Amila Fonseka

Reputation: 402

Terraform Vault AWS provider Error: SignatureDoesNotMatch When Using AWS Login Method

I'm encountering an issue while using Terraform to provision an FSx server. I'm trying to retrieve a password from HashiCorp Vault using the Vault provider with AWS authentication. However, when I run my Terraform scripts, I get the following error.

URL: PUT https://hcvurl:8200/v1/auth/aws/login
Code: 400. Errors:

* error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>SignatureDoesNotMatch</Code>
    <Message>Credential should be scoped to a valid region. </Message>
  </Error>
  <RequestId>24b37364-0771-4f9d-9b95-12345678</RequestId>
</ErrorResponse>

Terraform Configuration

Here is the relevant part of my Terraform configuration:

provider "aws" {
  alias   = "aws_alias"
  region  = var.aws_region
  version = ">= 3.8.0"
  assume_role {
    role_arn = var.role_arn
  }
}

provider "vault" {
  address = "https://hcvUrl:8200"

  # The "aws" method signs an STS GetCallerIdentity request with the AWS
  # credentials available to the Vault provider and posts it to auth/aws/login.
  auth_login {
    path   = "auth/aws/login"
    method = "aws"
    parameters = {
      role = "my-dev-role"
    }
  }
}

And the part where I retrieve the secret:

data "vault_generic_secret" "fsx_service_account" {
  provider = vault
  path     = "path/to/the/secret"
}

# Nested block of the aws_fsx_windows_file_system resource (the enclosing resource is omitted here).
self_managed_active_directory {
    username                               = var.fsx_service_account_username
    password                               = data.vault_generic_secret.fsx_service_account.data["password"]
    dns_ips                                = var.activedirectory_dc_ips
    domain_name                            = var.fsx_domain
    organizational_unit_distinguished_name = var.organizational_unit_distinguished_name
}

What I've Tried

Checked AWS Region: Verified that the region specified in the AWS provider configuration matches the region where the Vault instance is running.

Verified IAM Role: Ensured that the my-dev-role has the necessary permissions.

Note: The Vault role is configured to allow AWS authentication using the STS token.

Question:

What could be causing the SignatureDoesNotMatch error when Terraform attempts to authenticate to Vault using AWS credentials? Are there any additional configurations or steps I should consider to resolve this issue?

Upvotes: 0

Views: 83

Answers (1)

Martin Zeitler

Reputation: 76699

See the documentation ...

# ~/.aws/config
[default]
sts_regional_endpoints = regional

Upvotes: 0
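The setting in the answer matters because of how the login request is signed. As an added example (not code from the question, the answer, the Terraform Vault provider or Vault itself), the Python below builds the body that the `aws` login method sends to `auth/aws/login`: a SigV4-signed STS `GetCallerIdentity` request whose `Authorization` header carries a credential scope of the form `<date>/<region>/sts/aws4_request`. Vault forwards that signed request to STS on the client's behalf. The global endpoint `sts.amazonaws.com` only accepts a scope of `us-east-1`, while a regional endpoint accepts its own region, so a signature scoped to some other region that reaches the global endpoint is exactly what STS rejects with "Credential should be scoped to a valid region". The Vault provider builds this signature from the AWS credentials and region in its own process environment, not from the `aws` provider block with `assume_role`. The access key, secret, session token and timestamp below are constructed placeholders; `forwarded_to` stands for the STS endpoint the Vault server itself calls (its `auth/aws/config/client` settings `sts_endpoint`/`sts_region`, defaulting to the SDK's standard endpoint).

```python
"""Added example, not from the question, the answer or HashiCorp's code.

Builds the body Vault's `aws` login method (IAM type) sends to auth/aws/login
and checks whether the SigV4 credential-scope region in it is one the addressed
STS endpoint accepts.  All credentials and the timestamp are constructed.
"""
import base64
import hashlib
import hmac
import json
import re
from urllib.parse import urlparse

# Constructed placeholder credentials; they are not valid AWS keys.
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE00"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SESSION_TOKEN = "FwoGZXIvYXdzEXAMPLESESSIONTOKEN"
AMZ_DATE = "20240101T120000Z"      # fixed signing time for reproducibility
DATE_STAMP = AMZ_DATE[:8]
BODY = "Action=GetCallerIdentity&Version=2011-06-15"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def build_login_payload(sts_url: str, scope_region: str, vault_role: str) -> dict:
    """Sign an STS GetCallerIdentity POST with SigV4 and wrap it as a Vault login body.

    `scope_region` ends up in `Credential=.../<date>/<region>/sts/aws4_request`;
    STS only accepts it if it is valid for the endpoint that receives the request.
    """
    headers = {
        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
        "Host": urlparse(sts_url).netloc,
        "X-Amz-Date": AMZ_DATE,
        "X-Amz-Security-Token": SESSION_TOKEN,
    }

    # Step 1: canonical request (lower-cased, sorted headers; hashed body).
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    signed_names = ";".join(sorted(lower))
    canonical_headers = "".join(f"{k}:{lower[k]}\n" for k in sorted(lower))
    body_hash = hashlib.sha256(BODY.encode()).hexdigest()
    canonical_request = "\n".join(["POST", "/", "", canonical_headers, signed_names, body_hash])

    # Step 2: string to sign, carrying the credential scope STS will check.
    scope = f"{DATE_STAMP}/{scope_region}/sts/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", AMZ_DATE, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])

    # Step 3: derive the signing key from secret, date, region and service, then sign.
    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + SECRET_KEY).encode(), DATE_STAMP),
                                  scope_region), "sts"), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/{scope}, "
                                f"SignedHeaders={signed_names}, Signature={signature}")

    # Vault's login body: method, URL, body and headers, each base64-encoded.
    # Header values are lists, matching the Go http.Header JSON Vault expects.
    return {
        "role": vault_role,
        "iam_http_request_method": "POST",
        "iam_request_url": _b64(sts_url),
        "iam_request_body": _b64(BODY),
        "iam_request_headers": _b64(json.dumps({k: [v] for k, v in headers.items()})),
    }


def credential_scope_region(headers_b64: str) -> str:
    """Region STS reads from the Authorization header's credential scope."""
    auth = json.loads(base64.b64decode(headers_b64))["Authorization"][0]
    m = re.search(r"Credential=[^/]+/\d{8}/([^/]+)/sts/aws4_request", auth)
    if not m:
        raise ValueError("Authorization header carries no SigV4 credential scope")
    return m.group(1)


def endpoint_region(sts_url: str) -> str:
    """Region an STS endpoint accepts: the global endpoint only takes us-east-1,
    a regional endpoint (sts.<region>.amazonaws.com) takes its own region."""
    host = urlparse(sts_url).hostname or ""
    if host == "sts.amazonaws.com":
        return "us-east-1"
    m = re.fullmatch(r"sts(?:-fips)?\.([a-z0-9-]+)\.amazonaws\.com(?:\.cn)?", host)
    if not m:
        raise ValueError(f"unrecognised STS host: {host!r}")
    return m.group(1)


def scope_matches_endpoint(payload: dict, forwarded_to=None) -> bool:
    """False is the 'Credential should be scoped to a valid region' condition.

    `forwarded_to` is the STS endpoint the Vault server actually calls; by
    default the URL the client signed for is used.
    """
    url = forwarded_to or base64.b64decode(payload["iam_request_url"]).decode()
    return credential_scope_region(payload["iam_request_headers"]) == endpoint_region(url)
```

`scope_matches_endpoint` returns True only when the scope region and the endpoint that actually receives the request agree: a payload signed for `eu-west-1` against `https://sts.amazonaws.com/` returns False, the condition behind the 403 in the question, and a payload signed for `eu-west-1` against `https://sts.eu-west-1.amazonaws.com/` returns True unless `forwarded_to` points Vault at the global endpoint. The answer's `sts_regional_endpoints = regional` decides which endpoint, and therefore which scope, the client side signs for; passing `forwarded_to` lets you compare that against the endpoint the Vault server is configured to use.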
