IAM auth_ec2 doesn't work, and seems like it can't possibly work #130
Comments
It sounds like this might be related to #108
Orthogonal issues. The way I read #108 is that it relates to creating and managing EC2/IAM roles from the library, as a superuser, for example. This ticket is about what appears to be the complete lack of library support for its use as an unprivileged client, to log in using IAM.
Vault changed the aws auth backend completely in one of the later releases and this doesn't seem to be reflected in hvac yet.
What I've done is use requests to authenticate manually and get a token, then create an hvac client with that token. It's tedious but works.
I would love to see the relevant section of your code, @myoung34, especially if you are using the iam option for the Vault AWS authentication method rather than the ec2 method. I need to use the iam option with a Lambda function. When you said you did requests manually, did you mean by doing calls equivalent to those in https://github.com/hashicorp/vault/blob/master/builtin/credential/aws/cli.go?
Actually, it seems that #126 provides some code to do this outside the hvac code.
@rberlind I use this, then we just call client with the token and use some wrapped methods. In our containers:
and in lambda:
Thanks for clarifying what you are doing @myoung34. That is interesting, but you are not using the Vault AWS iam authentication method. I was able to do that by making a modification to code provided by @ltm in #170. See my comment #170 (comment)
It appears to me that the latest AWS auth backend expects a route of
You raise a good point, @jeffwecan. The actual mountpoint for any Vault auth method can vary depending on how it was created with the Enable Auth Method (https://www.vaultproject.io/api/system/auth.html#enable-auth-method) or auth enable CLI command (https://www.vaultproject.io/docs/commands/auth/enable.html). This is pointed out at the top of https://www.vaultproject.io/api/auth/aws/index.html. So, one could create an instance of the AWS auth method with type ec2 at path aws-ec2 and the methods in this library that refer to /v1/auth/aws-ec2 should work fine. However, it would be much better if the methods in this library that do refer to "aws-ec2" were instead parameterized like other methods in the library to use a mount_point argument that would then be referenced in the actual call to the HTTP API instead of "aws-ec2".
Ahh, that makes total sense! In light of that, I'll see about adding a parameter to that effect (perhaps with the current hard-coded value as a default for backwards compatibility?) and see what I can come up with.
@myoung34 your wrapper methods worked like a charm! Thanks for sharing that.
This is ideally fixed in #181 and will be included in the next release. Feel free to reopen this issue if it's not quite resolved, however.
@jeffwecan Is this update in the pip installable version of hvac? |
This issue should be closed and the fix was released in version 0.6.0, which is published on PyPI. If you're getting a "missing client token" exception, it's quite possibly a configuration issue. However, if you are able to provide some details and/or replication steps, I'd be happy to look into your specific issue.
Might be something really simple, but I am currently using this:
where
My mistake may be not specifying the role argument? If so, would the role be the one created during Vault configuration by writing to
Correct. Or at least I believe the role name defaults to the instance's AMI ID derived from the pkcs7 string:
How would I authenticate if I am trying to log in to a role configured in |
Never mind, just realized I can just exclude the mounting path.
According to the Vault documentation for the iam/ec2 auth endpoints, it works like this:
https://www.vaultproject.io/docs/auth/aws.html
After un-base64-ing that, and formatting it to make it somewhat readable, it looks like:
But I'm looking through the hvac code, and auth_ec2 does none of those things.
In experimenting with it, I'm getting explosions like:
"Missing client token" is not what it should be responding with. But then, hvac doesn't appear to even be trying to authenticate properly, so the server appears to be trying to authenticate it with the default (token) auth.
Does this auth_ec2 even work? Or am I missing something very obvious and fundamental?
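The two login payloads the Vault docs describe above (the iam method that @rberlind needs for Lambda, and the ec2 method this issue is about), built by hand with a caller-supplied mount point as proposed in the mount_point discussion in this thread. This is an added example, not hvac's code and not code posted by anyone in the thread. It assumes the request shapes from the linked Vault AWS auth docs: for iam, a SigV4-signed POST of sts:GetCallerIdentity whose method, URL, headers (as a JSON object) and body are base64-encoded field by field; for ec2, the PKCS#7-signed instance identity document plus an optional role and nonce. The credentials, timestamp, server ID, role names and the function and parameter names are the example's own constructed placeholders.

```python
import base64
import datetime
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Constants from the Vault AWS auth docs: the request Vault replays to STS.
STS_HOST = "sts.amazonaws.com"
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"
STS_CONTENT_TYPE = "application/x-www-form-urlencoded; charset=utf-8"


def login_path(mount_point: str = "aws") -> str:
    """Login path for an AWS auth mount. The mount name is whatever
    `vault auth enable -path=... aws` was given, so it is a parameter
    rather than a hard-coded "aws-ec2"."""
    return "/v1/auth/{}/login".format(mount_point.strip("/"))


def build_ec2_login(pkcs7: str, role: Optional[str] = None,
                    nonce: Optional[str] = None) -> Dict[str, str]:
    """ec2 method payload: the PKCS#7-signed instance identity document plus an
    optional role (Vault otherwise looks for a role named after the AMI ID)
    and the reauthentication nonce."""
    payload = {"pkcs7": pkcs7}
    if role:
        payload["role"] = role
    if nonce:
        payload["nonce"] = nonce
    return payload


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _b64(value: str) -> str:
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def sign_get_caller_identity(access_key: str, secret_key: str,
                             when: datetime.datetime,
                             session_token: Optional[str] = None,
                             server_id: Optional[str] = None,
                             region: str = "us-east-1") -> Dict[str, str]:
    """SigV4-sign a POST sts:GetCallerIdentity request and return its headers.
    Vault forwards exactly this request to STS to learn who the caller is."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    headers = {"Content-Type": STS_CONTENT_TYPE, "Host": STS_HOST,
               "X-Amz-Date": amz_date}
    if session_token:  # temporary credentials (Lambda, instance roles)
        headers["X-Amz-Security-Token"] = session_token
    if server_id:  # binds the signature to one Vault server (iam_server_id_header_value)
        headers["X-Vault-AWS-IAM-Server-ID"] = server_id
    names = sorted(headers, key=str.lower)  # Authorization is added afterwards
    canonical_headers = "".join("{}:{}\n".format(n.lower(), headers[n].strip()) for n in names)
    signed_headers = ";".join(n.lower() for n in names)
    canonical_request = "\n".join(["POST", "/", "", canonical_headers, signed_headers,
                                   hashlib.sha256(STS_BODY.encode("utf-8")).hexdigest()])
    scope = "{}/{}/sts/aws4_request".format(date_stamp, region)
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    # Derivation chain kDate -> kRegion -> kService -> kSigning.
    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp),
                                  region), "sts"), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["Authorization"] = ("AWS4-HMAC-SHA256 Credential={}/{}, SignedHeaders={}, "
                                "Signature={}".format(access_key, scope, signed_headers, signature))
    return headers


def build_iam_login(headers: Dict[str, str], role: str) -> Dict[str, str]:
    """iam method payload: the signed STS request, base64-encoded field by
    field, with the headers serialised as a JSON object."""
    return {"role": role,
            "iam_http_request_method": "POST",
            "iam_request_url": _b64("https://{}/".format(STS_HOST)),
            "iam_request_headers": _b64(json.dumps(headers)),
            "iam_request_body": _b64(STS_BODY)}


def decode_iam_login(payload: Dict[str, str]) -> Tuple[str, Dict[str, str], str]:
    """Reverse of build_iam_login: the request as Vault sees it after un-base64-ing."""
    url = base64.b64decode(payload["iam_request_url"]).decode("utf-8")
    headers = json.loads(base64.b64decode(payload["iam_request_headers"]))
    body = base64.b64decode(payload["iam_request_body"]).decode("utf-8")
    return url, headers, body


def demo(mount_point: str = "aws-iam"):
    """Constructed placeholder inputs (fixed clock, fake key pair); a real caller
    takes these from the Lambda environment and POSTs the payload with requests."""
    when = datetime.datetime(2018, 7, 1, 12, 0, 0)
    headers = sign_get_caller_identity("AKIAEXAMPLE", "EXAMPLEsecretKEY", when,
                                       server_id="vault.example.com")
    return login_path(mount_point), headers, build_iam_login(headers, "lambda-role")


if __name__ == "__main__":
    path, _, payload = demo()
    print(path, json.dumps(payload, indent=2))
```

Posting the payload from `demo()` to `login_path(mount_point)` with requests and taking `auth.client_token` from the response is the manual step the thread describes; that token is then handed to an hvac client. Signing the optional `X-Vault-AWS-IAM-Server-ID` header is what stops a signed GetCallerIdentity request captured from one Vault deployment being replayed against another.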