Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AWS vault spring boot error making upstream request: received error code 403 from STS #885

Open
sebastianreloaded opened this issue Sep 23, 2024 · 0 comments
Open

AWS vault spring boot error making upstream request: received error code 403 from STS #885

sebastianreloaded opened this issue Sep 23, 2024 · 0 comments

Comments

@sebastianreloaded
Copy link

Hello,
i use vault v1.17.5 and org.springframework.vault:spring-vault-core:3.1.2

When using kv_v1 secrets i get an error after 6 hours and i don’t know why.
Until the 6 hour mark the kv-secrets are refreshed regularly and auth/token/renew-self
and auth/aws-iam/login are called successfully every 1 hour.

But after 6 hours i get “error making upstream request: received error code 403 from STS: The security token included in the request is expired”:

{
    "auth": {
        "policy_results": {
            "allowed": true
        },
        "token_type": "default"
    },
    "request": {
        "data": {
            "iam_http_request_method": "POST",
            "iam_request_body": "QWNwNi0xNQ==",
            "iam_request_headers": "eyJBdJdfQ==",
            "iam_request_url": "aHR0vbS8=",
            "role": "studiomiddleware-api-dev"
        },
        "id": "1bf4dec9-203d-64b7-faa7-72abdcd5316f",
        "mount_accessor": "auth_aws_ec607cf2",
        "mount_class": "auth",
        "mount_point": "auth/aws-iam/",
        "mount_running_version": "v1.17.5+builtin.vault",
        "mount_type": "aws",
        "namespace": {
            "id": "root"
        },
        "operation": "update",
        "path": "auth/aws-iam/login",
        "remote_address": "10.61.72.126",
        "remote_port": 57848
    },
    "response": {
        "data": {
            "error": "error making upstream request: received error code 403 from STS: <ErrorResponse xmlns=\"https://sts.amazonaws.com/doc/2011-06-15/\">\n  <Error>\n    <Type>Sender</Type>\n    <Code>ExpiredToken</Code>\n    <Message>The security token included in the request is expired</Message>\n  </Error>\n  <RequestId>52673536-1adc-4942-b253-7e09ed4d24aa</RequestId>\n</ErrorResponse>\n"
        },
        "mount_accessor": "auth_aws_ec607cf2",
        "mount_class": "auth",
        "mount_point": "auth/aws-iam/",
        "mount_running_plugin_version": "v1.17.5+builtin.vault",
        "mount_type": "aws"
    },
    "time": "2024-09-20T17:47:55.325205678Z",
    "type": "response"
}

This doesnt correspond to the ttl of the “aws-iam” auth backend which is set to 3 hours and also not to the roles STS 1 hour maximum ttl.

I don’t understand where this 6 hour expiration comes from.
Anybody have an idea?
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sebastianreloaded