secret> region=us-west-2
vault write aws/roles/my-role credential_type=assumed_role max_sts_ttl=1h role_arns="arn:aws:iam::000000000000:role/test" session_tags="department=eng" session_tags="project=p1" external_id=123
```
Read the role definition
```
vault read aws/roles/my-role
Key Value
--- -----
credential_type assumed_role
default_sts_ttl 0s
external_id 123
iam_groups <nil>
iam_tags <nil>
max_sts_ttl 1h
permissions_boundary_arn n/a
policy_arns <nil>
policy_document n/a
role_arns [arn:aws:iam::000000000000:role/test]
session_tags map[department:eng project:p1]
user_path n/a
```
```bash
vault read aws/sts/my-role
Key Value
--- -----
access_key XXXX
arn arn:aws:sts::000000000000:assumed-role/test/vault-token-my-role-1674516375-mBKZQssrwtP6gl3kbmWq
secret_key XXX
security_token XXX
ttl 59m59s
```
The cloudtrail for AssumeRole looks like
```
"userIdentity": {
"type": "IAMUser",
"principalId": "XXX",
"arn": "arn:aws:iam::000000000000:user/vault-user",
"accountId": "000000000000",
"accessKeyId": "XXX",
"userName": "vault-user"
},
"eventTime": "2023-01-23T23:31:12Z",
"eventSource": "sts.amazonaws.com",
"eventName": "AssumeRole",
"awsRegion": "us-east-1",
"sourceIPAddress": "XXX",
"userAgent": "aws-sdk-go/1.44.128 (go1.19.5; darwin; arm64)",
"requestParameters": {
"roleArn": "arn:aws:iam::000000000000:role/test",
"roleSessionName": "vault-token-my-role-1674516375",
"durationSeconds": 3600,
"tags": [
{
"key": "department",
"value": "eng"
},
{
"key": "project",
"value": "p1"
}
],
"externalId": "123"
},
...
```
When using the creds are used for accessing an S3 resource with Attribute-based Access Control (ABAC), you can now see that only requests with principalTag project=p1 are allowed while requests to path p2 are denied.
```
aws s3 cp a.txt s3://session-tags-test/p1/a.txt
upload: ./a.txt to s3://session-tags-test/p1/a.txt
➜ ~ aws s3 cp a.txt s3://session-tags-test/p2/a.txt
upload failed: ./a.txt to s3://session-tags-test/p2/a.txt An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
```
The IAM policy had the following block in the above case
```
{
"Action": [
"s3:Describe*",
"s3:Get*",
"s3:List*",
"s3:PutObject*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::session-tags-test/${aws:PrincipalTag/project}/*",
"arn:aws:s3:::session-tags-test/${aws:PrincipalTag/project}"
]
}
```
Troubleshooting:
Error:
```
Error assuming role: AccessDenied: User: arn:aws:iam::000000000000:user/vault-user is not authorized to perform: sts:TagSession on resource: arn:aws:iam::000000000000:role/test
status code: 403, request id: ba8ab60e-2fdf-4668-81ad-5fe83e9b898e
```
Remedy: Assign the `sts:TagSession` permission to the `arn:aws:iam::000000000000:role/test`. See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_permissions-required
Error:
```
* Error assuming role: AccessDenied: User: arn:aws:iam::000000000000:user/vault-user is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::000000000000:role/test
status code: 403, request id: c0117588-9c84-490d-9b36-91135545dec1
```
Remedy: If the external ID is set, follow https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html to ensure that external ID matches the ID set on the role. If you have not added the externalID condition on the role, it would not affect the assume role operation when an external ID is set only in Vault.
This change does not add support for transitive keys but it should be simple to add it in the future.
Closes hashicorp#3790 hashicorp#7960
harsimranmaan
added a commit
to harsimranmaan/vault
that referenced
this issue
Jan 24, 2023
It is now possible to set the AWS session tags and external id when assuming an IAM role via STS AssumeRole. Here's an example setup AWS Role - Trust relationship needs the `sts:TagSession` permission set as described in https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_permissions-required ```bash vault secrets enable aws vault write aws/config/root access_key=<key> secret_key=<secret> region=us-west-2 vault write aws/roles/my-role credential_type=assumed_role max_sts_ttl=1h role_arns="arn:aws:iam::000000000000:role/test" session_tags="department=eng" session_tags="project=p1" external_id=123 ``` Read the role definition ``` vault read aws/roles/my-role Key Value --- ----- credential_type assumed_role default_sts_ttl 0s external_id 123 iam_groups <nil> iam_tags <nil> max_sts_ttl 1h permissions_boundary_arn n/a policy_arns <nil> policy_document n/a role_arns [arn:aws:iam::000000000000:role/test] session_tags map[department:eng project:p1] user_path n/a ``` ```bash vault read aws/sts/my-role Key Value --- ----- access_key XXXX arn arn:aws:sts::000000000000:assumed-role/test/vault-token-my-role-1674516375-mBKZQssrwtP6gl3kbmWq secret_key XXX security_token XXX ttl 59m59s ``` The cloudtrail for AssumeRole looks like ``` "userIdentity": { "type": "IAMUser", "principalId": "XXX", "arn": "arn:aws:iam::000000000000:user/vault-user", "accountId": "000000000000", "accessKeyId": "XXX", "userName": "vault-user" }, "eventTime": "2023-01-23T23:31:12Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "awsRegion": "us-east-1", "sourceIPAddress": "XXX", "userAgent": "aws-sdk-go/1.44.128 (go1.19.5; darwin; arm64)", "requestParameters": { "roleArn": "arn:aws:iam::000000000000:role/test", "roleSessionName": "vault-token-my-role-1674516375", "durationSeconds": 3600, "tags": [ { "key": "department", "value": "eng" }, { "key": "project", "value": "p1" } ], "externalId": "123" }, ... ``` When using the creds are used for accessing an S3 resource with Attribute-based Access Control (ABAC), you can now see that only requests with principalTag project=p1 are allowed while requests to path p2 are denied. ``` aws s3 cp a.txt s3://session-tags-test/p1/a.txt upload: ./a.txt to s3://session-tags-test/p1/a.txt ➜ ~ aws s3 cp a.txt s3://session-tags-test/p2/a.txt upload failed: ./a.txt to s3://session-tags-test/p2/a.txt An error occurred (AccessDenied) when calling the PutObject operation: Access Denied ``` The IAM policy had the following block in the above case ``` { "Action": [ "s3:Describe*", "s3:Get*", "s3:List*", "s3:PutObject*" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::session-tags-test/${aws:PrincipalTag/project}/*", "arn:aws:s3:::session-tags-test/${aws:PrincipalTag/project}" ] } ``` Troubleshooting: Error: ``` Error assuming role: AccessDenied: User: arn:aws:iam::000000000000:user/vault-user is not authorized to perform: sts:TagSession on resource: arn:aws:iam::000000000000:role/test status code: 403, request id: ba8ab60e-2fdf-4668-81ad-5fe83e9b898e ``` Remedy: Assign the `sts:TagSession` permission to the `arn:aws:iam::000000000000:role/test`. See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_permissions-required Error: ``` * Error assuming role: AccessDenied: User: arn:aws:iam::000000000000:user/vault-user is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::000000000000:role/test status code: 403, request id: c0117588-9c84-490d-9b36-91135545dec1 ``` Remedy: If the external ID is set, follow https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html to ensure that external ID matches the ID set on the role. If you have not added the externalID condition on the role, it would not affect the assume role operation when an external ID is set only in Vault. This change does not add support for transitive keys but it should be simple to add it in the future. Closes hashicorp#3790 hashicorp#7960
harsimranmaan
added a commit
to harsimranmaan/vault
that referenced
this issue
Aug 3, 2023
It is now possible to set the AWS session tags and external id when assuming an IAM role via STS AssumeRole. Here's an example setup AWS Role - Trust relationship needs the `sts:TagSession` permission set as described in https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_permissions-required ```bash vault secrets enable aws vault write aws/config/root access_key=<key> secret_key=<secret> region=us-west-2 vault write aws/roles/my-role credential_type=assumed_role max_sts_ttl=1h role_arns="arn:aws:iam::000000000000:role/test" session_tags="department=eng" session_tags="project=p1" external_id=123 ``` Read the role definition ``` vault read aws/roles/my-role Key Value --- ----- credential_type assumed_role default_sts_ttl 0s external_id 123 iam_groups <nil> iam_tags <nil> max_sts_ttl 1h permissions_boundary_arn n/a policy_arns <nil> policy_document n/a role_arns [arn:aws:iam::000000000000:role/test] session_tags map[department:eng project:p1] user_path n/a ``` ```bash vault read aws/sts/my-role Key Value --- ----- access_key XXXX arn arn:aws:sts::000000000000:assumed-role/test/vault-token-my-role-1674516375-mBKZQssrwtP6gl3kbmWq secret_key XXX security_token XXX ttl 59m59s ``` The cloudtrail for AssumeRole looks like ``` "userIdentity": { "type": "IAMUser", "principalId": "XXX", "arn": "arn:aws:iam::000000000000:user/vault-user", "accountId": "000000000000", "accessKeyId": "XXX", "userName": "vault-user" }, "eventTime": "2023-01-23T23:31:12Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "awsRegion": "us-east-1", "sourceIPAddress": "XXX", "userAgent": "aws-sdk-go/1.44.128 (go1.19.5; darwin; arm64)", "requestParameters": { "roleArn": "arn:aws:iam::000000000000:role/test", "roleSessionName": "vault-token-my-role-1674516375", "durationSeconds": 3600, "tags": [ { "key": "department", "value": "eng" }, { "key": "project", "value": "p1" } ], "externalId": "123" }, ... ``` When using the creds are used for accessing an S3 resource with Attribute-based Access Control (ABAC), you can now see that only requests with principalTag project=p1 are allowed while requests to path p2 are denied. ``` aws s3 cp a.txt s3://session-tags-test/p1/a.txt upload: ./a.txt to s3://session-tags-test/p1/a.txt ➜ ~ aws s3 cp a.txt s3://session-tags-test/p2/a.txt upload failed: ./a.txt to s3://session-tags-test/p2/a.txt An error occurred (AccessDenied) when calling the PutObject operation: Access Denied ``` The IAM policy had the following block in the above case ``` { "Action": [ "s3:Describe*", "s3:Get*", "s3:List*", "s3:PutObject*" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::session-tags-test/${aws:PrincipalTag/project}/*", "arn:aws:s3:::session-tags-test/${aws:PrincipalTag/project}" ] } ``` Troubleshooting: Error: ``` Error assuming role: AccessDenied: User: arn:aws:iam::000000000000:user/vault-user is not authorized to perform: sts:TagSession on resource: arn:aws:iam::000000000000:role/test status code: 403, request id: ba8ab60e-2fdf-4668-81ad-5fe83e9b898e ``` Remedy: Assign the `sts:TagSession` permission to the `arn:aws:iam::000000000000:role/test`. See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_permissions-required Error: ``` * Error assuming role: AccessDenied: User: arn:aws:iam::000000000000:user/vault-user is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::000000000000:role/test status code: 403, request id: c0117588-9c84-490d-9b36-91135545dec1 ``` Remedy: If the external ID is set, follow https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html to ensure that external ID matches the ID set on the role. If you have not added the externalID condition on the role, it would not affect the assume role operation when an external ID is set only in Vault. This change does not add support for transitive keys but it should be simple to add it in the future. Closes hashicorp#3790 hashicorp#7960
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Feature Request:
AWS Assume Role can take session tags to be AWS Principal Tags. Adding this to Vault would allow us to pass attributes to AWS to better implement attribute based access control. Can this be implemented and an interface to map attributes from the auth backend (our case ldap) to tags to pass?
This part of the assumerole api is much trickier to account for than taking policy arns. Passing tag keys and their values would be tedious for normal users but if the interface that assumes the role can take the tags map from some attribute mapping it should be able to pass them by default.
Ultimately the workflow for us would be users don't pass their attributes but they would be appended by some method to temp access key requests (i.e assumerole.)
Environment:
Vault Config File:
Startup Log Output:
Expected Behavior:
Actual Behavior:
Steps to Reproduce:
Important Factoids:
References:
The text was updated successfully, but these errors were encountered: