Ephemeral AWS Credentials with Vault and Terraform

Pradipta Sanyal
Generac Clean Energy
4 min read · Apr 1, 2022

Vault is a secrets management solution from HashiCorp. Beyond storing static secrets such as API keys, database passwords and certificates, it can also issue just-in-time credentials for interacting with your cloud infrastructure. This post covers only dynamic credential generation, not the installation and configuration of a Vault server.

This article shows how to spin up AWS resources with a combination of HashiCorp's Vault and Terraform:

  • Terraform is used as the Infrastructure-as-Code tool to first create an IAM role, attached to a policy that can only create EC2 instances.
  • Vault is used to create an ephemeral IAM user with the above IAM role and a TTL of 5 minutes.
  • An EC2 instance is then provisioned by that user.
  • The user is deleted once the TTL expires.
  • Finally, a brief introduction to a Vault alternative, akeyless.io.

Prerequisites:

You need a running Vault server. It can be your local dev machine; in my case, I have a Vault server running on an EC2 instance.

If you want to learn how to get started with Vault (installation and configuration), please refer to the official HashiCorp documentation.

Now off to the good stuff.

Vault Terraform Provider

Vault has first-class integration with Terraform, both being part of the HashiCorp ecosystem. I am going to use the Vault provider to create a secrets backend and an IAM role. With this provider it is very simple to configure and manage Vault: you can write and read secrets from Vault by providing the Vault endpoint and a Vault token.

Create Vault Backend & IAM Role

Let's first create a folder, iam-role, and add some files to it:

resources.tf

default_lease_ttl_seconds = "300" sets the default lease TTL for credentials issued from this backend, i.e. how long the generated IAM user remains valid before Vault revokes it.

variables.tf

Provide values for the above variables.

output.tf

Now cd iam-role and run terraform plan; you will see output like this:

Now let's run terraform apply.

Multiple things happen at this point, so let's break it down. First of all, in the Terraform console you'll see this:

Two resources have been created: first a secrets engine for AWS, and then a role for EC2 admin. Let's check that in the Vault UI:

With the following configuration for the role:

Create an EC2 Instance with a short-lived credential:

Now let's create another folder, ec2-instance, and add the following files:

resources.tf

This configuration asks Vault, through the vault_aws_access_credentials data source, for credentials for the role we created earlier.

variables.tf

No surprises here: the same Vault URL and Vault token. Additionally, you can hardcode the AMI or retrieve it dynamically from AWS.

Now change to that directory: cd ../ec2-instance/

Same drill: run terraform init, followed by terraform plan. You will see the following in the Terraform console:

When you run terraform apply, you can see a new user being created under the IAM console, Users. This user is deleted automatically by Vault once the lease expires after 300s, as defined in the Vault backend (default_lease_ttl_seconds = "300").

A new IAM user has been created.

In the EC2 console, you can see that a new instance has been provisioned:

The EC2 instance is running.
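Since the article's gists did not survive, here is an added example of both halves of the procedure in Terraform (my code, not the article's repository). The iam-role/ and ec2-instance/ halves are shown in one listing for reading but belong in two separate working directories, as in the article, because the data source can only be read once the role exists; the role name ec2-admin, the variable names and the policy actions are assumptions.

```hcl
# Added example, not the article's gist. Assumes a reachable Vault server,
# a Vault token allowed to manage the "aws" mount, and an AWS key pair
# (passed as variables) that Vault uses to mint the short-lived users.
# ---- iam-role/ : mount the AWS secrets engine and define the Vault role ----
provider "vault" {
  address = var.vault_url
  token   = var.vault_token
}

resource "vault_aws_secret_backend" "aws" {
  path                      = "aws"
  region                    = var.aws_region
  access_key                = var.aws_access_key
  secret_key                = var.aws_secret_key
  default_lease_ttl_seconds = 300   # 5 min: lifetime of each generated IAM user
}

resource "vault_aws_secret_backend_role" "ec2_admin" {
  backend         = vault_aws_secret_backend.aws.path
  name            = "ec2-admin"
  credential_type = "iam_user"   # Vault creates a real IAM user per lease
  # Least privilege: only the EC2 actions the instance module needs.
  policy_document = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["ec2:RunInstances", "ec2:TerminateInstances", "ec2:Describe*", "ec2:CreateTags"]
      Resource = "*"
    }]
  })
}

# ---- ec2-instance/ : request credentials for that role and use them ----
data "vault_aws_access_credentials" "creds" {
  backend = "aws"
  role    = "ec2-admin"
  type    = "creds"   # IAM user keys; "sts" would return STS tokens instead
}

provider "aws" {
  region     = var.aws_region
  access_key = data.vault_aws_access_credentials.creds.access_key
  secret_key = data.vault_aws_access_credentials.creds.secret_key
}

resource "aws_instance" "demo" {
  ami           = var.ami_id
  instance_type = "t3.micro"
}
```

The key pair returned by the data source is written into Terraform state, so the state backend needs the same protection as any other secret store; Vault revokes the IAM user when the 300 s lease expires regardless of what happens to the state.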

GitHub repo: https://github.com/pradiptas/vault-terraform-aws

Clean Up:

As always, terraform destroy is our friend.

Akeyless — a Vault Alternative

Installing, configuring and managing a self-hosted Vault server can be cumbersome unless you opt for an enterprise solution. Self-hosted Vault is zero-cost, apart from the running cost of the VM or Kubernetes cluster where it is hosted. On the other hand, Vault Enterprise can become really expensive depending on the number of secrets and API calls. Recently I came across another SaaS solution, Akeyless; it is very easy to get started and scale up with Akeyless. Some points:

  • There is a free community edition that helps you understand the basic concepts of Akeyless.
  • With Akeyless' patented DFC technology, fragments of a single encryption key are stored with different cloud providers and are never combined.
  • Pricing tiers are well defined, and you can choose a package based on your company's requirements.
  • Being a complete SaaS offering, no effort is required for installation, upgrades, configuration or patching.
  • Easy integration with popular CI/CD tools like CircleCI and GitHub Actions.
  • Akeyless CLI and Terraform provider.
