AwsIamAuthentication fails with Credential should be scoped to a valid region when migrating from spring-vault-core 2.3.3 to 3.1.1 #871
Comments
We're signing requests with the v4 signer via Lines 225 to 230 in ff43ffa
Let us know if there's a mismatch somewhere. We can solve this issue only with the help of you or any AWS user, I'm not terribly familiar with the most recent AWS changes.
If I provide the region as US_EAST_1 it works, but providing any other region throws the same exception. Below is working. FYI: I am in us-west-2.
If you have arrangements that work, then this seems to be rather an infrastructure issue. In any case, we're not AWS users so we need support from someone that could help sort out the actual issue.
A similar issue I can see raised in the past: hvac/hvac#251. In our case even setting the endpoint URI to https://sts.us-west-2.amazonaws.com is not working; it throws the same exception.
Thanks for the pointer. What about sts_endpoint and sts_region in the Vault config? Do these correlate to your app config?
I have upgraded from spring-vault-core 2.3.3 to 3.1.1 and am using AwsIamAuthentication:
```java
import org.springframework.vault.authentication.AwsIamAuthentication;
import org.springframework.vault.authentication.AwsIamAuthenticationOptions;
import org.springframework.vault.authentication.ClientAuthentication;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.regions.Region;

public ClientAuthentication createClientAuthentication() {
    AwsCredentialsProvider credentialsProvider = DefaultCredentialsProvider.create();
    AwsIamAuthenticationOptions options = AwsIamAuthenticationOptions.builder()
            .credentialsProvider(credentialsProvider)
            // I have tried adding this field in 3.1.1, as Vault and the instances are in us-west-2
            .region(Region.US_WEST_2)
            .role(InfrastructureInfo.getInstance().getVaultRole())
            .build();
    return new AwsIamAuthentication(options, VaultUtils.getRestOptions());
}
```
Exception:

```
org.springframework.vault.authentication.VaultLoginException: Cannot login using AWS-IAM: error making upstream request: received error code 403 from STS:
<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>SignatureDoesNotMatch</Code>
    <Message>Credential should be scoped to a valid region.</Message>
  </Error>
  <RequestId>b38c3d6a-ae0a-4f08-b768-94ad7b53b82e</RequestId>
</ErrorResponse>
```
- Java 17
- Spring Boot 3.2.0
- Spring Framework 6.1.+
- Vault v1.9.4

From the CLI I am able to read data.
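The STS error above is a credential-scope mismatch: a SigV4 Authorization header carries `<date>/<region>/sts/aws4_request`, and STS rejects it when that region does not match the endpoint the request arrives at (the global endpoint `sts.amazonaws.com` expects `us-east-1`, which is consistent with `US_EAST_1` being the only region that works here). The following is an added illustration of that check, not code from the issue or from spring-vault; the endpoint-to-region mapping and the sample header are assumptions constructed for the example.

```python
# Added illustration (not from the issue or spring-vault): a SigV4 credential-scope
# check of the kind STS applies before verifying a signature. Host-to-region mapping
# and the sample Authorization header below are constructed assumptions.
import re
from typing import Optional, Tuple
from urllib.parse import urlparse

# Region implied by the STS host a request is sent to: the global endpoint maps to
# us-east-1, regional endpoints carry their region in the hostname.
def region_for_sts_host(host: str) -> Optional[str]:
    if host == "sts.amazonaws.com":
        return "us-east-1"
    m = re.fullmatch(r"sts\.([a-z]{2}(?:-[a-z]+)+-\d)\.amazonaws\.com", host)
    return m.group(1) if m else None

# Pull the credential scope out of a SigV4 Authorization header:
#   AWS4-HMAC-SHA256 Credential=<key>/<yyyymmdd>/<region>/<service>/aws4_request, ...
def parse_credential_scope(authorization: str) -> dict:
    m = re.search(r"Credential=([^/]+)/(\d{8})/([^/]+)/([^/]+)/aws4_request", authorization)
    if not m:
        raise ValueError("not a SigV4 Authorization header")
    return {"access_key": m.group(1), "date": m.group(2),
            "region": m.group(3), "service": m.group(4)}

# Mimic the server-side check: the scope's region and service must match the
# endpoint the request arrives at. Returns (ok, message).
def check_scope(endpoint_url: str, authorization: str) -> Tuple[bool, str]:
    scope = parse_credential_scope(authorization)
    expected = region_for_sts_host(urlparse(endpoint_url).hostname or "")
    if expected is None:
        return False, "unknown STS endpoint"
    if scope["service"] != "sts":
        return False, "credential scoped to wrong service: " + scope["service"]
    if scope["region"] != expected:
        return False, ("Credential should be scoped to a valid region "
                       f"(endpoint expects {expected}, scope has {scope['region']})")
    return True, "ok"

# Constructed sample header signed for us-west-2; key and signature are placeholders.
SAMPLE_AUTH = ("AWS4-HMAC-SHA256 Credential=AKIAEXAMPLEKEY/20240101/us-west-2/sts/aws4_request, "
               "SignedHeaders=host;x-amz-date, Signature=0000000000000000")

if __name__ == "__main__":
    # Sent to the global endpoint the scope is rejected; sent to the regional one it passes.
    print(check_scope("https://sts.amazonaws.com/", SAMPLE_AUTH))
    print(check_scope("https://sts.us-west-2.amazonaws.com/", SAMPLE_AUTH))
```

When debugging, compare the region in the signed request's credential scope with the host in the `sts_endpoint` Vault is configured to forward the request to; they must agree for the signature to verify.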