AWS IAM auth 'Content-Length' header causes validation error when sent as number instead of string or []strings #3763
Comments
I removed the additional headers and now vault returns this error:
This is the request object that
|
Tested without the |
Hey @DaniGuardiola -- I think there are two issues here. On the first issue you mentioned, the AWS NodeJS SDK is returning a content-length header as an int, when HTTP headers should be either a string or array of strings. This is the same issue mentioned in #2810 (comment) but it's a different error message now due to changes to support a string or array of strings (as opposed to just the latter). On the second, try setting the region to |
Hi @joelthompson! Thank you very much for your response! I tried changing the region to This is the new request (
|
@DaniGuardiola Any chance you're able to build and test from our repo? |
Please try the https://github.com/hashicorp/vault/tree/aws-jsonnumber branch and let me know if it fixes the json.Number error with your original data set. |
@jefferai Done This is the signed request options (ignore non-request stuff, it's
And this is the request passed to the
(The data is not really sensitive so I'm not gonna censor it anymore for now) Now I get this error: |
And when I remove the extra headers I still get the |
Full example without the
|
The
|
The credentials were not set because of a small bug I just fixed, now it's not |
Was just going to comment on that (wasn't sure if The error you get should only happen when STS returns a 200 response but the XML is in a format that's not recognized by Vault, which shouldn't ever happen (though the error gets eaten). Are you doing anything non-standard on the Vault server, such as going through an HTTP web proxy or setting an alternate Also, since you're able to test dev builds, I'll try to push a branch to my fork later tonight that should add more verbose logging messages. |
@joelthompson here :)
|
I don't think so :/ Would it help if I insert some logs somewhere, rebuild and re-run the dev server? Can I extend that error message in the code to add more information? Don't wanna pressure you but I gotta get this done soon so if there's any way I can speed up the process just tell me :) |
Wait, I'm using nginx to publish the vault dev server, I proxy |
:(
|
I'm starting to think the issue is your setting First, can you take your original code without If that doesn't work, try changing this line: vault/builtin/credential/aws/path_login.go Line 1510 in 2a32435
To something like: return nil, fmt.Errorf("error parsing STS response; original response: %q; error: %q", string(responseBody), err) and then rebuild and rerun the test; I think that should give more information. |
@joelthompson I can modify the aws4 version locally to do so, gimme a sec |
@joelthompson bingo!!
(data modified for privacy) |
The Thank you both for your fast response! If you need me for further testing you can hmu :) |
@DaniGuardiola I've updated (via force-push) the |
Checked ( |
It'll be in 0.9.2, yep! |
Environment:
Vault Config File:
(dev server)
Expected Behavior:
Vault returns the IAM auth login response, as described in the docs
Actual Behavior:
Vault returned this error:
Error parsing iam_request_headers: header "Content-Length" value "43" has type json.Number, not string or []interface
Steps to Reproduce:
Create request and sign it with aws4 npm module:
Original signed request (aws4)
Formatted for vault
Important Factoids:
- aws backend initialized
- request-promise-native npm module for requests
- aws4 module for aws request signing. This module adds the Content-Length header before signing the request, but it does so correctly (as a number).
- node-vault module (I'm adding some functionalities), here's the failing code

Please help!
This is blocking and urgent for my company :/ thanks in advance!
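
The `json.Number` error reported above, reproduced as an added example that is not Vault's code and not from this thread: a hypothetical `parseHeaders` helper decodes a header map with `UseNumber`, rejecting the numeric `Content-Length` in strict mode and keeping it as its decimal string otherwise. The sample JSON is constructed; only the `Content-Length` value 43 comes from the reported error.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
)

// parseHeaders is a hypothetical helper for this example, not Vault's function.
func parseHeaders(raw []byte, strict bool) (http.Header, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.UseNumber() // JSON numbers arrive as json.Number instead of float64
	var in map[string]interface{}
	if err := dec.Decode(&in); err != nil {
		return nil, fmt.Errorf("invalid header JSON: %v", err)
	}
	out := http.Header{}
	for name, v := range in {
		switch val := v.(type) {
		case string:
			out.Add(name, val)
		case json.Number:
			if strict { // reject numbers: the behaviour reported in the issue
				return nil, fmt.Errorf("header %q value %q has type %T, not string or []interface", name, val, val)
			}
			out.Add(name, val.String()) // lenient: keep the number as a header string
		case []interface{}:
			for _, item := range val {
				s, ok := item.(string)
				if !ok {
					return nil, fmt.Errorf("header %q has a list item of type %T, not string", name, item)
				}
				out.Add(name, s)
			}
		default:
			return nil, fmt.Errorf("header %q has unsupported type %T", name, v)
		}
	}
	return out, nil
}

// sample is constructed for this example (43 matches the reported error).
const sample = `{"Content-Length": 43, "Host": "sts.amazonaws.com", "X-Example": ["a", "b"]}`
func main() {
	_, strictErr := parseHeaders([]byte(sample), true)
	h, err := parseHeaders([]byte(sample), false)
	fmt.Println(strictErr, "|", h.Get("Content-Length"), err)
}
```

A client can avoid the strict-mode failure on its side by converting every header value to a string before JSON-encoding the signed headers.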