Description
Hi, I am calling vault-lambda-extension version 23.
It works perfectly when VAULT_AUTH_ROLE and the Lambda function execution role are the same.
I am using it with external VAULT.
When I set up VAULT_ASSUMED_ROLE_ARN it stops working. Error log is below.
```
INIT_START Runtime Version: python:3.13.v50 Runtime Version ARN: arn:aws:lambda:eu-central-1::runtime:83a0b29e480e14176225231a6e561282aa7732a24063ebab771b15e4c1a2c71c
2025-07-29T13:09:35.783Z [INFO] Starting Vault Lambda Extension 0.0.0-dev
2025-07-29T13:09:35.783Z [INFO] vault-lambda-extension: Initialising
2025-07-29T13:09:35.783Z [DEBUG] vault-lambda-extension.vault-client: fetching token
2025-07-29T13:09:35.783Z [DEBUG] vault-lambda-extension.vault-client: authenticating to Vault
2025-07-29T13:09:35.783Z [DEBUG] vault-lambda-extension.vault-client: Trying to assume role with arn of VVVVVVVVVVVVVVVVV to authenticate with Vault
EXTENSION Name: vault-lambda-extension State: Started Events: []
INIT_REPORT Init Duration: 9999.76 ms Phase: init Status: timeout
2025-07-29T13:09:45.788Z [INFO] Starting Vault Lambda Extension 0.0.0-dev
2025-07-29T13:09:45.788Z [INFO] vault-lambda-extension: Initialising
2025-07-29T13:09:45.788Z [DEBUG] vault-lambda-extension.vault-client: fetching token
2025-07-29T13:09:45.788Z [DEBUG] vault-lambda-extension.vault-client: authenticating to Vault
2025-07-29T13:09:45.788Z [DEBUG] vault-lambda-extension.vault-client: Trying to assume role with arn of VVVVVVVVVVVVVVVVV to authenticate with Vault
EXTENSION Name: vault-lambda-extension State: Started Events: []
INIT_REPORT Init Duration: 3000.53 ms Phase: invoke Status: timeout
START RequestId: b334b05c-5fcf-4347-b299-b4fcfa9a2282 Version: $LATEST
END RequestId: b334b05c-5fcf-4347-b299-b4fcfa9a2282
REPORT RequestId: b334b05c-5fcf-4347-b299-b4fcfa9a2282 Duration: 3000.00 ms Billed Duration: 3000 ms Memory Size: 128 MB Max Memory Used: 26 MB Status: timeout
```
I suppose it is calling https://github.com/hashicorp/vault-lambda-extension/blob/main/internal/vault/client.go
I see "Trying to assume role with arn of" from the code below, but it is followed neither by an error message nor by "Assumed role successfully".
```go
c.logger.Debug(fmt.Sprintf("Trying to assume role with arn of %s to authenticate with Vault", roleToAssumeArn))
sessionName := "vault_auth"
result, err := c.stsSvc.AssumeRole(&sts.AssumeRoleInput{
	RoleArn:         &roleToAssumeArn,
	RoleSessionName: &sessionName,
})
if err != nil {
	return fmt.Errorf("failed to assume role with arn of %s %w", roleToAssumeArn, err)
}
c.logger.Debug(fmt.Sprintf("Assumed role successfully with token expiration time: %s ", result.Credentials.Expiration.String()))
```
Can you have a look at it and advise me where to find the error message? Thanks a lot.
Log from a successful run without VAULT_ASSUMED_ROLE_ARN
```
2025-07-29T13:21:01.476Z [DEBUG] vault-lambda-extension: initialising proxy mode
2025-07-29T13:21:01.476Z [DEBUG] vault-lambda-extension: proxy mode initialised in 205.559µs
2025-07-29T13:21:01.476Z [INFO] vault-lambda-extension: Initialised in 1.21634105s
2025-07-29T13:21:01.476Z [INFO] vault-lambda-extension: Starting HTTP proxy server
6de3d498-ff92-43fa-a63a-ea16e72ebdbc2025-07-29T13:21:01.478Z [INFO] vault-lambda-extension: Waiting for event...
Loading function
EXTENSION Name: vault-lambda-extension State: Ready Events: [INVOKE, SHUTDOWN]
2025-07-29T13:21:34.165Z [INFO] vault-lambda-extension: Received event
2025-07-29T13:21:34.165Z [INFO] vault-lambda-extension: Received shutdown event, exiting
2025-07-29T13:21:34.165Z [INFO] vault-lambda-extension: Graceful shutdown complete
```
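The pattern reported in this issue, checked mechanically over the log lines: an added example, not part of the original post or of the project's code. `Attempt`, `Stalled` and `Analyze` are hypothetical names, and it assumes a returned error would show up in the log with the "failed to assume role" text from the quoted snippet.

```go
package main

import (
	"fmt"
	"strings"
)

// Excerpt trimmed from the failing log in the issue (role ARN masked as posted).
const failingLog = `2025-07-29T13:09:35.783Z [INFO] Starting Vault Lambda Extension 0.0.0-dev
2025-07-29T13:09:35.783Z [DEBUG] vault-lambda-extension.vault-client: Trying to assume role with arn of VVVVVVVVVVVVVVVVV to authenticate with Vault
INIT_REPORT Init Duration: 9999.76 ms Phase: init Status: timeout
2025-07-29T13:09:45.788Z [INFO] Starting Vault Lambda Extension 0.0.0-dev
2025-07-29T13:09:45.788Z [DEBUG] vault-lambda-extension.vault-client: Trying to assume role with arn of VVVVVVVVVVVVVVVVV to authenticate with Vault
INIT_REPORT Init Duration: 3000.53 ms Phase: invoke Status: timeout`

// Attempt summarises one extension start-up (hypothetical type for this example).
type Attempt struct{ AssumeStarted, AssumeReturned, InitTimedOut bool }

// Stalled is true when AssumeRole was called, never logged a result, and init timed out.
func (a Attempt) Stalled() bool { return a.AssumeStarted && !a.AssumeReturned && a.InitTimedOut }

// Analyze splits a Lambda log into start-up attempts and records how far each one got.
func Analyze(log string) []Attempt {
	var out []Attempt
	for _, line := range strings.Split(log, "\n") {
		if strings.Contains(line, "Starting Vault Lambda Extension") {
			out = append(out, Attempt{}) // each start-up banner opens a new attempt
		}
		if len(out) == 0 {
			continue // ignore lines before the first banner
		}
		cur := &out[len(out)-1]
		switch {
		case strings.Contains(line, "Trying to assume role with arn of"):
			cur.AssumeStarted = true
		case strings.Contains(line, "Assumed role successfully"), strings.Contains(line, "failed to assume role"):
			cur.AssumeReturned = true // success or (assumed) logged error
		case strings.HasPrefix(line, "INIT_REPORT") && strings.Contains(line, "Status: timeout"):
			cur.InitTimedOut = true
		}
	}
	return out
}

func main() {
	for i, a := range Analyze(failingLog) {
		fmt.Printf("attempt %d: stalled in AssumeRole = %v\n", i+1, a.Stalled())
	}
}
```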