error making upstream request 403 sts vault from aws instance

I have attached an IAM role to the AWS instance. The role my-role
also has admin permissions and sts permissions.
I ran the following command but got an error.
export VAULT_ADDR=https://somevaultsite.com
vault login -tls-skip-verify -address=https://somevaultsite.com -method=aws role=my-role
Error authenticating: Error making API request.
URL: PUT https://somevaultsite.com/v1/auth/aws/login
Code: 400. Errors:
* error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<Error>
<Type>Sender</Type>
<Code>InvalidClientTokenId</Code>
<Message>The security token included in the request is invalid</Message>
</Error>
<RequestId>SOME-REQUEST-ID</RequestId>
</ErrorResponse>
When I run the vault command passing the region, the error I get is
vault login -tls-skip-verify -address=https://somevaultsite.com -method=aws role=my-role region=us-gov-west-1
Error authenticating: Error making API request.
URL: PUT https://somevaultsite.com/v1/auth/aws/login
Code: 400. Errors:
* error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<Error>
<Type>Sender</Type>
<Code>SignatureDoesNotMatch</Code>
<Message>Credential should be scoped to a valid region, not 'us-gov-west-1'. </Message>
</Error>
<RequestId>SOME-REQUEST-ID</RequestId>
</ErrorResponse>
I have also restricted the role in Vault.
vault write auth/aws/role/my-role auth_type=iam policies=my-policy max_ttl=1h bound_iam_principal_arn=arn:aws-us-gov:iam::xxxxx:role/my-role
Note: I added the -tls-skip-verify option because the certificate is invalid.

Answer:

We should set the STS endpoint
vault write auth/aws/config/client sts_endpoint=https://sts.us-gov-west-1.amazonaws.com
then run your login command
vault login -tls-skip-verify -address=https://somevaultsite.com -method=aws role=my-role region=us-gov-west-1
Success! You are now authenticated. The token information displayed below is already stored in the token helper. You do NOT need to run "vault login" again. Future Vault requests will automatically use this token.
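Why the region has to line up with the STS endpoint, as an added example that is not part of the original post or of Vault's own code: the headers below are modelled on the SigV4-signed sts:GetCallerIdentity request that `vault login -method=aws` builds, and `endpoint_matches_scope` is a hypothetical diagnostic that flags the mismatch behind the two STS error responses above before the request is forwarded. The access key, secret and check function are assumptions constructed for this example; it needs only the Python standard library.

```python
import datetime, hashlib, hmac, re
from urllib.parse import urlparse

# Constructed, non-functional sample credentials (assumption for this example).
SAMPLE_KEY_ID = "AKIAEXAMPLEKEYID0000"
SAMPLE_SECRET = "exampleSecretKey/NotARealSecret0000000000"
BODY = "Action=GetCallerIdentity&Version=2011-06-15"

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_get_caller_identity(endpoint, region, key_id, secret, when=None):
    """Headers for a SigV4-signed POST to sts:GetCallerIdentity, scoped to `region`.
    This is the shape of the payload the Vault AWS auth method forwards to STS."""
    when = when or datetime.datetime.now(datetime.timezone.utc)
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    host = urlparse(endpoint).netloc
    headers = {"content-type": "application/x-www-form-urlencoded; charset=utf-8",
               "host": host, "x-amz-date": amz_date}
    signed = ";".join(headers)  # header names, already in sorted order
    canonical = "\n".join(["POST", "/", "", *(f"{k}:{v}" for k, v in headers.items()),
                           "", signed, _sha256(BODY.encode())])
    scope = f"{date}/{region}/sts/aws4_request"  # the region is baked into the scope
    string_to_sign = f"AWS4-HMAC-SHA256\n{amz_date}\n{scope}\n{_sha256(canonical.encode())}"
    k = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, "sts", "aws4_request"):  # derive the region-bound signing key
        k = _hmac(k, part)
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={key_id}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers

def scope_region(authorization: str) -> str:
    """Region the credential scope is bound to (second field of the Credential scope)."""
    m = re.search(r"Credential=[^/]+/\d{8}/([^/]+)/sts/aws4_request", authorization)
    if not m:
        raise ValueError("not a SigV4 STS Authorization header")
    return m.group(1)

def endpoint_matches_scope(sts_endpoint: str, authorization: str) -> bool:
    """Hypothetical check: does the STS endpoint Vault forwards to serve the scoped
    region? The global sts.amazonaws.com endpoint only accepts us-east-1 scopes, so
    a GovCloud-scoped signature must go to the sts.us-gov-west-1 regional endpoint."""
    host = urlparse(sts_endpoint).netloc
    region = scope_region(authorization)
    if host == "sts.amazonaws.com":
        return region == "us-east-1"
    return host == f"sts.{region}.amazonaws.com"
```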