
AWS vault spring boot error making upstream request: received error code 403 from STS #885

@sebastianreloaded

Hello,
I use Vault v1.17.5 and org.springframework.vault:spring-vault-core:3.1.2.

When using kv_v1 secrets I get an error after 6 hours and I don't know why.
Until the 6-hour mark the kv secrets are refreshed regularly, and auth/token/renew-self
and auth/aws-iam/login are called successfully every hour.

But after 6 hours I get "error making upstream request: received error code 403 from STS: The security token included in the request is expired":

{
    "auth": {
        "policy_results": {
            "allowed": true
        },
        "token_type": "default"
    },
    "request": {
        "data": {
            "iam_http_request_method": "POST",
            "iam_request_body": "QWNwNi0xNQ==",
            "iam_request_headers": "eyJBdJdfQ==",
            "iam_request_url": "aHR0vbS8=",
            "role": "studiomiddleware-api-dev"
        },
        "id": "1bf4dec9-203d-64b7-faa7-72abdcd5316f",
        "mount_accessor": "auth_aws_ec607cf2",
        "mount_class": "auth",
        "mount_point": "auth/aws-iam/",
        "mount_running_version": "v1.17.5+builtin.vault",
        "mount_type": "aws",
        "namespace": {
            "id": "root"
        },
        "operation": "update",
        "path": "auth/aws-iam/login",
        "remote_address": "10.61.72.126",
        "remote_port": 57848
    },
    "response": {
        "data": {
            "error": "error making upstream request: received error code 403 from STS: <ErrorResponse xmlns=\"https://sts.amazonaws.com/doc/2011-06-15/\">\n  <Error>\n    <Type>Sender</Type>\n    <Code>ExpiredToken</Code>\n    <Message>The security token included in the request is expired</Message>\n  </Error>\n  <RequestId>52673536-1adc-4942-b253-7e09ed4d24aa</RequestId>\n</ErrorResponse>\n"
        },
        "mount_accessor": "auth_aws_ec607cf2",
        "mount_class": "auth",
        "mount_point": "auth/aws-iam/",
        "mount_running_plugin_version": "v1.17.5+builtin.vault",
        "mount_type": "aws"
    },
    "time": "2024-09-20T17:47:55.325205678Z",
    "type": "response"
}

This doesn't correspond to the TTL of the "aws-iam" auth backend, which is set to 3 hours, nor to the role's STS 1-hour maximum TTL.

I don’t understand where this 6 hour expiration comes from.
Anybody have an idea?
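As an added example (not part of this issue, of Vault or of Spring Vault): a small Python scan over Vault JSON audit entries of the shape quoted above, which flags aws auth logins whose failure was relayed from STS, pulls the STS error code out of the embedded XML, and measures how long after the last successful login for the same mount and role the failure appeared. The sample entries are constructed and trimmed to the fields the scanner reads.

```python
import json
import re
from datetime import datetime, timezone

STS_CODE_RE = re.compile(r"<Code>([A-Za-z]+)</Code>")

def _entry(ts, error=None):
    """Constructed Vault audit 'response' entry for an aws-iam login (only the fields read below)."""
    return json.dumps({"type": "response", "time": ts,
                       "request": {"path": "auth/aws-iam/login", "mount_type": "aws",
                                   "mount_point": "auth/aws-iam/", "data": {"role": "studiomiddleware-api-dev"}},
                       "response": {"data": {"error": error} if error else {}}})

# Constructed sample log: a successful login, then the STS 403 six hours later.
SAMPLE_AUDIT_LINES = [
    _entry("2024-09-20T11:47:55.100000000Z"),
    _entry("2024-09-20T17:47:55.325205678Z",
           "error making upstream request: received error code 403 from STS: <ErrorResponse>"
           "<Error><Type>Sender</Type><Code>ExpiredToken</Code><Message>The security token "
           "included in the request is expired</Message></Error></ErrorResponse>"),
]

def parse_time(ts):
    """Vault writes RFC 3339 with nanoseconds; keep whole seconds, as UTC."""
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def scan_audit_log(lines):
    """One finding per aws auth login whose error was relayed from STS, with the STS code
    and the hours since the last successful login seen for the same mount and role."""
    last_ok, findings = {}, []
    for line in lines:
        entry = json.loads(line)
        req = entry.get("request", {})
        if entry.get("type") != "response" or req.get("mount_type") != "aws" \
                or not req.get("path", "").endswith("/login"):
            continue  # only login responses on aws auth mounts matter here
        key = (req.get("mount_point"), req.get("data", {}).get("role"))
        when = parse_time(entry["time"])
        error = entry.get("response", {}).get("data", {}).get("error")
        if not error:
            last_ok[key] = when  # successful login: the AWS credentials were still valid
            continue
        if "from STS" not in error:
            continue  # other login failures (unknown role, policy) are not STS problems
        code = STS_CODE_RE.search(error)
        prev = last_ok.get(key)
        findings.append({"time": entry["time"], "mount_point": key[0], "role": key[1],
                         "sts_code": code.group(1) if code else "unknown",
                         "hours_since_last_success": (when - prev).total_seconds() / 3600 if prev else None})
    return findings
```

Run it over a real audit device's JSON output (one entry per line) to see whether the STS failures line up with a fixed interval after the credentials used for the IAM login were issued.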
