Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unable to create/update AWS authentication role after 1.17.0 - unable to resolve ARN to internal ID: InvalidParameter: 1 validation error(s) found #27765

Closed
agcorreatech opened this issue Jul 11, 2024 · 8 comments
Labels
auth/aws bug Used to indicate a potential bug regression Used to indicate possible regressions between versions

Comments

@agcorreatech
Copy link

Describe the bug
Unable to create/update AWS authentication role after 1.17.0
Error: unable to resolve ARN to internal ID: InvalidParameter: 1 validation error(s) found

To Reproduce
Steps to reproduce the behavior:

  1. Try to create/update AWS Auth Role after update to version 1.17.0:
$ vault write auth/aws/role/app-dev-role bound_iam_principal_arn="arn:aws:iam::123456789123:role/role-lambda"

Error writing data to auth/aws/role/app-dev-role: Error making API request.
URL: PUT https://vault.dev/v1/auth/aws/role/app-dev-role
Code: 400. Errors:

* unable to resolve ARN "arn:aws:iam::123456789123:role/role-lambda" to internal ID: InvalidParameter: 1 validation error(s) found. - minimum field size of 2, AssumeRoleInput.ExternalId.
  1. Read the STS Configuration:
$ vault read auth/aws/config/sts/123456789123
Key         Value
---         -----
sts_role    arn:aws:iam::123456789123:role/vault-dev
  1. As an alternative solution, the external_id parameter was defined in the STS configuration (this parameter should be optional, but in this case seems it's not):
vault write auth/aws/config/sts/123456789123 sts_role=arn:aws:iam::123456789123:role/vault-dev external_id="123"
Success! Data written to: auth/aws/config/sts/123456789123
$ vault read auth/aws/config/sts/123456789123
Key            Value
---            -----
external_id    123
sts_role       arn:aws:iam::123456789123:role/vault-dev
  1. After defining this parameter, it was possible to configure the AWS authentication role:
vault write auth/aws/role/app-dev-role bound_iam_principal_arn="arn:aws:iam::123456789123:role/role-lambda"
Success! Data written to: auth/aws/role/app-dev-role
  1. After updating the authentication role, the external_id parameter was removed from the STS configuration:
vault write auth/aws/config/sts/123456789123 sts_role=arn:aws:iam::123456789123:role/vault-dev external_id=""
Success! Data written to: auth/aws/config/sts/123456789123
vault read auth/aws/config/sts/123456789123
Key         Value
---         -----
sts_role    arn:aws:iam::123456789123:role/vault-dev
  1. After removing the parameter external_id, it was possible to configure the AWS authentication role again (meaning that it correctly assumed the destination role):
vault write auth/aws/role/app-dev-role bound_iam_principal_arn="arn:aws:iam::123456789123:role/role-lambda"
Success! Data written to: auth/aws/role/app-dev-role

Expected behavior
After upgrading to version 1.17.0, the STS configuration requires the external_id parameter to be defined (even though it is defined in the documentation as an optional parameter). It is not possible to make changes to AWS authentication roles for accounts that already have the STS configuration defined.

Environment:

  • Vault Server Version (retrieve with vault status): 1.17.0
  • Vault CLI Version (retrieve with vault version): 1.17.0
  • Server Operating System/Architecture: Amazon Linux 2
@agcorreatech agcorreatech changed the title Unable to create/update AWS authentication function after 1.17.0 - unable to resolve ARN to internal ID: InvalidParameter: 1 validation error(s) found Unable to create/update AWS authentication role after 1.17.0 - unable to resolve ARN to internal ID: InvalidParameter: 1 validation error(s) found Jul 11, 2024
@agcorreatech
Copy link
Author

Possible offending update in version 1.17.0 is this:
auth/aws: add support for external_ids in AWS assume-role [GH-26628]

@heatherezell heatherezell added auth/aws bug Used to indicate a potential bug regression Used to indicate possible regressions between versions labels Jul 15, 2024
@jskilton
Copy link

This broke for us too. 1.17 can no longer use the standard STS and assume role to use AWS AUTH engine.
I had to put this into my TERRAFORM to create the AWS AUTH endpoints and STS roles, as the current HASHI TF provider does not even have "external_id" as a valid field for the STS backend config. (you can do it with the CLI, but not with the TF provider.)

I used the GENERIC to add the external_id to the STS config to get it working again.

`resource "vault_generic_endpoint" "aws" {
count = local.aws.enabled == "true" ? length(local.aws.accounts) : 0
depends_on = [vault_aws_auth_backend_sts_role.role]
path = "auth/aws/config/sts/${local.aws.accounts[count.index]}"
ignore_absent_fields = true

data_json = <<EOT
{
"external_id": "123"
}
EOT
}`

@Sayrus
Copy link

Sayrus commented Jul 22, 2024

Hitting this issue as well, and with the same issue as @jskilton on the Terraform Provider. Overwriting the auth role to add external_id manually even if not required by the target STS fixes the issue.

The associated STS role must be configured to require the external ID.

So either the must here is a should, or there is another bug hidden that make it works.

I followed the code in the linked MR a bit, and shouldn't the default value passed to AWS here be nil if the value is unset instead of empty string? (https://github.com/aws/aws-sdk-go/blob/main/aws/credentials/stscreds/assume_role_provider.go#L162)

@PJ1288
Copy link

PJ1288 commented Jul 22, 2024

We are hitting the same issue with 1.17+ versions.
IAM client: InvalidParameter: 1 validation error(s) found. - minimum field size of 2, AssumeRoleInput.ExternalId.

@micolun
Copy link

micolun commented Jul 25, 2024

Same here with Vault 1.17.1 after upgrading it from 1.16.2
I am using Vault terraform provider and logging in with AWS assumed role

│ Error: Error making API request.
│ 
│ URL: PUT https://vault-test.example.com/v1/auth/aws/master/login
│ Code: 400. Errors:
│ 
│ * error looking up full ARN of entity &{aws 1234567890123 assumed-role  AWSReservedSSO_AdministratorAccess_3497746d3cd20e29 micolun} when attempting login for role "1234567890123": error creating IAM client: InvalidParameter: 1 validation error(s) found.
│ - minimum field size of 2, AssumeRoleInput.ExternalId.

This is not the first Vault issue related to AWS auth method I encountered.
AWS assumed roles are poorly supported in Vault.

@KalenWessel
Copy link

Currently on Vault 1.17.2 and also hitting the same issue with AWS auth:

minimum field size of 2, AssumeRoleInput.ExternalId.

Once I manually added the external_id authentication worked.

vault write auth/aws/config/sts/123456789 sts_role=arn:aws:iam::123456789:role/vault-cross-account external_id="123"

Thanks #27765 (comment) for the suggestion. Would have been nice if the vault_aws_auth_backend_sts_role resource supported external_id

@ttruong-actian
Copy link

same issues for me

* unable to resolve ARN "arn:aws:iam::<accountId>:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_aws-account-user_530707c917121354" to internal ID: InvalidParameter: 1 validation error(s) found.
- minimum field size of 2, AssumeRoleInput.ExternalId.

@biazmoreira
Copy link
Contributor

Hi,

The fix for this has been merged and will be included in the next release. #27858

Thank you for flagging this!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
auth/aws bug Used to indicate a potential bug regression Used to indicate possible regressions between versions
Projects
None yet
Development

No branches or pull requests

9 participants