Cannot connect to S3 storage backend using IAM role #2853
Comments
Same here, using Vault v0.7.3 on EC2 instance. Vault config
IAM Role Config
Installed the aws-cli on the machine and
Does 0.7.2 work okay? Could be a regression in the official aws library if so.
@jefferai I did a test with binary versions 0.7.0, 0.7.1, 0.7.2 and 0.7.3, same result
I removed the IAM role from the machine and set my personal access_key and secret_key that has AdministratorAccess policy and still getting Edit:
This was not a problem with the code, at least for me. But after this I have two suggestions.
@jefferai what do you think?
Hi Andri, I would have thought the IAM credentials would specify the region that should be used but I guess not. I'm in favor of option 2, not option 1, but: does Vault create the buckets in the first place? If not, would they then get an error merely because they're trying to run for the first time?
No, the vault is not creating the bucket and I think that is the right way to go about this. I think the errors from the 's3conn.HeadBucket()' command are really strange. Option 2 would cover these strange error messages from aws, but little changes are needed because the IAM should not need to have the access to list all buckets.
It ended up being really simple: use 'ListObjects' when validating the bucket, not 'HeadBucket'. It is probably a bigger request, but the error messages are much better.
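Why that switch improves the error text, as an added example that is not part of the thread or of Vault's code: HeadBucket is an HTTP HEAD request, whose response carries no body, so S3's XML error (including the region it expected) never reaches the client, while ListObjects is a GET. The mock server, `probe`, the bucket name and the sample error body are constructed for illustration and use only Go's standard library, not the AWS SDK.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Constructed sample shaped like the XML error S3 returns for a wrong-region signature.
const sampleS3Error = `<Error><Code>AuthorizationHeaderMalformed</Code><Region>eu-west-1</Region>
<Message>The authorization header is malformed; the region 'us-east-1' is wrong; expecting 'eu-west-1'</Message></Error>`

type s3Error struct{ Code, Message, Region string }

// newMockS3 (hypothetical) rejects every request with the sample error; net/http drops the body for HEAD.
func newMockS3() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusBadRequest)
		io.WriteString(w, sampleS3Error)
	}))
}

// probe sends one request and returns the most specific diagnosis available.
func probe(method, url string) (string, error) {
	req, err := http.NewRequest(method, url, nil)
	if err != nil {
		return "", err
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	var e s3Error
	if xml.Unmarshal(body, &e) != nil || e.Code == "" {
		return resp.Status, nil // HEAD: no body, only the status line is left
	}
	return fmt.Sprintf("%s: %s (expected region %s)", e.Code, e.Message, e.Region), nil
}

func main() {
	srv := newMockS3()
	defer srv.Close()
	fmt.Println(probe("HEAD", srv.URL+"/example-bucket"))
	fmt.Println(probe("GET", srv.URL+"/example-bucket"))
}
```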
Cool. Can you PR?
Done: #2892
Travis is failing because of
Yeah, the cassandra tests are really hit and miss for some reason, having to do with how Docker is feeling on Travis at any given time. No worries about that :-)
Closed via #2892
What was the answer for IAM role? Is there any resolution? I am not using docker but stable version of vault 0.7.2
No worries, seems like it's looking for region :) all good now.
I'm running vault 0.7.3 using the official docker container. The ec2 instance the container is running on has an IAM role allowing access to an S3 bucket. When starting vault I get a 400 Bad Request error and vault fails to start.
Vault config
IAM Role Config