DynamoDB backend cannot assume role in a different AWS account due to awsutil limitations #28507

Open · sergeylanzman opened this issue Sep 25, 2024 · 0 comments · May be fixed by #28508
Labels: auth/aws, dependencies, storage/dynamodb

sergeylanzman (Contributor):
When using the DynamoDB physical backend for Vault in an EKS (Elastic Kubernetes Service) environment, we are unable to access a DynamoDB instance located in a different AWS account using IAM role assumption. The current implementation using awsutil does not support assuming roles via the shared config file (~/.aws/config), which prevents Vault from accessing DynamoDB across AWS accounts.

Details:

Environment:

  • Vault running in EKS
  • DynamoDB located in a different AWS account
  • Access to DynamoDB should be obtained via IAM role assumption

Problem:
The DynamoDB backend uses github.com/hashicorp/go-secure-stdlib/awsutil for credential management, which does not support loading profiles and assuming roles defined in the shared AWS config file (~/.aws/config). This limitation makes it impossible to configure Vault to assume a role in another AWS account to access DynamoDB.

Attempted Workaround:

We tried configuring the shared AWS config file inside the pod with the following content:

[profile default]
source_profile = local
role_arn = arn:aws:iam::AAAAAAAA:role/vault-role

[profile local]
web_identity_token_file = /var/run/secrets/eks.amazonaws.com/serviceaccount/token
role_arn = arn:aws:iam::BBBBBBBBB:role/vault-role

However, awsutil does not recognize or properly handle this configuration, and as a result, Vault cannot assume the role to access DynamoDB in the other AWS account.

Analysis:

The standard AWS SDK for Go supports loading credentials and configuration from the shared config file and can handle role assumption chains, including those using web identity tokens (such as those provided by EKS service accounts). The use of awsutil in the DynamoDB backend bypasses this functionality, limiting the ways in which credentials can be provided.

Expected Behavior:

Vault should be able to use the standard AWS SDK credential providers to assume roles defined in the shared config file, allowing it to access DynamoDB instances in other AWS accounts. This includes supporting complex credential chains and role assumptions that are commonly used in multi-account AWS environments.
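The following is an added example, not Vault, awsutil or AWS SDK code. It parses the subset of ~/.aws/config syntax shown in the issue and walks the role chain the SDK would have to perform for the `default` profile: an AssumeRoleWithWebIdentity call with the EKS service-account token for the role in account BBBBBBBBB, followed by an AssumeRole call into account AAAAAAAA using those credentials. The resolution rules (web identity token wins over source_profile; a static key is a chain root; loops and missing profiles are rejected) are a simplified, assumed reading of the shared-config semantics, not the SDK's implementation, and the `aws_access_key_id` handling is an assumption beyond the issue's config.

```go
package main

import (
	"fmt"
	"strings"
)

// Added illustration of shared-config role chaining; not Vault/awsutil/SDK code.

// profile holds the keys this example understands from one config section.
type profile struct {
	roleARN              string // role_arn
	sourceProfile        string // source_profile
	webIdentityTokenFile string // web_identity_token_file
	accessKeyID          string // aws_access_key_id (static credential root; assumed)
}

// step is one STS call (or static-credential use) in the resolved chain.
type step struct {
	Op      string // "Static", "AssumeRoleWithWebIdentity" or "AssumeRole"
	RoleARN string
	Via     string // token file, source profile name, or "" for static
}

// parseSharedConfig reads [default] / [profile NAME] sections of key = value lines.
func parseSharedConfig(text string) (map[string]*profile, error) {
	profiles := map[string]*profile{}
	var cur *profile
	for i, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";"):
			continue
		case strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]"):
			name := strings.TrimSpace(line[1 : len(line)-1])
			name = strings.TrimSpace(strings.TrimPrefix(name, "profile "))
			cur = &profile{}
			profiles[name] = cur
		case cur == nil:
			return nil, fmt.Errorf("line %d: key outside of a section", i+1)
		default:
			kv := strings.SplitN(line, "=", 2)
			if len(kv) != 2 {
				return nil, fmt.Errorf("line %d: expected key = value", i+1)
			}
			k, v := strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1])
			switch k {
			case "role_arn":
				cur.roleARN = v
			case "source_profile":
				cur.sourceProfile = v
			case "web_identity_token_file":
				cur.webIdentityTokenFile = v
			case "aws_access_key_id":
				cur.accessKeyID = v
			}
		}
	}
	return profiles, nil
}

// resolveChain returns the ordered calls needed to obtain credentials for name,
// chain root first. Missing profiles and source_profile loops are errors.
func resolveChain(profiles map[string]*profile, name string) ([]step, error) {
	var chain []step
	visited := map[string]bool{}
	for {
		if visited[name] {
			return nil, fmt.Errorf("profile %q: source_profile loop", name)
		}
		visited[name] = true
		p, ok := profiles[name]
		if !ok {
			return nil, fmt.Errorf("profile %q not found", name)
		}
		switch {
		case p.roleARN != "" && p.webIdentityTokenFile != "":
			chain = append(chain, step{"AssumeRoleWithWebIdentity", p.roleARN, p.webIdentityTokenFile})
			return reverse(chain), nil
		case p.roleARN != "" && p.sourceProfile != "":
			chain = append(chain, step{"AssumeRole", p.roleARN, p.sourceProfile})
			name = p.sourceProfile // keep walking towards the chain root
		case p.accessKeyID != "":
			chain = append(chain, step{"Static", "", ""})
			return reverse(chain), nil
		default:
			return nil, fmt.Errorf("profile %q has no usable credential source", name)
		}
	}
}

func reverse(s []step) []step {
	for i, j := 0, len(s)-1; i < j; i, j = i+1, j-1 {
		s[i], s[j] = s[j], s[i]
	}
	return s
}

// issueConfig is the shared config quoted in the issue (constructed sample input).
const issueConfig = `[profile default]
source_profile = local
role_arn = arn:aws:iam::AAAAAAAA:role/vault-role

[profile local]
web_identity_token_file = /var/run/secrets/eks.amazonaws.com/serviceaccount/token
role_arn = arn:aws:iam::BBBBBBBBB:role/vault-role
`

func main() {
	profiles, err := parseSharedConfig(issueConfig)
	if err != nil {
		panic(err)
	}
	chain, err := resolveChain(profiles, "default")
	if err != nil {
		panic(err)
	}
	for i, s := range chain {
		fmt.Printf("%d. %s %s via %s\n", i+1, s.Op, s.RoleARN, s.Via)
	}
}
```

For this chain to work at runtime, both trust relationships must exist independently of which Go library builds the credentials: the role in account BBBBBBBBB must trust the cluster's OIDC provider for the Vault service account (IRSA), and the role in account AAAAAAAA must trust the BBBBBBBBB role for sts:AssumeRole. Resolving the chain up front, as above, also makes misconfigurations (a source_profile that points back at itself, a profile name that does not exist) fail at startup rather than on the first DynamoDB request.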
