Unable to vault AWS Access Key.
search cancel

Unable to vault AWS Access Key.

book

Article ID: 374693

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

The problem was identified when an error message appeared: "Unable to vault AWS Access Key. Error: PAM-CM-3391: AWS Key Pair can be changed only by random generation."

This is observed for AWS keys associated with users using IAM/paths

Cause

The issue arose due to the account being created/moved to a custom "user" path.

PAM tomcat logs:

2024-07-26T19:41:43.435+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.AwsAccessCredentialsTargetManager] com.cloakware.cspm.server.plugin.targetmanager.AwsAccessCredentialsTargetManager.verifyCredentials AWS Credential Type: SECRET_ACCESS_KEY
2024-07-26T19:41:43.436+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.AwsAccessCredentialsTargetManager] com.cloakware.cspm.server.plugin.targetmanager.AwsAccessCredentialsTargetManager.verifyCredentials AWS Cloud Type: commercial
WARN | SSL Certificate checking for endpoints has been explicitly disabled.
2024-07-26T19:41:43.723+0000 SEVERE [TP16] com.cloakware.cspm.server.app.impl.AddTargetAccountCmd.invoke AddTargetAccountCmd.invoke 6132: AwsAccessCredentialsTargetManager.updateCredentials. User tried to change the username and password without using a password generation.
com.cloakware.cspm.server.app.ApplicationException: AwsAccessCredentialsTargetManager.updateCredentials. User tried to change the username and password without using a password generation.
  at com.cloakware.cspm.server.plugin.targetmanager.AwsAccessCredentialsTargetManager.updateCredentials(AwsAccessCredentialsTargetManager.java:106)
  at com.cloakware.cspm.server.app.TargetManager.performUpdateLegacy(TargetManager.java:913)
  at com.cloakware.cspm.server.app.TargetManager.performUpdate(TargetManager.java:878)
  at com.cloakware.cspm.server.app.TargetManager.run(TargetManager.java:780)

Cloud Trail/AWS region/events showing:

  "errorCode": "AccessDenied",
    "errorMessage": "User: XXX:aws:iam::9999999999999:user/XXX/”user account” is not authorized to perform: iam:DeleteAccessKey on resource: user nulluseraccount because no identity-based policy allows the iam:DeleteAccessKey action",

Resolution

AWS admin updated the policy for the user to include any path and that appears to be working for them. This policy is what is the minimum needed to add/rotate AWS Access Credentials now.

{

    "Version": "2012-10-17",

    "Statement": [

        {

            "Effect": "Allow",

            "Action": [

                "iam:ListUsers",

                "iam:GetAccountSummary"

            ],

            "Resource": "*"

        },

        {

            "Effect": "Allow",

            "Action": [

                "iam:*AccessKey*",

                "iam:GetUser"

            ],

            "Resource": [

                "arn:aws:iam::*:user/${aws:username}",

                "arn:aws:iam::*:user/*/${aws:username}"

            ]

        }

    ]

}

Powered by Wolken Software