hvac: IAM auth_ec2 doesn't work, and seems like it can't possibly work

According to the Vault documentation for the iam/ec2 auth endpoints, it works like this:

curl -X POST "http://127.0.0.1:8200/v1/auth/aws/login" -d '{"role":"dev", "iam_http_request_method": "POST", "iam_request_url": "aHR0cHM6Ly9zdHMuYW1hem9uYXdzLmNvbS8=", "iam_request_body": "QWN0aW9uPUdldENhbGxlcklkZW50aXR5JlZlcnNpb249MjAxMS0wNi0xNQ==", "iam_request_headers": "..." }'

https://www.vaultproject.io/docs/auth/aws.html

After un-base64-ing that, and formatting it to make it somewhat readable, it looks like:

    curl -X POST "http://127.0.0.1:8200/v1/auth/aws/login" -d '{"role":"dev", \
        "iam_http_request_method": "POST", \
        "iam_request_url": "https://sts.amazonaws.com/", \
        "iam_request_body": "Action=GetCallerIdentity&Version=2011-06-15", \
        "iam_request_headers": "{"Content-Length": ["43"], \
            "User-Agent": ["aws-sdk-go/1.4.12 (go1.7.1; linux; amd64)"], \
            "X-Vault-AWSIAM-Server-Id": ["vault.example.com"], \
            "X-Amz-Date": ["20160930T043121Z"], \
            "Content-Type": ["application/x-www-form-urlencoded; charset=utf-8"], \
            "Authorization": ["AWS4-HMAC-SHA256 Credential=foo/20160930/us-east-1/sts/aws4_request, \
                SignedHeaders=content-length;content-type;host;x-amz-date;x-vault-server, \
                Signature=a69fd750a3445c4e553e1b3e79d3da90eef54047f1eb4efe8ffbc9c428c2655b"]}" }'

But I’m looking through the hvac code, and auth_ec2 does none of those things.

In experimenting with it, I’m getting explosions like:

>>> client.auth_ec2(requests.get("http://169.254.169.254/latest/dynamic/instance-identity/pkcs7").text)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/opt/ops/venv/local/lib/python2.7/site-packages/hvac/v1/__init__.py", line 562, in auth_ec2
    return self.auth('/v1/auth/aws-ec2/login', json=params, use_token=use_token)
  File "/opt/ops/venv/local/lib/python2.7/site-packages/hvac/v1/__init__.py", line 787, in auth
    response = self._post(url, **kwargs).json()
  File "/opt/ops/venv/local/lib/python2.7/site-packages/hvac/v1/__init__.py", line 947, in _post
    return self.__request('post', url, **kwargs)
  File "/opt/ops/venv/local/lib/python2.7/site-packages/hvac/v1/__init__.py", line 986, in __request
    self.__raise_error(response.status_code, text, errors=errors)
  File "/opt/ops/venv/local/lib/python2.7/site-packages/hvac/v1/__init__.py", line 992, in __raise_error
    raise exceptions.InvalidRequest(message, errors=errors)
hvac.exceptions.InvalidRequest: missing client token

"Missing client token" is not what it should be responding with. But then, hvac doesn’t even appear to be trying to authenticate properly, so the server appears to be trying to authenticate it with the default (token) auth.

Does this auth_ec2 even work? Or am I missing something very obvious and fundamental?
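To make the docs excerpt concrete, here is an added example (not code from hvac or from Vault) that builds exactly the login body shown above: it SigV4-signs a POST to https://sts.amazonaws.com/ with body Action=GetCallerIdentity&Version=2011-06-15, base64-encodes the method, URL, body and headers, and wraps them in the JSON Vault expects. The SigV4 signing is hand-rolled with hashlib/hmac so the example runs offline; in a real client you would let botocore sign the request for you. Assumptions: the credentials and timestamp are constructed and not real, no request is actually sent, and the server-id header is spelled X-Vault-AWS-IAM-Server-ID as in current Vault docs (the excerpt above shows an older spelling), its value matching iam_server_id_header_value on the Vault role.

```python
import base64
import datetime
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Fixed STS request that Vault replays to AWS; both strings come from the docs excerpt.
STS_URL = "https://sts.amazonaws.com/"
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"
# Assumption: header name as in current Vault docs (the excerpt shows an older spelling);
# the value has to match iam_server_id_header_value configured on the Vault role.
SERVER_ID_HEADER = "X-Vault-AWS-IAM-Server-ID"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    # SigV4 key derivation chain: kDate -> kRegion -> kService -> kSigning
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_get_caller_identity(access_key, secret_key, session_token=None,
                             server_id=None, region="us-east-1", now=None):
    """Return SigV4-signed headers for POST https://sts.amazonaws.com/ (GetCallerIdentity)."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
        "Content-Length": str(len(STS_BODY)),
        "Host": urlparse(STS_URL).netloc,
        "X-Amz-Date": amz_date,
    }
    if session_token:  # temporary (instance-role / STS) credentials carry a token
        headers["X-Amz-Security-Token"] = session_token
    if server_id:  # binds the signature to one Vault server so it cannot be replayed elsewhere
        headers[SERVER_ID_HEADER] = server_id

    # Canonical request: lowercased header names, sorted, trimmed values, sha256 of the body.
    canon = sorted((k.lower(), v.strip()) for k, v in headers.items())
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in canon)
    signed_headers = ";".join(k for k, _ in canon)
    payload_hash = hashlib.sha256(STS_BODY.encode("utf-8")).hexdigest()
    canonical_request = "\n".join(
        ["POST", "/", "", canonical_headers, signed_headers, payload_hash])

    scope = f"{date_stamp}/{region}/sts/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signature = hmac.new(_signing_key(secret_key, date_stamp, region, "sts"),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def build_vault_iam_login(role, headers):
    """JSON body for POST /v1/auth/aws/login, in the shape the docs excerpt shows."""
    def b64(s):
        return base64.b64encode(s.encode("utf-8")).decode("ascii")
    # Vault wants each header value as a list (Go's http.Header), then the JSON base64'd.
    header_map = {k: [v] for k, v in headers.items()}
    return {
        "role": role,
        "iam_http_request_method": "POST",
        "iam_request_url": b64(STS_URL),
        "iam_request_body": b64(STS_BODY),
        "iam_request_headers": b64(json.dumps(header_map)),
    }


def decode_vault_iam_login(payload):
    """Undo the base64 layer, i.e. what Vault sees before it replays the request to STS."""
    def dec(s):
        return base64.b64decode(s).decode("utf-8")
    return {"url": dec(payload["iam_request_url"]),
            "body": dec(payload["iam_request_body"]),
            "headers": json.loads(dec(payload["iam_request_headers"]))}


def demo():
    """Constructed, non-secret sample credentials and a fixed clock (no AWS call is made)."""
    fixed = datetime.datetime(2016, 9, 30, 4, 31, 21, tzinfo=datetime.timezone.utc)
    headers = sign_get_caller_identity("AKIAEXAMPLEKEY", "example-secret-not-real",
                                       server_id="vault.example.com", now=fixed)
    return headers, build_vault_iam_login("dev", headers)


if __name__ == "__main__":
    hdrs, payload = demo()
    print(json.dumps(payload, indent=2))
    print(json.dumps(decode_vault_iam_login(payload)["headers"], indent=2))
```

The resulting dict is what a client would POST to /v1/auth/aws/login; Vault then replays the signed request to STS and uses the returned caller identity to decide whether the role matches. Note that the signature covers the server-id header, which is the whole point of setting it: a payload captured from one Vault cluster is useless against another.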

About this issue

  • State: closed
  • Created 7 years ago
  • Comments: 21 (7 by maintainers)

Most upvoted comments

@rberlind I use this, then we just call the client with the token and use some wrapped methods.

In our containers:

# Ask stratatilities for a Vault token (it handles the AWS login itself).
get_vault_token() {
  python3 -c "from stratatilities.auth import return_token;print(return_token())"
}

# Keep an already-exported VAULT_TOKEN; otherwise fetch one.
export VAULT_TOKEN=${VAULT_TOKEN:-$(get_vault_token)}

and in lambda:

from stratatilities.auth import get_vault_client, read_vault_secret


def lambda_handler(event, context):
    # get_vault_client() returns an already-authenticated client for this environment.
    vault_client = get_vault_client()
    some_token = read_vault_secret(vault_client, 'secret/ops/some_token')

Orthogonal issues.

The way I read #108 is that it relates to creating and managing EC2/IAM roles from the library, as a superuser, for example…

This ticket is about what appears to be the complete lack of library support for its use as an unprivileged client, to log in using IAM.