Vault Error: context deadline exceeded on usage of IAM boundary with path_role attribute in IAM role

[T0tt1]

Describe the bug
Using server Vault v1.4.2. I am creating a role using type aws/iam.
If I create a IAM role which do have role_path property and instance_profile_path property defined in Terraform, once I create in vault the role and make the boundary to the afore mentioned IAM role, I am unable to login in and getting the error
Error: context deadline exceeded
It works with arn:aws:iam::XXXXXXXX:role/staging-github-action-runners-runner-role-toad
and getting the mentioned error while ARN looks like arn:aws:iam::XXXXXXXXXXX:role/hashicorp-manager/staging-github-action-runners-runner-role-toad

To Reproduce
Steps to reproduce the behavior:
0. Create via TF IAM role which produces following arn (set in TF role_path and instance_profile_path) ==> arn:aws:iam::XXXXXXXXXXX:role/hashicorp-manager/staging-github-action-runners-runner-role-toad

1. Run vault auth enable aws
2. Run vault write auth/aws/config/client sts_endpoint=https://sts.us-east-1.amazonaws.com sts_region=us-east-1
3. Run cat << EOF | vault policy write master-policy - # Root path "*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] } EOF
4. Run vault write \ auth/aws/role/master-role \ auth_type=iam \ policies=master-policy \ resolve_aws_unique_ids=false \ max_ttl=1h \ token_ttl=1h \ bound_iam_principal_arn=${runner_instance_profile_role}
5. SSH on EC2 instance where IAM role is assigned
6. Run vault login -method=aws role=master-role
7. See error ==> Error authenticating: context deadline exceeded

Expected behavior
No matter of the fact whether I do have role_path and instance_profile_path used while creating IAM role, once I provide the arn during the creation of role in Vault I must be able to login.
Creating an IAM role with arn arn:aws:iam::XXXXXXXXXXX:role/hashicorp-manager/staging-github-action-runners-runner-role-toad and passing it via command:
vault write \ auth/aws/role/master-role \ auth_type=iam \ policies=master-policy \ resolve_aws_unique_ids=false \ max_ttl=1h \ token_ttl=1h \ bound_iam_principal_arn=${runner_instance_profile_role}

Should allow me to login just like this:

h-4.2$ vault login -method=aws role=master-role
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key Value

---

token obfuscated
token_accessor obfuscated
token_duration 1h
token_renewable true
token_policies ["default" "master-policy"]
identity_policies []
policies ["default" "master-policy"]
token_meta_account_id obfuscated
token_meta_auth_type iam
token_meta_role_id obfuscated
sh-4.2$

Environment:

• Vault Server Version (retrieve with vault status):
  sh-4.2$ vault status
  Key Value

---

Recovery Seal Type shamir
Initialized true
Sealed false
Total Recovery Shares obfuscated
Threshold obfuscated
Version 1.4.2
Cluster Name vault-cluster
Cluster ID obfuscated
HA Enabled true
HA Cluster https://obfuscated:8201
HA Mode active

• Vault CLI Version (retrieve with vault version):
  sh-4.2$ vault version
  Vault v1.4.2
• Server Operating System/Architecture:
  sh-4.2$ cat /etc/os-release
  NAME="Amazon Linux"
  VERSION="2"
  ID="amzn"
  ID_LIKE="centos rhel fedora"
  VERSION_ID="2"
  PRETTY_NAME="Amazon Linux 2"
  ANSI_COLOR="0;33"
  CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
  HOME_URL="https://amazonlinux.com/"

Vault server configuration file(s):

ui = false

listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_cert_file   = "obfuscated"
  tls_key_file    = "obfuscated"
}

service_registration "consul" {
  address = "127.0.0.1:8500"
}

          service_registration "consul" {
            address = "127.0.0.1:8500"
          }
          seal "awskms" {
            region     = "us-east-1"
            kms_key_id = "obfuscated"
          }

          storage "dynamodb" {
            ha_enabled = "true"
            region = "us-east-1"
            table  = "obfuscated"
          }
          # HA settings
          cluster_addr  = "https://obfuscated:8201"
          api_addr      = "https://obfuscated:8200"

telemetry {
  statsd_address = "localhost:8125"
  disable_hostname = true
}

Additional context
Add any other context about the problem here.

[heatherezell]

Hello! Can you please try to replicate this issue with a newer version of Vault? You can see the Vault releases available here: https://releases.hashicorp.com/vault/
As a general rule, we accept issues for versions "n-2", so we would accept issues of bug reports for version 1.7 or later. Thanks!

[T0tt1]

Hello! Can you please try to replicate this issue with a newer version of Vault? You can see the Vault releases available here: https://releases.hashicorp.com/vault/ As a general rule, we accept issues for versions "n-2", so we would accept issues of bug reports for version 1.7 or later. Thanks!

Thank you for the feedback, sir/madam!

Please find that the same issue has been observed after upgrading to version 1.9.0.

sh-4.2$ vault login -method=aws role=master-role
Error authenticating: context deadline exceeded
sh-4.2$ vault status
Key                      Value
---                      -----
Recovery Seal Type       shamir
Initialized              true
Sealed                   false
Total Recovery Shares    obfuscated
Threshold                obfuscated
Version                  1.9.0
Storage Type             dynamodb
Cluster Name             vault-cluster
Cluster ID               obfuscated
HA Enabled               true
HA Cluster               https://obfuscated:8201
HA Mode                  active
Active Since             2021-12-16T11:03:58.195799046Z

[heatherezell]

Thanks! I'll have someone take a look.

[heatherezell]

Also, looking at some resources for this issue, there might be a problem with network connectivity. Can you run curl $VAULT_ADDR/v1/sys/seal-status from the node you're running the vault login from? You may also wish to increase the client timeout, like so: export VAULT_CLIENT_TIMEOUT=300s
Let me know if either of those work for you!

[T0tt1]

Also, looking at some resources for this issue, there might be a problem with network connectivity. Can you run curl $VAULT_ADDR/v1/sys/seal-status from the node you're running the vault login from? You may also wish to increase the client timeout, like so: export VAULT_CLIENT_TIMEOUT=300s
Let me know if either of those work for you!

Thank you for your suggestion.
There is no issue with the network connectivity. Please check below:

sh-4.2$ curl $VAULT_ADDR/v1/sys/seal-status
{"type":"shamir","initialized":true,"sealed":false,"t":obfuscated,"n":obfuscated,"progress":0,"nonce":"","version":"1.9.0","migration":false,"cluster_name":"vault-cluster","cluster_id":"obfuscated","recovery_seal":true,"storage_type":"dynamodb"}
sh-4.2$

Response is received immediately after executing the curl command hence no need to update the timeout period.

[heatherezell]

In some cases, we've seen where the request to AWS may be not responding within the timeout period, which is why I recommend trying to increase that value. Please give it a try and let me know if it works. :)

[T0tt1]

In some cases, we've seen where the request to AWS may be not responding within the timeout period, which is why I recommend trying to increase that value. Please give it a try and let me know if it works. :)

Unfortunately proposed action is not working. I still think this is a bug and is not a misconfiguration on my end.

sh-4.2$ export PRIVATE_IP=$(dig +short obfuscated)
sh-4.2$ export VAULT_ADDR=https://$PRIVATE_IP:8200
sh-4.2$ vault login -method=aws header_value=$PRIVATE_IP role=master-role
Error authenticating: context deadline exceeded
sh-4.2$ export VAULT_CLIENT_TIMEOUT=300s
sh-4.2$ vault login -method=aws header_value=$PRIVATE_IP role=master-role
Error authenticating: Error making API request.

URL: PUT https://obfuscated:8200/v1/auth/aws/login
Code: 400. Errors:

* error looking up full ARN of entity &{aws obfuscated assumed-role  obfuscated i-03_obfuscated}: error fetching role "obfuscated": RequestError: send request failed
caused by: Post https://iam.amazonaws.com/: dial tcp obfuscated:443: i/o timeout
sh-4.2$

[heatherezell]

Can you confirm that you can reach iam.amazonaws.com:443 from your host?

[T0tt1]

Can you confirm that you can reach iam.amazonaws.com:443 from your host?

I confirm that address is reachable.

sh-4.2$ telnet iam.amazonaws.com 443
Trying 52.46.155.37...
Connected to iam.amazonaws.com.
Escape character is '^]'.

[heatherezell]

Thanks, @T0tt1! I appreciate your patience. I'll see what we can find out from our side. :)

[ocharles]

Did anything come of this? I'm hitting exactly this issue, with all the same diagnosis

Edit: I found out my issue was that I had set

resource "vault_aws_auth_backend_role" "nomad_client" {
  ...
  inferred_aws_region  = "us-east-1c"
}

This should actually have been us-east-1