Error when authenticating using the aws-sdk and vault gems

Time: 2017-02-23 18:34:50

Tags: ruby amazon-web-services hashicorp-vault

I am using the aws-sdk for ruby and vault-ruby for a proof-of-concept script. Here is the code:

#!/usr/bin/env ruby

require 'vault'
require 'pp'
require 'trollop'
require 'aws-sdk'

opts = Trollop::options do
  opt :verify_ssl, "verify ssl connection"
  opt :address, "Vault Address", :type => :string, :default => "http://localhost:8200"
  opt :username, "Username to authenticate against Vault", :type => :string
  opt :password, "Password to authenticate against Vault", :default => ENV['VAULT_PASSWORD'], :type => :string
end

Trollop::die :username, "please supply a username" if ! opts[:username]
Trollop::die :password, "please supply a password" if ! opts[:password]


# Configure vault
Vault.configure do |config|
  config.address = opts[:address]
  config.ssl_verify = opts[:verify_ssl]
end

Vault.auth.userpass(opts[:username], opts[:password])

aws = Vault.logical.read("aws/creds/readonly")

@client = Aws::EC2::Client.new(access_key_id: aws.data[:access_key].to_s, secret_access_key: aws.data[:secret_key].to_s, region: 'us-west-2')
pp @client.describe_instances

Very simple. It authenticates to Vault with a username and password, retrieves credentials from the AWS secret backend, and then tries to list instances.

However, when I run it, I get the following problem:

/Users/l/.rvm/gems/ruby-2.3.1/gems/aws-sdk-core-2.7.13/lib/seahorse/client/plugins/raise_response_errors.rb:15:in `call': AWS was not able to validate the provided access credentials (Aws::EC2::Errors::AuthFailure)
    from /Users/l/.rvm/gems/ruby-2.3.1/gems/aws-sdk-core-2.7.13/lib/aws-sdk-core/plugins/idempotency_token.rb:18:in `call'
    from /Users/l/.rvm/gems/ruby-2.3.1/gems/aws-sdk-core-2.7.13/lib/aws-sdk-core/plugins/param_converter.rb:20:in `call'
    from /Users/l/.rvm/gems/ruby-2.3.1/gems/aws-sdk-core-2.7.13/lib/aws-sdk-core/plugins/response_paging.rb:26:in `call'
    from /Users/l/.rvm/gems/ruby-2.3.1/gems/aws-sdk-core-2.7.13/lib/seahorse/client/plugins/response_target.rb:21:in `call'
    from /Users/l/.rvm/gems/ruby-2.3.1/gems/aws-sdk-core-2.7.13/lib/seahorse/client/request.rb:70:in `send_request'
    from /Users/l/.rvm/gems/ruby-2.3.1/gems/aws-sdk-core-2.7.13/lib/seahorse/client/base.rb:207:in `block (2 levels) in define_operation_methods'
    from aws.rb:33:in `<main>'

This makes no sense. If I print the credentials it created with:

puts aws.data[:access_key]

and then modify the connection so that the information is hard-coded:

@client = Aws::EC2::Client.new(access_key_id: "access_key", secret_access_key: "secret_key" ,region: 'us-west-2')

it works without any problem at all!

Why is this?

0 answers:

No answers
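An added example, not code from the question above. The Vault AWS secrets engine documentation notes that freshly created IAM credentials are eventually consistent and can be rejected by AWS for a few seconds after they are issued, which matches the symptom of the same key working when pasted in later. The snippet below wraps the first call on newly issued credentials in a bounded retry with backoff; `FakeEC2Client` and `FakeAuthFailure` are constructed stand-ins for `Aws::EC2::Client` and `Aws::EC2::Errors::AuthFailure` so it runs offline.

```ruby
# Stand-in for Aws::EC2::Errors::AuthFailure (constructed, not the SDK class).
class FakeAuthFailure < StandardError; end

# Constructed client: rejects the first +failures+ calls the way AWS does
# while a newly created IAM access key is still propagating, then succeeds.
class FakeEC2Client
  attr_reader :calls

  def initialize(failures)
    @failures = failures
    @calls = 0
  end

  def describe_instances
    @calls += 1
    if @calls <= @failures
      raise FakeAuthFailure, "AWS was not able to validate the provided access credentials"
    end
    { reservations: [] }
  end
end

# Run the block, retrying on +error_class+ with exponential backoff.
# Returns the block's value; re-raises the error once +max_attempts+ is reached
# so a genuinely bad credential still surfaces instead of looping forever.
def with_auth_retry(error_class, max_attempts: 5, base_delay: 1.0)
  attempt = 0
  begin
    attempt += 1
    yield
  rescue error_class
    raise if attempt >= max_attempts
    sleep(base_delay * (2**(attempt - 1))) # 1s, 2s, 4s, ... between tries
    retry
  end
end

# First EC2 call made with credentials that were just issued by Vault.
# With the real SDK, pass an Aws::EC2::Client and Aws::EC2::Errors::AuthFailure.
def describe_with_retry(client, error_class = FakeAuthFailure, max_attempts: 5, base_delay: 1.0)
  with_auth_retry(error_class, max_attempts: max_attempts, base_delay: base_delay) do
    client.describe_instances
  end
end

if __FILE__ == $PROGRAM_NAME
  client = FakeEC2Client.new(2) # constructed: two rejections, then success
  p describe_with_retry(client, base_delay: 0.0)
end
```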