Generate AWS Creds via HashiCorp Vault with OIDC Auth Method

Scott Chang
3 min readSep 4, 2020


How to use HashiCorp Vault, integrated with an OIDC provider, to generate temporary AWS credentials (access key ID, secret access key and session token) that grant only restricted access to AWS resources.

(This article does not cover setting up the Vault service itself, or connecting the Vault OIDC auth method to your OIDC provider.)


Prerequisites

Vault client: you will interact with Vault by running the Vault CLI locally
Vault server: a running Vault instance
AWS account: an AWS account in which you can manage IAM roles and policies
OIDC provider: an identity service that supports OIDC (and can expose a groups claim)

Diagram

1. Orange line: developers log in to Vault via OIDC and receive a Vault token.
2. Blue line: developers use the Vault token to request AWS credentials from the Vault AWS secrets engine. Vault checks its policy and role mapping, then calls sts:AssumeRole on the target IAM role to obtain temporary credentials.
3. Green line: developers access AWS resources with the temporary keys and session token. AWS evaluates the IAM policy attached to the assumed role and grants only the restricted access it allows.

Step by Step

AWS IAM Role and Policy:

1. Create an IAM role with an IAM policy attached.
The IAM policy defines which AWS resources developers are allowed to access; keep it to the minimum the team needs, because every credential Vault issues inherits it.

2. Add the Vault instance role to the trust relationships
(This allows the IAM principal Vault runs as, for example its EC2 instance role, to call sts:AssumeRole on this role. Vault's own principal must also be permitted to call sts:AssumeRole in its permissions policy.)

Trust policy document example (replace <account number> with the account that owns the Vault instance role):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account number>:role/vault-instance-role"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Vault AWS Secrets Engine / Roles

1. Enable the AWS secrets engine and configure the IAM credentials Vault will use.
When Vault runs on EC2 under the instance role named in the trust policy above, it can obtain those credentials from the instance metadata service, so no static access keys need to be stored in Vault.

2. Create a Vault AWS role with credential_type=assumed_role, pointing at the IAM role's ARN.
*Use credential_type=assumed_role instead of iam_user so Vault issues short-lived STS credentials instead of creating (and later deleting) many temporary IAM users. Note that STS credentials cannot be revoked by Vault once issued; they simply expire, and their lifetime is capped by the IAM role's maximum session duration (one hour by default), so keep the role's TTLs short.

Vault OIDC Backend / Roles and Policy

1. Enable the Vault OIDC auth method.
2. Create a Vault policy that allows reading aws/creds/<vault-aws-role-name> (`read` alone is enough for `vault read`; `list` is harmless here but not required):
path "aws/creds/<vault-aws-role-name>" {
  capabilities = ["read", "list"]
}

3. Create an OIDC role mapped to the policy. The bound_claims entry restricts logins to members of the given group; without it, any user your OIDC provider will authenticate for this client could obtain a Vault token. token_policies is the current field name (policies is a deprecated alias). For `vault login -method=oidc` the redirect URI is http://localhost:8250/oidc/callback by default; the web UI uses https://<vault-address>/ui/vault/auth/oidc/oidc/callback.

vault write auth/oidc/role/<oidc-role-name> -<<EOF
{
  "role_type": "oidc",
  "user_claim": "email",
  "groups_claim": "groups",
  "bound_claims": { "groups": "group_name" },
  "oidc_scopes": ["openid", "email", "groups", "profile"],
  "allowed_redirect_uris": ["http://oidc_redirect_uri"],
  "token_policies": ["<policy-name>"],
  "verbose_oidc_logging": false
}
EOF
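The setup above, collected into one script, as an added example that is not code from the article: it issues the same writes through Vault's HTTP API (the calls the `vault` CLI makes), using placeholder names for the AWS account, IAM role, Vault AWS role, policy, OIDC role and group, and adds a check that the names line up across the three Vault objects, which is the usual reason a later `vault read aws/creds/...` fails with permission denied. VAULT_ADDR and VAULT_TOKEN are assumed to point at a Vault you administer; without them the script only prints the planned writes.

```python
"""Set up Vault's AWS secrets engine and an OIDC role through Vault's HTTP API.

Added example, not code from the original article. VAULT_ADDR / VAULT_TOKEN
are assumed to name a Vault you administer; every role, policy, group and
account id below is a hypothetical placeholder.
"""
import json
import os
import urllib.request
from typing import List, Tuple

Step = Tuple[str, dict]  # (API path under /v1/, JSON payload)


def vault_write(addr: str, token: str, path: str, payload: dict) -> dict:
    """POST one write to Vault's HTTP API, which is what `vault write` does."""
    req = urllib.request.Request(
        f"{addr.rstrip('/')}/v1/{path}",
        data=json.dumps(payload).encode(),
        method="POST",
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def policy_hcl(aws_role: str) -> str:
    """ACL policy for developers: `read` is all `vault read aws/creds/<role>` needs."""
    return f'path "aws/creds/{aws_role}" {{\n  capabilities = ["read"]\n}}\n'


def build_steps(*, account_id: str, iam_role: str, aws_role: str, policy: str,
                oidc_role: str, group: str, redirect_uri: str,
                region: str = "us-east-1") -> List[Step]:
    """The article's setup steps, in order, as Vault API writes."""
    role_arn = f"arn:aws:iam::{account_id}:role/{iam_role}"
    return [
        # AWS secrets engine; no static keys, Vault uses its own instance role.
        ("sys/mounts/aws", {"type": "aws"}),
        ("aws/config/root", {"region": region}),
        # assumed_role: one STS AssumeRole per request, no IAM users created.
        (f"aws/roles/{aws_role}", {
            "credential_type": "assumed_role",
            "role_arns": [role_arn],
            "default_sts_ttl": "1h",  # capped by the IAM role's max session
            "max_sts_ttl": "1h",
        }),
        (f"sys/policies/acl/{policy}", {"policy": policy_hcl(aws_role)}),
        ("sys/auth/oidc", {"type": "oidc"}),
        (f"auth/oidc/role/{oidc_role}", {
            "role_type": "oidc",
            "user_claim": "email",
            "groups_claim": "groups",
            "bound_claims": {"groups": [group]},  # members of this group only
            "oidc_scopes": ["openid", "email", "groups", "profile"],
            "allowed_redirect_uris": [redirect_uri],
            "token_policies": [policy],
            "token_ttl": "1h",
        }),
    ]


def check_wiring(steps: List[Step]) -> List[str]:
    """Catch the usual misconfiguration: names that do not line up across the
    AWS role, the ACL policy and the OIDC role. Returns the problems found."""
    by_path = dict(steps)
    aws_roles = [p.split("/", 2)[2] for p in by_path if p.startswith("aws/roles/")]
    policies = {p.split("/", 3)[3]: v["policy"] for p, v in by_path.items()
                if p.startswith("sys/policies/acl/")}
    problems = []
    for name, hcl in policies.items():
        if not any(f'"aws/creds/{r}"' in hcl for r in aws_roles):
            problems.append(f"policy {name} grants no aws/creds path of a defined role")
    for path, v in by_path.items():
        if path.startswith("auth/oidc/role/"):
            unknown = [x for x in v.get("token_policies", []) if x not in policies]
            if unknown:
                problems.append(f"{path} references undefined policies {unknown}")
            if not v.get("bound_claims"):
                problems.append(f"{path} has no bound_claims: any IdP user could log in")
    return problems


if __name__ == "__main__":
    steps = build_steps(account_id="123456789012", iam_role="dev-s3-readonly",
                        aws_role="dev-s3", policy="aws-dev-s3", oidc_role="developers",
                        group="cloud-devs", redirect_uri="http://localhost:8250/oidc/callback")
    problems = check_wiring(steps)
    if problems:
        raise SystemExit("\n".join(problems))
    addr, token = os.environ.get("VAULT_ADDR"), os.environ.get("VAULT_TOKEN")
    for path, payload in steps:
        if addr and token:
            vault_write(addr, token, path, payload)
        else:  # offline: show what would be written
            print("POST /v1/" + path, json.dumps(payload))
```

Run it once with admin credentials; the writes are idempotent apart from the two mount calls, which Vault rejects with "path is already in use" on a second run, so comment those out when re-applying role or policy changes.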

Test

1. Log in to Vault

export VAULT_ADDR="https://your.vault.address"
vault login -method=oidc role=<oidc-role-name>

Depending on your OIDC provider, a login page opens in the browser. Authenticate there, then close the window; the CLI prints the Vault token together with its TTL and the policies attached to it.

2. Generate AWS credentials

vault read aws/creds/<vault-aws-role-name>

You should get access_key, secret_key and security_token, plus a lease_duration telling you how many seconds they remain valid.

Export them as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN (the session token is mandatory for STS credentials) or save them as a profile in ~/.aws/credentials, and you are good to go. Every `vault read` on this path mints a fresh STS session, so read once and reuse the result until it expires rather than reading the three fields separately.
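As an added example that is not part of the article, a small script that takes the JSON output of a single `vault read -format=json aws/creds/<vault-aws-role-name>` on stdin, writes it as a named profile in the AWS credentials file with owner-only permissions, and reports when the STS session expires. The profile name, the file path and the sample response used for the offline check are assumptions; the field names (access_key, secret_key, security_token, lease_duration) are the ones Vault returns.

```python
"""Turn one `vault read -format=json aws/creds/<role>` into an AWS CLI profile.

Added example, not from the original article. It reads Vault's JSON on stdin so
the credentials are fetched exactly once (every `vault read` mints a new STS
session); profile name and file path are hypothetical defaults.
"""
import configparser
import json
import os
import sys
import time
from typing import Dict, Optional

DEFAULT_CREDS_FILE = os.path.expanduser("~/.aws/credentials")

# Constructed sample of what `vault read -format=json aws/creds/dev-s3` returns
# for an assumed_role Vault role (all values are fake).
SAMPLE_RESPONSE = {
    "lease_id": "aws/creds/dev-s3/hypothetical-lease-id",
    "lease_duration": 3600,
    "renewable": False,
    "data": {
        "access_key": "ASIAEXAMPLEKEYID",
        "secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "security_token": "FwoGZXIvYXdzEXAMPLESESSIONTOKEN",
    },
}


def aws_profile_from_vault(doc: dict) -> Dict[str, str]:
    """Map Vault's response to the three keys the AWS CLI and SDKs read."""
    data = doc["data"]
    # Vault reports the STS session token as security_token (newer releases
    # also return it as session_token); without it the key pair is useless.
    token = data.get("security_token") or data.get("session_token")
    if not token:
        raise ValueError("response has no session token; is the Vault role assumed_role?")
    return {
        "aws_access_key_id": data["access_key"],
        "aws_secret_access_key": data["secret_key"],
        "aws_session_token": token,
    }


def expires_at(doc: dict, now: Optional[float] = None) -> int:
    """Unix time at which the STS session lapses (lease_duration is in seconds)."""
    now = time.time() if now is None else now
    return int(now + int(doc.get("lease_duration", 0)))


def export_lines(doc: dict) -> str:
    """Alternative to a profile: `export` lines to eval in the current shell."""
    return "\n".join(f"export {k.upper()}={v}" for k, v in aws_profile_from_vault(doc).items())


def write_profile(doc: dict, profile: str, path: str = DEFAULT_CREDS_FILE) -> str:
    """Create or replace [profile] in an INI credentials file; returns the path."""
    cfg = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    cfg.read(path)  # keeps other profiles intact; a missing file is fine
    if not cfg.has_section(profile):
        cfg.add_section(profile)
    for key, value in aws_profile_from_vault(doc).items():
        cfg.set(profile, key, value)
    os.makedirs(os.path.dirname(path) or ".", exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        cfg.write(fh)
    os.chmod(path, 0o600)  # secrets on disk: owner read/write only
    return path


if __name__ == "__main__":
    # usage: vault read -format=json aws/creds/dev-s3 | python3 vault_aws_profile.py dev-s3
    if sys.stdin.isatty():
        raise SystemExit("pipe the output of `vault read -format=json aws/creds/<role>` in")
    response = json.load(sys.stdin)
    name = sys.argv[1] if len(sys.argv) > 1 else "vault"
    path = write_profile(response, name)
    when = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(expires_at(response)))
    print(f"wrote profile [{name}] to {path}; credentials expire at {when}")
```

Afterwards `aws s3 ls --profile dev-s3` (or AWS_PROFILE=dev-s3) uses the temporary session; once the printed expiry passes, run the pipeline again rather than keeping long-lived keys around.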

I hope this article gave you an idea of how to generate temporary AWS credentials via Vault and helps you make your AWS access more secure.

