EC2AWSAuthMethodInfo incorrectly serializes identity/signature as null, causing Vault EC2 auth to fail when using PKCS7-only mode #390

@QzLP2P

Description

When using EC2 AWS authentication with PKCS7-only mode, the EC2AWSAuthMethodInfo class always serializes the identity and signature fields as null instead of omitting them. Vault rejects these null fields because it expects identity to be a valid Base64-encoded string when present. As a result, authentication fails with the error: "failed to base64 decode the instance identity document".

This makes PKCS7-only authentication impossible when using EC2AWSAuthMethodInfo in VaultSharp.

VaultSharp Version
1.17.5.1 (NuGet)

Vault Version
Vault OSS 1.17.x (server using AWS EC2 auth method)

Does this work with Vault CLI?
Yes.
Using the Vault CLI, the following payload works correctly:

vault write auth/aws/login pkcs7="$PKCS7" role="my-role"

This proves that PKCS7-only authentication works on the server side.

Sample Code Snippet

var authMethod = new EC2AWSAuthMethodInfo(
    mountPoint: "aws",
    pkcs7: cleanedPkcs7,
    identity: null,
    signature: null,
    nonce: null,
    roleName: "my-ec2-role"
);

var settings = new VaultClientSettings(vaultUrl, authMethod);
var client = new VaultClient(settings);

var token = await client.V1.Auth.PerformLoginAsync();

Even though identity and signature are explicitly passed as null, VaultSharp serializes the request as:

{
  "pkcs7": "MIAGCSqG....",
  "identity": null,
  "signature": null,
  "nonce": null,
  "role": "my-ec2-role"
}

Vault then rejects the request.

Exception Details/Stack Trace/Error Message

"errors":[
   "failed to base64 decode the instance identity document"
]

Server returns HTTP 400.

Full stack trace example:

VaultSharp.Core.VaultApiException: {"errors":["failed to base64 decode the instance identity document"]}
at VaultSharp.Core.Polymath.MakeRequestAsync...
at VaultSharp.V1.AuthMethods.AWS.AWSAuthMethodLoginProvider.GetVaultTokenAsync()

Any additional info:

  • The AWS EC2 auth method supports two mutually exclusive modes:
      1. PKCS7-only mode (pkcs7 present, no identity, no signature)
      2. Identity+Signature mode (identity and signature must both be valid Base64)
  • VaultSharp currently always serializes the identity and signature fields, even when set to null.
    This makes PKCS7-only mode impossible.

Adding either of the following fixes the issue:

  • [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
  • [JsonIgnore] on both Identity and Signature properties when pkcs7 is used

As a temporary workaround, a custom implementation of IAuthMethodInfo, or a class that inherits from AbstractAWSAuthMethodInfo, must be created to ensure that only the pkcs7 field is serialized without identity or signature.

A fix in VaultSharp would allow PKCS7-only EC2 auth to work properly.
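The following is an added example written for this page; it is not VaultSharp's or HashiCorp's code. It reproduces the serialization difference the report describes with System.Text.Json directly, showing the two fixes the report proposes (a per-property [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)] and, as a serializer-wide alternative, DefaultIgnoreCondition) next to the naive shape that writes "identity": null. Ec2LoginRequest, Ec2LoginRequestNaive, Ec2LoginDemo and ValidateMode are hypothetical names chosen for the example; the JSON field names are the auth/aws/login parameters used above, and the pkcs7 value is a constructed placeholder, not a real instance identity document.

```csharp
// Added example, not VaultSharp's code. Type and method names are hypothetical;
// only the JSON field names (pkcs7, identity, signature, nonce, role) come from
// the Vault auth/aws/login parameters used in the report.
using System;
using System.Text.Json;
using System.Text.Json.Serialization;

// Request shape with the per-property fix: a null property is omitted from the
// payload instead of being written as "identity": null, so Vault never tries to
// base64-decode a null identity in PKCS7-only mode.
public sealed class Ec2LoginRequest
{
    [JsonPropertyName("pkcs7")]
    public string? Pkcs7 { get; set; }

    [JsonPropertyName("identity")]
    [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
    public string? Identity { get; set; }

    [JsonPropertyName("signature")]
    [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
    public string? Signature { get; set; }

    [JsonPropertyName("nonce")]
    [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
    public string? Nonce { get; set; }

    [JsonPropertyName("role")]
    public string? Role { get; set; }
}

// The same shape with no ignore attributes: the behaviour the report describes,
// where every null property is serialized as "name": null.
public sealed class Ec2LoginRequestNaive
{
    [JsonPropertyName("pkcs7")] public string? Pkcs7 { get; set; }
    [JsonPropertyName("identity")] public string? Identity { get; set; }
    [JsonPropertyName("signature")] public string? Signature { get; set; }
    [JsonPropertyName("nonce")] public string? Nonce { get; set; }
    [JsonPropertyName("role")] public string? Role { get; set; }
}

public static class Ec2LoginDemo
{
    // Client-side guard mirroring the two mutually exclusive modes: either pkcs7
    // alone, or identity and signature together. Failing here gives a clear
    // error instead of an HTTP 400 from Vault after the request is sent.
    public static void ValidateMode(string? pkcs7, string? identity, string? signature)
    {
        bool pkcs7Mode = !string.IsNullOrEmpty(pkcs7);
        bool identityMode = !string.IsNullOrEmpty(identity) && !string.IsNullOrEmpty(signature);
        if (pkcs7Mode == identityMode)
            throw new ArgumentException("Supply either pkcs7 alone, or both identity and signature.");

        if (identityMode)
        {
            // Vault base64-decodes identity, so check it is valid base64 up front.
            var buffer = new byte[identity!.Length];
            if (!Convert.TryFromBase64String(identity, buffer, out _))
                throw new ArgumentException("identity must be a base64-encoded string.");
        }
    }

    public static void Main()
    {
        // Constructed placeholder; a real value is the PKCS7 document read from
        // the EC2 instance metadata service.
        const string pkcs7 = "MIAGCSqG....";
        ValidateMode(pkcs7, identity: null, signature: null);

        // 1. Naive type, default options: identity/signature/nonce are written as null.
        var naive = new Ec2LoginRequestNaive { Pkcs7 = pkcs7, Role = "my-ec2-role" };
        Console.WriteLine(JsonSerializer.Serialize(naive));

        // 2. Same naive type, serializer-wide option: null properties are omitted.
        var omitNulls = new JsonSerializerOptions
        {
            DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull
        };
        Console.WriteLine(JsonSerializer.Serialize(naive, omitNulls));

        // 3. Attributed type, default options: null properties are omitted per property.
        var fixedRequest = new Ec2LoginRequest { Pkcs7 = pkcs7, Role = "my-ec2-role" };
        Console.WriteLine(JsonSerializer.Serialize(fixedRequest));
    }
}
```

Run Main under any .NET SDK that ships System.Text.Json (6.0 or later). The first line printed carries the null-valued identity, signature and nonce keys that trigger the "failed to base64 decode the instance identity document" error; the second and third carry only pkcs7 and role, which is the payload the Vault CLI sends in the report. The serializer-wide option is the smaller change when the serializer options are under your control; the per-property attribute is the one to use when, as in a library like VaultSharp, the options are shared with other request types.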
