Unable to generate_credentials() for an AWS secret engine STS endpoint #930
Hi @sunchill06, I'd like to clarify what's being attempted here and what's going wrong. It seems like you're calling |
Hi @briantist, Thanks for reverting. Yeah I am trying to pass |
@sunchill06 thanks very much for this report. I think I have a fix that will work for it. We unfortunately do not have good test coverage against the AWS engine since we do not have an AWS environment to test against in CI. Would you be able to test out this fix? You should be able to install this (installing into a virtual environment is perhaps a good idea) by installing off of my branch. This might work:
Let me know if that works for you, thanks! |
Hi @briantist, Thanks for helping out here. I can see that it's working fine now, provided that I pass the
{
    "errorMessage": "Error assuming role: InvalidParameter: 1 validation error(s) found.\n- minimum field value of 900, AssumeRoleInput.DurationSeconds.\n, on put https://vault.endpoint.com/v1/aws/sts/vault-policy",
    "errorType": "InvalidRequest",
    "stackTrace": [
        " File \"/var/task/lambda_function.py\", line 54, in lambda_handler\n print(hvac.api.secrets_engines.Aws.generate_credentials(client, 'vault_aws_secret_role', role_arn='arn:aws:iam::1234567890:role/VaultAssumeRoleDummy', endpoint='sts', ttl='3600s'))\n",
        " File \"/var/task/hvac/api/secrets_engines/aws.py\", line 397, in generate_credentials\n params=params,\n",
        " File \"/var/task/hvac/adapters.py\", line 139, in put\n return self.request(\"put\", url, **kwargs)\n",
        " File \"/var/task/hvac/adapters.py\", line 369, in request\n response = super().request(*args, **kwargs)\n",
        " File \"/var/task/hvac/adapters.py\", line 336, in request\n method, url, response.status_code, text, errors=errors\n",
        " File \"/var/task/hvac/utils.py\", line 36, in raise_for_error\n raise exceptions.InvalidRequest(message, errors=errors, method=method, url=url)\n"
    ]
} |
Thanks @sunchill06 that's weird. The default is also specified on the Vault side so even without AWS's default value it should still be that. I'll see if I can find a reason why that's not the case. If possible, can you try using |
Hi @briantist, I tried with |
Hi @briantist, Sorry about my earlier comment. Earlier, I actually tried with a wrapper that we have written around
curl -X POST --header "X-Vault-Token: <redacted>" 'https://<vault-endpoint>/v1/aws/sts/<role>'
{"errors":["Error assuming role: InvalidParameter: 1 validation error(s) found.\n- minimum field value of 900, AssumeRoleInput.DurationSeconds.\n"]}
|
Thanks for the update @sunchill06, I was really scratching my head on this one 😅 So does that mean that even Vault is requiring an explicit ttl? Is it possible for your role in particular, |
Sorry about that @briantist, I should have checked this thoroughly but I was just too occupied. And yes, you rightly pointed out, we are using |
Ok cool, at least that explains everything then. But no worries, this wasn't the main thing holding up merging; we (maintainers) need to fix the CI failures before we can start merging other PRs, so I'm working on that with the others, but hopefully we'll get this fix in and released soon. |
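A client-side guard for the 900-second STS floor discussed in this thread, as an added example that is neither hvac's code nor anything posted by the participants. `duration_to_seconds` and `build_sts_request` are hypothetical helpers; the `aws` mount point, the `sts` path, the `role_arn`/`ttl` fields and the `vault-policy` role name are taken from the traceback and curl above, and a `ttl` of `None` leaves the TTL to the Vault role default, which is the case the thread ends on.

```python
import re

# AWS STS rejects AssumeRole requests whose DurationSeconds is below this
# value; the figure is the one quoted in the Vault error message in the thread.
STS_MIN_TTL_SECONDS = 900

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}
_DURATION_RE = re.compile(r"(\d+)([smh])")


def duration_to_seconds(ttl):
    """Convert a Vault-style duration ('3600s', '15m', '1h30m', or a bare
    integer number of seconds) into an int. Raises ValueError on junk."""
    if isinstance(ttl, int):
        return ttl
    text = str(ttl).strip()
    if text.isdigit():
        return int(text)
    parts = _DURATION_RE.findall(text)
    # Reject input that the regex only partially matched (e.g. '3600 s').
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unrecognised duration: {ttl!r}")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in parts)


def build_sts_request(mount_point, role_name, role_arn=None, ttl=None):
    """Return (path, json_body) for a POST to the AWS secrets engine STS
    endpoint, using the same path and field names seen in this thread
    (hypothetical helper, not hvac's own). A ttl below the STS minimum is
    rejected here, before the request leaves the caller, so the failure is a
    clear local error instead of the InvalidRequest round-trip shown above.
    ttl=None omits the field and leaves the TTL to the Vault role default."""
    body = {}
    if role_arn is not None:
        body["role_arn"] = role_arn
    if ttl is not None:
        seconds = duration_to_seconds(ttl)
        if seconds < STS_MIN_TTL_SECONDS:
            raise ValueError(
                f"ttl {ttl!r} is {seconds}s; STS requires at least "
                f"{STS_MIN_TTL_SECONDS}s for AssumeRoleInput.DurationSeconds"
            )
        body["ttl"] = f"{seconds}s"  # normalised so Vault always sees seconds
    return f"/v1/{mount_point}/sts/{role_name}", body
```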
I get the following error when I try to get credentials from an STS endpoint. Below is the error.
Response
Request: