Generate AWS Creds via HashiCorp Vault with OIDC Auth Method
How to use HashiCorp Vault, integrated with an OIDC provider, to generate temporary AWS credentials (Access Key ID, Secret Access Key and session token) and access AWS resources with restricted permissions.
(This article doesn't cover how to set up the Vault service itself or how to connect the Vault OIDC backend to your OIDC provider.)
Prerequisites
Vault CLI: installed locally, since you will interact with Vault by running the Vault CLI
Vault Server: a running Vault instance
AWS Account: an AWS account with IAM access
OIDC Provider: an identity service that provides OIDC
Diagram
- Orange Line: Developers log in to Vault via OIDC to get a Vault token
- Blue Line: Developers use the Vault token to generate AWS creds by calling the Vault AWS Secrets Engine. Vault checks the policy and role mapping, then assumes the AWS IAM role to get temporary credentials
- Green Line: Developers access AWS resources with the temporary keys and token. AWS checks the IAM policy to grant restricted access.
Step by Step
AWS IAM Role and Policy:
1. Create an IAM role with an IAM policy.
The IAM policy defines the AWS resources developers are allowed to access.
2. Add the Vault instance role to the role's trust relationships
(this allows Vault to assume the role)
Trust policy document example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account number>:role/vault-instance-role"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
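The trust policy above is the only thing standing between "Vault can assume this role" and "anyone can assume this role", so it is worth checking mechanically before it is applied. The following is an added example, not code from the article: it loads a trust policy document and reports any Allow statement whose principal is not the expected Vault instance role (a bare "*" or an account ":root" principal counts as over-broad) or whose action is something other than sts:AssumeRole. The account number and the policy text are constructed placeholders.

```python
"""Added example (not from the original article): check that an IAM role's
trust policy only lets the expected Vault instance role assume it.

The policy document and the role ARN below are constructed placeholders.
"""
import json

# Constructed trust policy, mirroring the shape shown in the article.
TRUST_POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/vault-instance-role"},
      "Action": "sts:AssumeRole"
    }
  ]
}
"""

# Placeholder account id; replace with the ARN of your own Vault instance role.
EXPECTED_VAULT_ROLE = "arn:aws:iam::123456789012:role/vault-instance-role"


def _as_list(value):
    """IAM accepts a scalar or a list for Principal/Action; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy_doc: str, expected_role_arn: str) -> list:
    """Return human-readable findings for every Allow statement that grants
    more than 'expected_role_arn may call sts:AssumeRole'.
    An empty list means the policy is as tight as the article's example."""
    findings = []
    policy = json.loads(policy_doc)
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        principal = stmt.get("Principal", {})
        # A bare "*" principal means any AWS account may attempt to assume the role.
        if isinstance(principal, str):
            findings.append(f"statement {i}: Principal is '{principal}'")
            continue
        for p in _as_list(principal.get("AWS")):
            if p == "*" or p.endswith(":root"):
                findings.append(f"statement {i}: over-broad principal {p}")
            elif p != expected_role_arn:
                findings.append(f"statement {i}: unexpected principal {p}")
        for action in _as_list(stmt.get("Action")):
            if action.lower() != "sts:assumerole":
                findings.append(f"statement {i}: unexpected action {action}")
    return findings


if __name__ == "__main__":
    problems = trust_policy_findings(TRUST_POLICY_JSON, EXPECTED_VAULT_ROLE)
    print("trust policy OK" if not problems else "\n".join(problems))
```

Run it against the real document with `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument` piped into the function; the check only looks at `Principal.AWS` and `Action`, so a policy that also needs `sts:TagSession` or a `Condition` block would have to be added to the allow-list deliberately.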
Vault AWS Secret Engine / Roles
1. Enable the AWS Secrets Engine and configure its IAM credentials
2. Create a Vault AWS role of type assumed_role
*Use credential_type=assumed_role instead of iam_user so that Vault does not create a new temporary IAM user for every credential request
Vault OIDC Backend / Roles and Policy
1. Enable the Vault OIDC backend
2. Create a Vault policy that allows reading
aws/creds/<vault-aws-role-name>
path "aws/creds/<vault-aws-role-name>" {
  capabilities = ["read", "list"]
}
3. Create an OIDC role mapped to the policy
vault write auth/oidc/role/<oidc-role-name> -<<EOF
{
  "user_claim": "email",
  "allowed_redirect_uris": ["http://oidc_redirect_uri"],
  "role_type": "oidc",
  "policies": "<policy-name>",
  "groups_claim": "groups",
  "bound_claims": { "groups": "group_name" },
  "oidc_scopes": ["openid", "email", "groups", "profile"],
  "token_policies": ["<policy-name>"],
  "verbose_oidc_logging": "false"
}
EOF
Test
1. Log in to Vault
export VAULT_ADDR="https://your.vault.address"
vault login -method=oidc role=<role-name>
Depending on your OIDC provider, its login page will pop up in the browser. Enter your credentials and close the browser window. You should see the Vault token as below:
2. Generate AWS credentials
vault read aws/creds/<vault-aws-role-name>
You should get an AWS access_key, secret_key and security_token:
Export the keys and token as environment variables or save them to ~/.aws/credentials, and you will be good to go!
I hope this article gave you the concept of how to generate temporary AWS credentials via Vault and helps you make your AWS access more secure.