Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AWS auth login with multi region STS support #21960

Merged
merged 7 commits into from
Jul 28, 2023
Merged

AWS auth login with multi region STS support #21960

merged 7 commits into from
Jul 28, 2023

Conversation

raymonstah
Copy link
Contributor

@raymonstah raymonstah commented Jul 19, 2023
edited
Loading

Summary

Adds support to the AWS auth plugin so that when the use_sts_region_from_client configuration is set, the global STS endpoint (https://sts.amazonaws.com) will be overridden to instead use the regional STS endpoints based on the region provided in the Authorization header.

This change allows for DR situations and AWS regional outages by supporting flexibility in where the login region is calling from.

Without this change, clients would run into an error message when logging in if there were a region mismatch between client and server:

Error authenticating: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/auth/aws/login
Code: 400. Errors:

* error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>SignatureDoesNotMatch</Code>
    <Message>Credential should be scoped to a valid region. </Message>
  </Error>
  <RequestId>b749af7f-ed19-4cea-9885-f60d2422880e</RequestId>
</ErrorResponse>

Testing

For the server side, I've configured the AWS auth plugin with the use_sts_region_from_client config set to true.

vault auth enable aws
Success! Enabled aws auth method at: aws/

vault write auth/aws/config/client \
    secret_key="${AWS_SECRET_ACCESS_KEY}" \
    access_key="${AWS_ACCESS_KEY_ID}" \
use_sts_region_from_client=true
Success! Data written to: auth/aws/config/client

vault write auth/aws/role/dev-role-iam \
    auth_type="iam" \
    bound_iam_principal_arn="arn:aws:iam::XXXXXXXXXXX:user/FOOBAR" \
    policies="default"
Success! Data written to: auth/aws/role/dev-role-iam

For the client side, I've tested the login command using a bunch of different regions, auto region, and no region specified . Responses omitted for brevity.

vault login -method=aws  region=us-east-1 role=dev-role-iam
Success! You are now authenticated. The token information displayed below...

vault login -method=aws  region=us-east-2 role=dev-role-iam
Success! You are now authenticated. The token information displayed below...

vault login -method=aws  region=us-west-1 role=dev-role-iam
Success! You are now authenticated. The token information displayed below...

vault login -method=aws  region=us-west-2 role=dev-role-iam
Success! You are now authenticated. The token information displayed below...

vault login -method=aws  region=auto role=dev-role-iam
Success! You are now authenticated. The token information displayed below...

vault login -method=aws role=dev-role-iam
Success! You are now authenticated. The token information displayed below...

@github-actions github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Jul 19, 2023
@raymonstah raymonstah added this to the 1.15 milestone Jul 19, 2023
@github-actions
Copy link

github-actions bot commented Jul 19, 2023
edited
Loading

CI Results:
All Go tests succeeded! ✅

@raymonstah raymonstah requested a review from a team July 19, 2023 21:14
austingebauer
austingebauer reviewed Jul 20, 2023
View reviewed changes
changelog/21960.txt Outdated Show resolved Hide resolved
austingebauer
austingebauer reviewed Jul 20, 2023
View reviewed changes
builtin/credential/aws/path_login_test.go
@@ -625,6 +627,58 @@ func TestBackend_defaultAliasMetadata(t *testing.T) {
}
}

func TestRegionFromHeader(t *testing.T) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice 👍

austingebauer
austingebauer reviewed Jul 20, 2023
View reviewed changes
builtin/credential/aws/path_login.go
Comment on lines +1909 to +1916
// https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html
// The Authorization header takes the following form.
// Authorization: AWS4-HMAC-SHA256
// Credential=AKIAIOSFODNN7EXAMPLE/20230719/us-east-1/sts/aws4_request,
// SignedHeaders=content-length;content-type;host;x-amz-date,
// Signature=fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024
//
// The credential is in the form of "<your-access-key-id>/<date>/<aws-region>/<aws-service>/aws4_request"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, this comment is helpful!

@raymonstah raymonstah marked this pull request as ready for review July 24, 2023 20:07
@raymonstah raymonstah requested a review from a team as a code owner July 24, 2023 20:07
@raymonstah raymonstah requested a review from a team July 24, 2023 20:07
@github-actions
Copy link

Build Results:
All builds succeeded! ✅

maxcoulombe
maxcoulombe reviewed Jul 25, 2023
View reviewed changes
changelog/21960.txt Outdated
@@ -0,0 +1,3 @@
```release-note:improvement
aws/auth: Adds a new config field `sts_region_from_client` which allows for using dynamic regional sts endpoints based on Authorization header when using IAM-based authentication..
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
aws/auth: Adds a new config field `sts_region_from_client` which allows for using dynamic regional sts endpoints based on Authorization header when using IAM-based authentication..
aws/auth: Adds a new config field `sts_region_from_client` which allows for using dynamic regional sts endpoints based on Authorization header when using IAM-based authentication.

Double dots?

maxcoulombe
maxcoulombe approved these changes Jul 28, 2023
View reviewed changes
Copy link
Contributor

@maxcoulombe maxcoulombe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the parameter rename. This is a really elegant solution, nice work.

@raymonstah raymonstah merged commit 4f7a8fb into main Jul 28, 2023
@raymonstah raymonstah deleted the VAULT-18128/aws-auth-login-multi-region-sts-support branch July 28, 2023 15:42
@raymonstah raymonstah mentioned this pull request Jul 28, 2023
Merged
@austingebauer austingebauer mentioned this pull request Sep 28, 2023
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@austingebauer austingebauer austingebauer left review comments

@maxcoulombe maxcoulombe maxcoulombe approved these changes

Assignees
No one assigned
Labels
hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed
Projects
None yet
Milestone
1.15.0-rc1
Development

Successfully merging this pull request may close these issues.
3 participants
@raymonstah @austingebauer @maxcoulombe