Introduction:
Following AWS SDK upgrades, users of Vault's AWS auth method are experiencing login failures. The root cause traces back to changes in how AWS STS handles region-scoped credentials, which lead to compatibility issues unless explicit region parameters are passed.
Problem:
Vault login attempts using the AWS auth method fail with a 403 error from STS when the region is not explicitly provided. This behavior is observed both via the CLI and application-level integrations after an AWS SDK upgrade.
Example CLI error:
$ vault login -token-only -method=aws role=vault-example region=us-west-2
Error authenticating: Error making API request.
URL: PUT https://vault.example.com/v1/auth/aws/login
Code: 400. Errors:
* error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<Error>
<Type>Sender</Type>
<Code>SignatureDoesNotMatch</Code>
<Message>Credential should be scoped to a valid region. </Message>
</Error>
<RequestId>f6fbd98b-2ddc-492a-8eb5-15904abcdfre47</RequestId>
</ErrorResponse>
Cause:
This issue is a result of changes in AWS STS, where regional endpoints are now required instead of relying on the global endpoint. The newer AWS SDK enforces stricter region validation during authentication, so a signature that is not scoped to a valid region is rejected with SignatureDoesNotMatch.
Solution:
To resolve the SignatureDoesNotMatch error, configure the Vault AWS auth method to use the correct STS region. You can enable the use_sts_region_from_client option in the aws/config/client settings, which tells Vault to respect the region provided in the login request.
Alternatively, you can explicitly set the sts_endpoint and sts_region parameters to define which AWS STS endpoint Vault should use for authentication. These configurations align with AWS SDK changes and ensure region-scoped credentials are properly validated.
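As an added example (not from the original article and not Vault's own code), the following Python triages the STS error body shown above and builds a consistent auth/aws/config/client payload, rejecting an sts_endpoint whose region disagrees with sts_region. The sample XML is constructed from the CLI output above with a placeholder request id, and the regional endpoint form https://sts.<region>.amazonaws.com is assumed (commercial partition).

```python
"""Triage a Vault AWS-auth 403 from STS and build a consistent config/client payload."""
import re
import xml.etree.ElementTree as ET
from typing import Optional

STS_NS = {"sts": "https://sts.amazonaws.com/doc/2011-06-15/"}
# Matches STS endpoints; group 1 is the region, absent for the global endpoint.
STS_ENDPOINT_RE = re.compile(r"^https://sts(?:\.([a-z]{2}(?:-[a-z]+)+-\d))?\.amazonaws\.com$")

# Constructed sample body, copied from the CLI error above (request id replaced by a placeholder).
SAMPLE_STS_ERROR = """<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<Error><Type>Sender</Type><Code>SignatureDoesNotMatch</Code>
<Message>Credential should be scoped to a valid region. </Message></Error>
<RequestId>REQUEST-ID-PLACEHOLDER</RequestId></ErrorResponse>"""


def parse_sts_error(body: str) -> dict:
    """Pull Code, Message and RequestId out of an STS ErrorResponse document."""
    root = ET.fromstring(body)
    return {
        "code": root.findtext("sts:Error/sts:Code", namespaces=STS_NS),
        "message": (root.findtext("sts:Error/sts:Message", namespaces=STS_NS) or "").strip(),
        "request_id": root.findtext("sts:RequestId", namespaces=STS_NS),
    }


def is_region_scope_error(err: dict) -> bool:
    """True when STS rejected the SigV4 signature because it was not scoped to a region."""
    return err["code"] == "SignatureDoesNotMatch" and "scoped to a valid region" in err["message"]


def client_config(sts_region: Optional[str] = None, sts_endpoint: Optional[str] = None,
                  use_sts_region_from_client: bool = False) -> dict:
    """Build the payload for `vault write auth/aws/config/client ...`.

    A global or mismatched endpoint is rejected, since signing for one region while
    calling another reproduces the SignatureDoesNotMatch failure after the fix.
    """
    if use_sts_region_from_client:
        # Vault signs against the region the client passes in the login request.
        return {"use_sts_region_from_client": True}
    if not sts_region:
        raise ValueError("sts_region is required unless use_sts_region_from_client is set")
    # Assumption: commercial-partition endpoint form https://sts.<region>.amazonaws.com.
    sts_endpoint = sts_endpoint or f"https://sts.{sts_region}.amazonaws.com"
    m = STS_ENDPOINT_RE.match(sts_endpoint)
    if not m:
        raise ValueError(f"not an STS endpoint: {sts_endpoint}")
    if m.group(1) != sts_region:
        raise ValueError(f"endpoint region {m.group(1)!r} does not match sts_region {sts_region!r}")
    return {"sts_endpoint": sts_endpoint, "sts_region": sts_region}
```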
Conclusion:
Changes introduced in AWS SDK v2 affect how regions are selected by default. When Vault is used with AWS IAM authentication, it now uses regional STS endpoints for authentication instead of the global STS endpoint. Referencing the AWS SDK documentation helps in understanding these changes and implementing proper region configuration to prevent authentication issues such as SignatureDoesNotMatch.
References:
AWS STS regional endpoint documentation