我已将一个 IAM 角色附加到 aws 实例。该角色my-role
还具有管理权限和 sts 权限。
我运行了以下命令,但出现错误。
export VAULT_ADDR=https://somevaultsite.com
vault login -tls-skip-verify -address=https://somevaultsite.com -method=aws role=my-role
Error authenticating: Error making API request.
URL: PUT https://somevaultsite.com/v1/auth/aws/login
Code: 400. Errors:
* error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<Error>
<Type>Sender</Type>
<Code>InvalidClientTokenId</Code>
<Message>The security token included in the request is invalid</Message>
</Error>
<RequestId>SOME-REQUEST-ID</RequestId>
</ErrorResponse>
当我通过传递区域运行 Vault 命令时,我得到的错误是
vault login -tls-skip-verify -address=https://somevaultsite.com -method=aws role=my-role region=us-gov-west-1
Error authenticating: Error making API request.
URL: PUT https://somevaultsite.com/v1/auth/aws/login
Code: 400. Errors:
* error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<Error>
<Type>Sender</Type>
<Code>SignatureDoesNotMatch</Code>
<Message>Credential should be scoped to a valid region, not 'us-gov-west-1'. </Message>
</Error>
<RequestId>SOME-REQUEST-ID</RequestId>
</ErrorResponse>
我也限制了保险库中的角色。
vault write auth/aws/role/my-role auth_type=iam policies=my-policy max_ttl=1h bound_iam_principal_arn=arn:aws-us-gov:iam::xxxxx:role/my-role
注意:- 我添加了 -tls-skip-verify 选项,因为证书不是有效的。