【问题标题】:error making upstream request 403 sts vault from aws instance从 aws 实例发出上游请求 403 sts vault 时出错
【发布时间】:2021-02-16 13:27:09
【问题描述】:

我已将一个 IAM 角色附加到 aws 实例。角色my-role 具有管理权限和sts 权限。

我运行了以下命令,但出现错误。

export VAULT_ADDR=https://somevaultsite.com
vault login -tls-skip-verify -address=https://somevaultsite.com -method=aws role=my-role
Error authenticating: Error making API request.

URL: PUT https://somevaultsite.com/v1/auth/aws/login
Code: 400. Errors:

* error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>InvalidClientTokenId</Code>
    <Message>The security token included in the request is invalid</Message>
  </Error>
  <RequestId>SOME-REQUEST-ID</RequestId>
</ErrorResponse>

当我通过传递区域运行 Vault 命令时,我得到的错误为

vault login -tls-skip-verify -address=https://somevaultsite.com -method=aws role=my-role region=us-gov-west-1
Error authenticating: Error making API request.

URL: PUT https://somevaultsite.com/v1/auth/aws/login
Code: 400. Errors:

* error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>SignatureDoesNotMatch</Code>
    <Message>Credential should be scoped to a valid region, not 'us-gov-west-1'. </Message>
  </Error>
  <RequestId>SOME-REQUEST-ID</RequestId>
</ErrorResponse>

我也限制了保险库中的角色。

vault write auth/aws/role/my-role auth_type=iam policies=my-policy max_ttl=1h bound_iam_principal_arn=arn:aws-us-gov:iam::xxxxx:role/my-role

注意:- 我添加了 -tls-skip-verify 选项,因为证书无效。

【问题讨论】:

    标签: amazon-web-services amazon-ec2 amazon-iam vault


    【解决方案1】:

    我们应该设置 sts 端点

    vault write auth/aws/config/client sts_endpoint=https://sts.us-gov-west-1.amazonaws.com
    

    然后运行你的登录命令

    vault login -tls-skip-verify -address=https://somevaultsite.com -method=aws role=my-role region=us-gov-west-1
    
    
    Success! You are now authenticated. The token information displayed below is already stored in the token helper. You do NOT need to run "vault login" again. Future Vault requests will automatically use this token.
    

    这里是a Google group link with discussion

    另一个link for sts.

    【讨论】:

      猜你喜欢
      • 1970-01-01
      • 2021-12-17
      • 1970-01-01
      • 2021-06-07
      • 1970-01-01
      • 2023-03-10
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      相关资源
      最近更新 更多