How to change region when using IAM authentication

Describe the bug Please provide details of the problem, including the version of Spring Cloud that you are using.

version: spring cloud vault 1.1.1

Sample If possible, please provide a test case or sample application that reproduces the problem. This makes it much easier for us to diagnose the problem and to verify that we have fixed it.

I am trying to use AWS-IAM authentication with the Vault server, so in bootstrap I defined:

spring.cloud.vault:
      uri: ${VAULT_URI} #vault address
      config:
        order: -10
      authentication: AWS_IAM
      aws-iam:
        role: dev-role-iam
        aws-path: aws
      generic:
        enabled: true
        backend: secret
        profile-separator: /
        default-context: demo

I get an exception when starting the application

org.springframework.vault.VaultException: Cannot login using AWS-IAM: error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>SignatureDoesNotMatch</Code>
    <Message>Credential should be scoped to a valid region, not 'us-east-1'. </Message>
  </Error>
  <RequestId>a701528a-a2bb-4814-92f7-951b15bbef29</RequestId>
</ErrorResponse>

	at org.springframework.vault.authentication.AwsIamAuthentication.createTokenUsingAwsIam(AwsIamAuthentication.java:149)
.......

In my case, the EC2 instances are in the ‘cn-northwest-1’ region. How do I change the region when using IAM authentication?

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 7 (3 by maintainers)

Top GitHub Comments

1 reaction
mp911de commented, Oct 28, 2020

Looking at the Amazon docs, it should be possible to set the Endpoint URI to https://sts.eu-west-1.amazonaws.com to include the region identifier (e.g. spring.cloud.vault.aws-iam.endpoint-uri: https://sts.cn-northwest-1.amazonaws.com)

0 reactions
luckypolaris commented, Oct 30, 2020

You should be able to register a custom ClientAuthentication bean in the bootstrap context. Spring Cloud Vault 1.x is end of life and not maintained anymore.

@mp911de I tried registering a custom ClientAuthentication to support specifying the Endpoint_uri, and it’s working fine. I think this issue can be closed. Thanks again, bro.
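
A sketch of the custom `ClientAuthentication` bean approach described in the comments above, added here as an example and not code from the issue or from Spring Cloud Vault. It assumes Spring Vault 1.1 to 2.x with the AWS SDK for Java v1; the class name, the hand-built `RestOperations` and the endpoint constant (written with the `.amazonaws.com.cn` suffix that AWS China regions use) are assumptions.

```java
import java.net.URI;

import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.vault.authentication.AwsIamAuthentication;
import org.springframework.vault.authentication.AwsIamAuthenticationOptions;
import org.springframework.vault.authentication.ClientAuthentication;
import org.springframework.vault.client.VaultClients;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.web.client.RestOperations;

// Hypothetical class name. To load it in the bootstrap context, list it in
// META-INF/spring.factories under
// org.springframework.cloud.bootstrap.BootstrapConfiguration.
@Configuration
public class RegionalStsAuthConfiguration {

    // Regional STS endpoint; AWS China regions use the amazonaws.com.cn suffix.
    // Assumption: adjust to the region your EC2 instances run in.
    private static final URI STS_ENDPOINT =
            URI.create("https://sts.cn-northwest-1.amazonaws.com.cn");

    @Bean
    public ClientAuthentication clientAuthentication(
            @Value("${spring.cloud.vault.uri}") URI vaultUri) {

        AwsIamAuthenticationOptions options = AwsIamAuthenticationOptions.builder()
                .role("dev-role-iam")   // role from the configuration in the question
                .path("aws")            // auth mount path (aws-path in the question)
                // Resolves the instance profile credentials on EC2.
                .credentialsProvider(DefaultAWSCredentialsProviderChain.getInstance())
                // Sign the sts:GetCallerIdentity request for the regional endpoint
                // instead of the library default.
                .endpointUri(STS_ENDPOINT)
                .build();

        // Assumption: a plain request factory; reuse your TLS-configured factory
        // if Vault is served with a private CA.
        RestOperations vaultRest = VaultClients.createRestTemplate(
                VaultEndpoint.from(vaultUri), new SimpleClientHttpRequestFactory());

        return new AwsIamAuthentication(options, vaultRest);
    }
}
```

The 403 in the stack trace is returned by STS to the Vault server, which forwards the signed request, so the server's `auth/aws/config/client` settings (`sts_endpoint`, `sts_region`) need to name the same regional endpoint.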

