Introduction
This guide addresses a common issue users face when reconfiguring or deleting the AWS Secrets Engine in HashiCorp Cloud Platform (HCP) Vault Dedicated. The problem typically arises after the IAM users or roles that Vault created in AWS are deleted manually, which causes errors when attempting to disable or reconfigure the AWS Secrets Engine. This article provides detailed steps to resolve these issues and return the engine to a properly configured state.
Symptoms
Users may encounter errors similar to the following when attempting to disable or reconfigure the AWS Secrets Engine:
Root Cause
This issue occurs when the AWS IAM roles or users created by Vault are manually deleted in AWS. Vault still holds leases for the credentials it issued, but the revocation calls it makes against AWS fail because the underlying IAM entities no longer exist, so operations that depend on a clean revocation (such as disabling the mount) fail as well.
Resolution Steps
Step 1: Force Unmount the AWS Secrets Engine
Force unmount the AWS secrets engine to bypass the standard revocation process:
$ vault write sys/mounts/aws/tune force_unmount=true
Success! Data written to: sys/mounts/aws/tune
Step 2: Disable the AWS Secrets Engine
Disable the AWS secrets engine:
$ vault secrets disable aws
Success! Disabled the secrets engine (if it existed) at: aws/
Step 3: List and Revoke Leases
Identify and revoke the remaining leases associated with the AWS credentials:
1. List the Leases:
$ vault list sys/leases/lookup/aws/creds/my-role
Keys
----
0i91llfYEzTDe9GMp6O.3J6X
W7s15ZLLFbYilGQcoYl.3J6X
1GsTkr1nhndz6gVpsil.3J6X
7NbbWIWF5yeb8TRRUu9.3J6X
2. Revoke Each Lease Individually (replace your_lease_id with each key listed above):
$ vault lease revoke -force -prefix aws/creds/my-role/your_lease_id
Warning! Force-removing leases can cause Vault to become out of sync with
secret engines!
Success! Force revoked any leases with prefix: aws/creds/my-role/your_lease_id
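Step 3 has to be repeated once per lease, and a role that issued many credentials can leave dozens of them behind. The following script is an added example, not part of the HashiCorp article: it takes the output of vault list sys/leases/lookup/<role path> and prints one force-revoke command per lease so an operator can review exactly what will be removed before piping the list into sh. The SAMPLE_KEYS value is a constructed copy of the listing shown above, used only so the helper functions can be exercised without a Vault server; the live path assumes an authenticated Vault CLI (VAULT_ADDR and VAULT_TOKEN already set) and the hypothetical RUN_LIVE switch.

```shell
#!/bin/sh
# Added example (not from the HashiCorp article): generate, and optionally run,
# the per-lease force-revoke commands for every lease under a role prefix.
# Assumes the Vault CLI is already authenticated (VAULT_ADDR / VAULT_TOKEN set).

# Constructed sample of `vault list sys/leases/lookup/aws/creds/my-role`
# output, so the helpers below can be tested without a Vault server.
SAMPLE_KEYS='Keys
----
0i91llfYEzTDe9GMp6O.3J6X
W7s15ZLLFbYilGQcoYl.3J6X
1GsTkr1nhndz6gVpsil.3J6X
7NbbWIWF5yeb8TRRUu9.3J6X'

# lease_ids: drop the two-line "Keys" / "----" header that `vault list`
# prints and any blank lines, leaving one lease id per line on stdout.
lease_ids() {
  sed -e '1,2d' -e '/^[[:space:]]*$/d'
}

# revoke_commands ROLE_PREFIX: read lease ids on stdin and print one
# `vault lease revoke -force -prefix ROLE_PREFIX/<id>` line per lease.
# Printing instead of executing lets the operator review the full list
# (force-revoking desynchronises Vault from the backend, as the CLI warns).
revoke_commands() {
  prefix="$1"
  while IFS= read -r id; do
    printf 'vault lease revoke -force -prefix %s/%s\n' "$prefix" "$id"
  done
}

# count_leases: number of leases in a `vault list` listing read from stdin.
count_leases() {
  lease_ids | wc -l | tr -d ' '
}

# Live usage (RUN_LIVE is a hypothetical switch for this example):
#   RUN_LIVE=1 sh revoke_leases.sh aws/creds/my-role
# Review first with:
#   vault list sys/leases/lookup/aws/creds/my-role | lease_ids \
#     | revoke_commands aws/creds/my-role
if [ "${RUN_LIVE:-0}" = "1" ]; then
  role_path="${1:-aws/creds/my-role}"
  vault list "sys/leases/lookup/$role_path" | lease_ids \
    | revoke_commands "$role_path" | sh
fi
```

When the script is run against a live cluster, review the printed commands once before appending | sh; the same listing can also be obtained as a JSON array with vault list -format=json, in which case jq -r '.[]' replaces the lease_ids filter.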
Step 4: Verify and Reconfigure the AWS Secrets Engine
Once all leases are revoked, you can re-enable and configure the AWS secrets engine:
1. Enable the AWS Secrets Engine:
$ vault secrets enable aws
Success! Enabled the aws secrets engine at: aws/
2. Configure the AWS root credentials again:
$ vault write aws/config/root \
    access_key=<your access key> \
    secret_key=<your secret key> \
    region=<your region>
Success! Data written to: aws/config/root
3. Define an AWS Role:
$ vault write aws/roles/my-role \
    credential_type=iam_user \
    policy_document=-<<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    }
  ]
}
EOF
Success! Data written to: aws/roles/my-role
4. Adjust the Default Lease TTL (if needed):
$ vault secrets tune -default-lease-ttl=2m -max-lease-ttl=2m aws/
Success! Tuned the secrets engine at: aws/
5. Verify the Credentials:
$ vault read aws/creds/my-role
Key               Value
---               -----
lease_id          aws/creds/my-role/mtK4lQn.3Jg6X
lease_duration    2m
lease_renewable   true
access_key        AKIA2W2YQFMZQ
secret_key        7dERwU27g29C8
security_token    <nil>
Common Issues and Troubleshooting
- Invalid Client Token ID: Ensure that the AWS credentials configured in Vault under aws/config/root are correct and have the IAM permissions needed to create and delete the users or roles Vault manages.
- NoSuchEntity Error: This indicates that the corresponding IAM user or role in AWS cannot be found, typically because it was deleted outside of Vault. Ensure the IAM user or role exists, or follow the steps above to clean up the stale leases.
Conclusion
Following these steps, you can resolve issues related to the AWS Secrets Engine in HCP Vault Dedicated, ensuring a clean and properly configured state. If you encounter further issues, please contact HashiCorp Support for assistance.