
error making upstream request 403 sts vault from aws instance

I have attached one IAM role to the AWS instance. The role my-role has administrative permissions and STS permissions as well.

I ran the following commands but I get an error.

export VAULT_ADDR=https://somevaultsite.com
vault login -tls-skip-verify -address=https://somevaultsite.com -method=aws role=my-role
Error authenticating: Error making API request.

URL: PUT https://somevaultsite.com/v1/auth/aws/login
Code: 400. Errors:

* error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>InvalidClientTokenId</Code>
    <Message>The security token included in the request is invalid</Message>
  </Error>
  <RequestId>SOME-REQUEST-ID</RequestId>
</ErrorResponse>

And when I run the vault command passing the region, I get this error:

vault login -tls-skip-verify -address=https://somevaultsite.com -method=aws role=my-role region=us-gov-west-1
Error authenticating: Error making API request.

URL: PUT https://somevaultsite.com/v1/auth/aws/login
Code: 400. Errors:

* error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>SignatureDoesNotMatch</Code>
    <Message>Credential should be scoped to a valid region, not 'us-gov-west-1'. </Message>
  </Error>
  <RequestId>SOME-REQUEST-ID</RequestId>
</ErrorResponse>

I have bound the role in Vault also.

vault write auth/aws/role/my-role auth_type=iam policies=my-policy max_ttl=1h bound_iam_principal_arn=arn:aws-us-gov:iam::xxxxx:role/my-role

Note: I added the -tls-skip-verify option because the certificate is not a valid one.

We should set the STS endpoint:

vault write auth/aws/config/client sts_endpoint=https://sts.us-gov-west-1.amazonaws.com

Then run your login command:

vault login -tls-skip-verify -address=https://somevaultsite.com -method=aws role=my-role region=us-gov-west-1

Success! You are now authenticated. The token information displayed below is already stored in the token helper. You do NOT need to run "vault login" again. Future Vault requests will automatically use this token.

Here's a Google Groups link with the discussion.

Another link for STS.
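Why the endpoint matters: with the IAM auth type, Vault does not trust the client's claim of identity; it forwards the client's signed sts:GetCallerIdentity request to the STS endpoint it is configured with. Credentials issued in the GovCloud partition (ARNs starting with arn:aws-us-gov:) are not valid at the commercial sts.amazonaws.com endpoint, which is why the first attempt returns InvalidClientTokenId and the second, with a GovCloud region in the signature scope, returns SignatureDoesNotMatch. The region passed at login, the STS endpoint in auth/aws/config/client and the partition of bound_iam_principal_arn therefore have to agree. The script below is an added example, not part of the original question or answer: it derives the regional STS endpoint from the region, checks that the bound ARN's partition matches, and prints the Vault commands the answer uses. It generalises beyond the GovCloud case on the page to the China partition (sts.<region>.amazonaws.com.cn) and the commercial partition. The account id and role names are constructed placeholders; the sts_region client parameter is Vault's own companion to sts_endpoint and is not on the page.

```shell
#!/usr/bin/env sh
# Pre-flight check for Vault AWS IAM auth outside the commercial partition.
# Constructed example: region names follow AWS conventions; the Vault CLI is
# only needed if you actually run the commands this script prints.

# Map an AWS region to the partition name that appears in its ARNs.
partition_for_region() {
  case "$1" in
    us-gov-*) echo "aws-us-gov" ;;
    cn-*)     echo "aws-cn" ;;
    *)        echo "aws" ;;
  esac
}

# Regional STS endpoint for a region; the China partition uses a .com.cn suffix.
sts_endpoint_for_region() {
  case "$(partition_for_region "$1")" in
    aws-cn) echo "https://sts.$1.amazonaws.com.cn" ;;
    *)      echo "https://sts.$1.amazonaws.com" ;;
  esac
}

# Second colon-separated field of arn:<partition>:service:region:account:resource
arn_partition() {
  printf '%s\n' "$1" | cut -d: -f2
}

# Succeed (exit 0) only when the bound principal ARN lives in the same partition
# as the STS endpoint Vault will forward GetCallerIdentity to.
check_consistency() {
  region="$1"; bound_arn="$2"
  [ "$(arn_partition "$bound_arn")" = "$(partition_for_region "$region")" ]
}

# Print the client, role and login commands for one region/role pair.
# Refuses to print anything if the ARN and region disagree on partition.
render_vault_config() {
  region="$1"; role="$2"; bound_arn="$3"; policy="$4"
  if ! check_consistency "$region" "$bound_arn"; then
    echo "partition mismatch: region $region vs ARN $bound_arn" >&2
    return 1
  fi
  cat <<EOF
vault write auth/aws/config/client sts_endpoint=$(sts_endpoint_for_region "$region") sts_region=$region
vault write auth/aws/role/$role auth_type=iam policies=$policy max_ttl=1h bound_iam_principal_arn=$bound_arn
vault login -method=aws role=$role region=$region
EOF
}

# Usage: ./vault-aws-preflight.sh <region> <role> <bound_iam_principal_arn> <policy>
if [ "$#" -ge 4 ]; then
  render_vault_config "$@"
fi
```

Run it with the values from the question (region us-gov-west-1, role my-role, the arn:aws-us-gov:iam::<account>:role/my-role ARN and my-policy) and it prints the same config/client and role writes as the answer; feed it a commercial region with a GovCloud ARN and it exits non-zero instead, which is the mismatch that produced the two STS errors above.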
