0

我已将一个 IAM 角色附加到 aws 实例。该角色my-role还具有管理权限和 sts 权限。

我运行了以下命令,但出现错误。

export VAULT_ADDR=https://somevaultsite.com
vault login -tls-skip-verify -address=https://somevaultsite.com -method=aws role=my-role

Error authenticating: Error making API request.

URL: PUT https://somevaultsite.com/v1/auth/aws/login
Code: 400. Errors:

* error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>InvalidClientTokenId</Code>
    <Message>The security token included in the request is invalid</Message>
  </Error>
  <RequestId>SOME-REQUEST-ID</RequestId>
</ErrorResponse>

当我通过传递区域运行 Vault 命令时,我得到的错误是

vault login -tls-skip-verify -address=https://somevaultsite.com -method=aws role=my-role region=us-gov-west-1

Error authenticating: Error making API request.

URL: PUT https://somevaultsite.com/v1/auth/aws/login
Code: 400. Errors:

* error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>SignatureDoesNotMatch</Code>
    <Message>Credential should be scoped to a valid region, not 'us-gov-west-1'. </Message>
  </Error>
  <RequestId>SOME-REQUEST-ID</RequestId>
</ErrorResponse>

我也限制了保险库中的角色。

vault write auth/aws/role/my-role auth_type=iam policies=my-policy max_ttl=1h bound_iam_principal_arn=arn:aws-us-gov:iam::xxxxx:role/my-role

注意:- 我添加了 -tls-skip-verify 选项,因为证书不是有效的。

4

1 回答 1

0

我们应该设置 sts 端点

vault write auth/aws/config/client sts_endpoint=https://sts.us-gov-west-1.amazonaws.com

然后运行你的登录命令

vault login -tls-skip-verify -address=https://somevaultsite.com -method=aws role=my-role region=us-gov-west-1


Success! You are now authenticated. The token information displayed below is already stored in the token helper. You do NOT need to run "vault login" again. Future Vault requests will automatically use this token.

这是一个带有讨论的 Google 群组链接

sts 的另一个链接。

于 2021-02-15T16:20:08.567 回答