Vault removes created AWS IAM user with a valid lease when the ldap credential expires

[nshazly]

Describe the bug
LDAP is configured with a ttl of 5m and a max_tll of 1h and AWS engine is used to generate keys for an IAM user, the aws user is removed when the ldap token expires after 5m. The AWS engine is set to have a default ttl of 1h and a max of 8h.

To Reproduce
Steps to reproduce the behavior:

1. Configure the ldap/aws ttl's, enable the aws plugin

vault auth tune -max-lease-ttl=1h -default-lease-ttl=5m ldap 
vault secrets enable -path=aws-development-users \
    -description="Access consul-backup S3 bucket" \
    -default-lease-ttl="1h" \
    -max-lease-ttl="12h" \
    -plugin-name=aws aws
 * role setup
vault write aws/roles/mydevrole \
    credential_type=iam_user \
    user_path=/vault-users/ \
    policy_arns=arn:aws:iam:::policy/mypolicy
vault write aws-development-users/config/lease lease=1h lease_max=12h

2. Run vault login....

vault login -method=ldap username=testuser
#get the s3 keys
vault read aws/roles/mydevrole
OUTPUT:
Key                Value
lease_id           aws/creds/mydevrole/aKk2OaZKRQf8AumWSb1BA589
lease_duration     1h
lease_renewable    true
access_key         xxxxxxxxxxxxx
secret_key         xxxxxxxxxxxxxxxxxxx
security_token     <nil>

3. See error
   After 5 minutes, this user is removed from AWS. IF the ldap session is renewed, the user will stay. If the ldap token is revoked. The user is removed.
   Expected behavior
   The created s3 user should not be removed until the lease id expires. I expect this to be independent of the ldap token.

Environment:

• Vault Server Version (retrieve with vault status):

Key                      Value
Recovery Seal Type       shamir
Initialized              true
Sealed                   false
Total Recovery Shares    5
Threshold                3
Version                  1.4.3
Cluster Name             vault-cluster
Cluster ID               xxxxxxxxxxxxxxxxxxxxxxxxxxx
HA Enabled               true
HA Cluster               https://vault-1.vault-internal:8201
HA Mode                  standby
Active Node Address      https://10.206.25.190:8200

• Vault CLI Version (retrieve with vault version):
  v1.4.3
• Server Operating System/Architecture:
  Kubernetes, running in HA with Consul

Vault server configuration file(s):
ui = true

  listener "tcp" {
    tls_disable = "false"
    address = "[::]:8200"
    cluster_address = "[::]:8201"
    tls_cert_file = "/vault/userconfig/ingrooves/tls.crt"
    tls_key_file = "/vault/userconfig/ingrooves/tls.key"
    tls_client_ca_file = "/vault/userconfig/ingrooves/tls.crt"
  }
  storage "consul" {
    path = "vault/"
    address = "consul.ingrooves.com:443"
    scheme = "https"
    tls_ca_file = "/vault/userconfig/ingrooves/tls.crt"
    tls_key_file = "/vault/userconfig/ingrooves/tls.key"
    tls_cert_file = "/vault/userconfig/ingrooves/tls.crt"
    tls_skip_verify = "false"
    token = ""
    service = "vault"
  }

  seal "awskms" {
    region  = ""
    kms_key_id = ""
  }

# Paste your Vault config here.
# Be sure to scrub any sensitive values

Additional context
Add any other context about the problem here.

[royerhq]

+1
I have the same issue described above.
vault version = 1.4.3

[kalafut]

If the ldap token is revoked. The user is removed.

Hi. This is expected behavior. Please see https://www.vaultproject.io/docs/concepts/lease#lease-renew-and-revoke and https://www.vaultproject.io/docs/concepts/tokens#service-tokens-1

[nshazly]

Thanks for the documentation. That makes it clear. This setting was changed so that the UI would timeout and wouldnt be left open in users browsers. Is there another setting that can be changed to enforce that ?

[kalafut]

I'm not as familiar with the UI session handling. @noelledaley do you happen to know ^^^ ?

[royerhq]

@kalafut Thank you for the documentation. I am also sorry for my ignorance but the documentation, to me, didn't come across as, "this is intended behavior."

I see this as two separate settings one is for vault and another one for the AWS engine. So why would one affect the other? I have also noticed, that when I assume roles via vault, my vault LDAP setting has no impact, but it does when I create an IAM user, so the intended behavior doesn't seem to be consistent across the AWS engine.

That said, I am also interested in knowing if there is a way to terminate someones session from vault, without affecting anything else. Some of our users are not "tech savvy" so they use the UI more often. Extending their session in vault will leave their UI expose, as the session is cached in their browser. This means that anyone with access to their computer would now have access to vault's UI and generate any key they want.

[kalafut]

@royerhq The UI session timeout question is valid but I'll have to defer to others on that. I can speak to your other questions though.

The principle is one of a chain of authentication. The idea is that if a token is no longer valid, nor should any of the dynamic secrets issued using that token. If you leave the company and I vault token revoke your token, I can know that any AWS keys, DB creds, etc. that you might have taken with you are revoked too. This also works along the parent-child token chain. If a parent token is revoked, so are all of the child tokens, and any of their children/leases/secrets.

The assume-role case, as well as other short-lived tokens like GCP access tokens, is a little different. With these models there is an typically an expiration time enforced by the service and the tokens are not renewable nor revokeable (you can revoke them en masse by timestamp in AWS, but not individually IIRC). For this type of credential Vault doesn't create a lease.

[chrishoffman]

@kalafut There are no mechanisms other than the token to managed the UI session.

[nshazly]

Thanks, Ill close this ticket. I think it is worth looking into this issue in the context of the UI. The browser can store the session and the user doesnt need to reauthenticate to access secrets.