
Vault fails to refresh AWS STS credentials from Roles Anywhere, causing AWS KMS auto-unseal and snapshot operations to break after token expiration #31625

@draculacowboy83

Description


Describe the bug
When using AWS Roles Anywhere for Vault auto-unseal with AWS KMS, Vault fails to refresh temporary STS credentials obtained via aws_signing_helper.

After approximately one hour (the default STS token lifetime), Vault logs the following error and can no longer perform KMS operations:

The security token included in the request is expired

To Reproduce
Steps to reproduce the behavior:

  1. Configure Vault to use AWS KMS auto-unseal:
seal "awskms" {
  region     = "eu-west-3"
  # placeholder; a real KMS key ARN carries the region after "kms:", i.e. arn:aws:kms:<region>:<account>:key/<key-id>
  kms_key_id = "arn:aws:kms:eu-west-3:123456789012:key/abcd-efgh-ijkl"
}
  2. Use an external wrapper script to generate temporary credentials via AWS Roles Anywhere (for example):
#!/usr/bin/env bash
# Mint temporary STS credentials through Roles Anywhere once, at startup,
# export them as static environment variables, then hand off to Vault.
set -euo pipefail

AWS_CREDS_JSON=$(aws_signing_helper credential-process \
  --certificate /etc/pki/vault/vault.crt \
  --private-key /etc/pki/vault/vault.key \
  --trust-anchor-arn arn:aws:rolesanywhere:eu-west-3:123456789012:trust-anchor/abcd1234 \
  --profile-arn arn:aws:rolesanywhere:eu-west-3:123456789012:profile/vault-profile \
  --role-arn arn:aws:iam::123456789012:role/vault-unseal-role \
  --duration-seconds 3600)

# The JSON also carries an Expiration timestamp, but only the three key fields
# are exported, so nothing in Vault's environment changes when the session expires.
# Assign first, then export, so a jq failure (jq -e exits non-zero on null) aborts the script.
AWS_ACCESS_KEY_ID=$(echo "$AWS_CREDS_JSON" | jq -er .AccessKeyId)
AWS_SECRET_ACCESS_KEY=$(echo "$AWS_CREDS_JSON" | jq -er .SecretAccessKey)
AWS_SESSION_TOKEN=$(echo "$AWS_CREDS_JSON" | jq -er .SessionToken)
AWS_REGION=eu-west-3
export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_REGION

exec vault server -config=/etc/vault.d/config.hcl
  3. Start Vault.
  4. Wait for approximately one hour (until STS credentials expire, max 12 hours).
  5. Observe Vault logs:
[WARN]  core.autoseal: seal wrapper health check failed: seal_name=awskms
[707967]:   err=
[707967]:   | failed to encrypt test value, seal wrapper may be unreachable: error encrypting data: ExpiredTokenException: The security token included in the request is expired
[707967]:   | \tstatus code: 400, request id: ********
  6. Some operations, like snapshot, also fail:
[707967]: 2025-10-31T16:56:48.496+0100 [INFO]  storage.raft: starting snapshot up to: index=4707358
[707967]: 2025-10-31T16:56:48.498+0100 [INFO]  storage.raft: compacting logs: from=4696846 to=4697118
[707967]: 2025-10-31T16:56:48.501+0100 [INFO]  storage.raft: snapshot complete up to: index=4707358
[707967]: 2025-10-31T16:56:49.127+0100 [WARN]  error encrypting with seal: seal=awskms
[707967]: 2025-10-31T16:56:49.127+0100 [ERROR] failed to encrypt value using any seal wrappers

Expected behavior
Vault should detect that AWS STS credentials have expired and automatically refresh them (or reinitialize the AWS SDK session), allowing continuous access to AWS KMS for auto-unseal.

At minimum, Vault should support credential refresh via credential_process or another mechanism compatible with AWS Roles Anywhere.

Environment:
• Vault Server Version (retrieve with vault status): 1.20.x Enterprise
• Vault CLI Version (retrieve with vault version): 1.20.x
• Server Operating System/Architecture: RHEL 9 (on-premises, behind F5)
• Deployment: on-premise, credentials generated via wrapper script using aws_signing_helper (Roles Anywhere)

seal "awskms" {
  region     = "eu-west-3"
  # placeholder; a real KMS key ARN carries the region after "kms:", i.e. arn:aws:kms:<region>:<account>:key/<key-id>
  kms_key_id = "arn:aws:kms:eu-west-3:123456789012:key/abcd-efgh-ijkl"
}

Additional context
• Vault seems to use AWS SDK for Go v1, which calls session.NewSession() and does not enable SharedConfigState, so it does not read ~/.aws/config or invoke credential_process.
• Because of this, Vault cannot automatically renew credentials obtained from AWS Roles Anywhere (aws_signing_helper).
• Once the STS session expires (depends on configuration, max 12 hours), Vault fails all AWS KMS operations until it is restarted.
• This issue does not affect environments using IAM instance roles (EC2/EKS), as the AWS metadata service automatically refreshes credentials.
• In on-premises deployments, a wrapper script is used at startup to call aws_signing_helper and export the AWS credentials before launching Vault.
• This also impacts any operation that internally uses AWS KMS (e.g. vault operator snapshot save), not just unseal.
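The refresh behaviour the report asks for, as an added example that is not Vault's code, go-kms-wrapping's, or the reporter's: a small credential provider that consumes the JSON a `credential_process` program prints (the documented AWS contract: `Version`, `AccessKeyId`, `SecretAccessKey`, `SessionToken`, optional `Expiration`, which is what `aws_signing_helper credential-process` emits) and re-runs the process once the cached credentials are within a safety window of `Expiration`, rather than exporting one token at startup and using it forever. With AWS SDK for Go v1 this logic would sit behind the `credentials.Provider` interface (`Retrieve`/`IsExpired`); the example stays on the standard library so it runs without the SDK. `CommandFetcher` shows how the real `aws_signing_helper` invocation would plug in; `fakeFetcher`, the fixed clock, the key ids and the 5-minute window in `Demo` are constructed test inputs, not values from the report.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os/exec"
	"sync"
	"time"
)

// ProcessCredentials is the JSON document a credential_process program prints.
// Expiration is optional in that contract; when absent (zero) the credentials
// are treated as non-expiring (long-lived keys).
type ProcessCredentials struct {
	Version         int       `json:"Version"`
	AccessKeyID     string    `json:"AccessKeyId"`
	SecretAccessKey string    `json:"SecretAccessKey"`
	SessionToken    string    `json:"SessionToken"`
	Expiration      time.Time `json:"Expiration"`
}

// ParseProcessCredentials validates credential_process output before it is trusted.
func ParseProcessCredentials(raw []byte) (*ProcessCredentials, error) {
	var c ProcessCredentials
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("credential_process output is not valid JSON: %w", err)
	}
	if c.Version != 1 {
		return nil, fmt.Errorf("unsupported credential_process Version %d (want 1)", c.Version)
	}
	if c.AccessKeyID == "" || c.SecretAccessKey == "" {
		return nil, errors.New("credential_process output is missing AccessKeyId or SecretAccessKey")
	}
	return &c, nil
}

// Fetcher runs the credential process and returns its stdout.
type Fetcher func() ([]byte, error)

// CommandFetcher wraps a real command, e.g.
// CommandFetcher("aws_signing_helper", "credential-process", "--certificate", ...).
func CommandFetcher(name string, args ...string) Fetcher {
	return func() ([]byte, error) { return exec.Command(name, args...).Output() }
}

// RefreshingProvider caches credentials and re-runs the fetcher once they are
// within `window` of Expiration, so callers never hand an expired token to KMS.
type RefreshingProvider struct {
	fetch  Fetcher
	window time.Duration
	now    func() time.Time // injectable clock
	mu     sync.Mutex
	cached *ProcessCredentials
}

func NewRefreshingProvider(f Fetcher, window time.Duration) *RefreshingProvider {
	return &RefreshingProvider{fetch: f, window: window, now: time.Now}
}

// needsRefresh reports whether the cache is empty or inside the expiry window.
func (p *RefreshingProvider) needsRefresh() bool {
	if p.cached == nil {
		return true
	}
	if p.cached.Expiration.IsZero() {
		return false // no Expiration: static credentials, never refreshed
	}
	return !p.now().Before(p.cached.Expiration.Add(-p.window))
}

// Retrieve returns usable credentials, refreshing them when required.
func (p *RefreshingProvider) Retrieve() (ProcessCredentials, error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	if p.needsRefresh() {
		raw, err := p.fetch()
		if err != nil {
			return ProcessCredentials{}, fmt.Errorf("running credential_process: %w", err)
		}
		c, err := ParseProcessCredentials(raw)
		if err != nil {
			return ProcessCredentials{}, err
		}
		p.cached = c
	}
	return *p.cached, nil
}

// fakeFetcher is a constructed stand-in for aws_signing_helper: each call mints
// a fresh 1h credential set (the STS default lifetime from the report).
func fakeFetcher(clock func() time.Time, calls *int) Fetcher {
	return func() ([]byte, error) {
		*calls++
		return json.Marshal(ProcessCredentials{
			Version: 1, AccessKeyID: fmt.Sprintf("ASIAEXAMPLE%03d", *calls),
			SecretAccessKey: "secret", SessionToken: "token",
			Expiration: clock().Add(time.Hour),
		})
	}
}

// Demo retrieves credentials at t=0 (fetch), t=30m (cached) and t=58m (inside the
// 5m window, refetch) and returns how often the credential process ran.
func Demo() (int, error) {
	t0 := time.Date(2025, 10, 31, 16, 0, 0, 0, time.UTC)
	now, calls := t0, 0
	clock := func() time.Time { return now }
	p := NewRefreshingProvider(fakeFetcher(clock, &calls), 5*time.Minute)
	p.now = clock
	for _, offset := range []time.Duration{0, 30 * time.Minute, 58 * time.Minute} {
		now = t0.Add(offset)
		if _, err := p.Retrieve(); err != nil {
			return calls, err
		}
	}
	return calls, nil
}

func main() {
	n, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("credential_process invoked %d times\n", n) // 2
}
```

The safety window matters in practice: a credential that is technically valid at retrieval time can still expire mid-request (the snapshot encryption in the log above runs several KMS calls), so refreshing a few minutes early avoids the `ExpiredTokenException` race without restarting the process.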
