These are python 2 and 3 snippets showing how to generate headers to authenticate with HashiCorp's Vault using the AWS authentication method. There's also a Ruby implementation which uses version 3 of the AWS SDK for Ruby.
The python scripts look for credentials in the
default boto3 locations;
if you need to supply custom credentials (such as from an AssumeRole
call), you would use the
botocore.session.set_credentials
method before calling create_client
.
The ruby script looks for credentials from the default SDK locations.
Thanks to @copumpkin for much of the original python 2 implementation (provided privately) on which this was based.
Thanks to @stark525 for starting the python 3 port, on which the python 3 implementation is based.
The problem with using boto is that it hides how boto generates the signature!
Understanding how the signature is generated is key if you are not using boto!
From the script below, you need extract the sig 4 headers and pass them in the iam_request_headers sent to vault (see at the bottom)
like this
also remember to modify the code above when you are using the additional and strongly-recommended header seen in boto code