
AwsIamAuthentication fails with Credential should be scoped to a valid region when migrating from spring-vault-core 2.3.3 to 3.1.1

Open infa-kvaibhav opened this issue 1 year ago • 5 comments

I have upgraded from spring-vault-core 2.3.3 to 3.1.1 and am using AwsIamAuthentication:

```java
import org.springframework.vault.authentication.AwsIamAuthentication;
import org.springframework.vault.authentication.AwsIamAuthenticationOptions;
import org.springframework.vault.authentication.ClientAuthentication;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.regions.Region;

public ClientAuthentication createClientAuthentication() {
    AwsCredentialsProvider credentialsProvider = DefaultCredentialsProvider.create();
    AwsIamAuthenticationOptions options = AwsIamAuthenticationOptions.builder()
            .credentialsProvider(credentialsProvider)
            // I have tried adding this field in 3.1.1, as Vault and the instances are in us-west-2
            .region(Region.US_WEST_2)
            .role(InfrastructureInfo.getInstance().getVaultRole())
            .build();
    return new AwsIamAuthentication(options, VaultUtils.getRestOptions());
}
```

Exception:

```
org.springframework.vault.authentication.VaultLoginException: Cannot login using AWS-IAM: error making upstream request: received error code 403 from STS:
<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>SignatureDoesNotMatch</Code>
    <Message>Credential should be scoped to a valid region. </Message>
  </Error>
  <RequestId>b38c3d6a-ae0a-4f08-b768-94ad7b53b82e</RequestId>
</ErrorResponse>
```

Java 17, Spring Boot 3.2.0, Spring Framework 6.1.+

From the CLI I am able to read data. Vault v1.9.4

infa-kvaibhav, Jul 30 '24 15:07

We're signing requests with the v4 signer via https://github.com/spring-projects/spring-vault/blob/ff43ffa1d0d70c1932fc2f8926c5a2a999f8e368/spring-vault-core/src/main/java/org/springframework/vault/authentication/AwsIamAuthentication.java#L225-L230

Let us know if there's a mismatch somewhere. We can solve this issue only with the help of you or any AWS user; I'm not terribly familiar with the most recent AWS changes.

mp911de, Aug 07 '24 07:08

If I provide the region as US_EAST_1 it's working, but providing any other region throws the same exception.

Below is working:

```java
import org.springframework.vault.authentication.AwsIamAuthenticationOptions;
import software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider;
import software.amazon.awssdk.regions.Region;

AwsIamAuthenticationOptions options = AwsIamAuthenticationOptions.builder()
        .credentialsProvider(InstanceProfileCredentialsProvider.create())
        .region(Region.US_EAST_1)
        .role(InfrastructureInfo.getInstance().getVaultRole())
        .build();
```

FYI: I am in us-west-2.

infa-kvaibhav, Aug 07 '24 07:08

If you have arrangements that work, then this seems to be rather an infrastructure issue. In any case, we're not AWS users, so we need support from someone who could help sort out the actual issue.

mp911de, Aug 07 '24 07:08

A similar issue, I can see, was raised in the past: https://github.com/hvac/hvac/issues/251.

In our case, even setting the endPointURI to https://sts.us-west-2.amazonaws.com is not working; it throws the same exception.

infa-kvaibhav, Aug 07 '24 07:08

Thanks for the pointer. What about sts_endpoint and sts_region in the Vault config? Do these correlate to your app config?

mp911de, Aug 07 '24 08:08
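To make the SigV4 region scoping behind the maintainer's pointer (and the sts_endpoint / sts_region question) concrete, here is an added example that is neither spring-vault code nor anything posted in this thread: it signs the GetCallerIdentity request that the Vault AWS IAM login presigns, using only the Python standard library and constructed sample keys, and then reports whether the credential scope's region matches the STS endpoint the request is addressed to. The rule it encodes is AWS's: the global endpoint sts.amazonaws.com only accepts signatures scoped to us-east-1, while a regional endpoint such as sts.us-west-2.amazonaws.com expects its own region in the scope.

```python
import datetime
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample values for this example; the keys are not real AWS credentials.
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE00"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SAMPLE_TIME = datetime.datetime(2024, 8, 7, 7, 0, 0, tzinfo=datetime.timezone.utc)
BODY = "Action=GetCallerIdentity&Version=2011-06-15"  # the request Vault's aws login presigns


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_get_caller_identity(sts_url: str, region: str, now: datetime.datetime) -> dict:
    """SigV4-sign the GetCallerIdentity POST and return its headers, as a client would."""
    host = urlparse(sts_url).netloc
    amz_date, date_stamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    headers = {"content-type": "application/x-www-form-urlencoded; charset=utf-8",
               "host": host, "x-amz-date": amz_date}
    signed = ";".join(sorted(headers))
    canonical = "\n".join(["POST", "/", "", "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
                           signed, hashlib.sha256(BODY.encode()).hexdigest()])
    scope = f"{date_stamp}/{region}/sts/aws4_request"  # the region is baked into the scope
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical.encode()).hexdigest()])
    key = _hmac(("AWS4" + SECRET_KEY).encode(), date_stamp)
    for part in (region, "sts", "aws4_request"):  # derive the region-bound signing key
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers


def endpoint_region(host: str):
    """Region the STS endpoint expects in the credential scope (global endpoint: us-east-1)."""
    if host == "sts.amazonaws.com":
        return "us-east-1"
    parts = host.split(".")  # regional form: sts.<region>.amazonaws.com
    return parts[1] if len(parts) >= 4 and parts[0] == "sts" else None


def check_scope(headers: dict) -> tuple:
    """Return (scope_region, endpoint_region, mismatch) for a signed request's headers."""
    credential = headers["authorization"].split("Credential=")[1].split(",")[0]
    scope_region = credential.split("/")[2]
    expected = endpoint_region(headers["host"])
    return scope_region, expected, scope_region != expected
```

Feeding the headers and URL your client actually sends into check_scope shows whether the scope region and the STS host disagree before Vault forwards the request.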