Integrate AWS Secret Engine with HashiCorp Vault

Abhishek Verma
Published in TheLoudCloud
Mar 23, 2023

AWS is accessed with IAM credentials. These are either long-term credentials, such as the access keys of an IAM user, or short-term credentials, such as the temporary keys STS issues for an assumed role or a federation token.

Managing these credentials starts with distributing them, which needs a secure channel and a defined process. Auditing centrally who holds which credentials (for example across many AWS accounts) is harder still, and the keys must be rotated according to AWS and organisational security policy. Long-term access keys for IAM users are also permanently at risk of exposure: once leaked they stay valid until somebody notices and deactivates them.

HashiCorp Vault's "AWS secrets engine" addresses this by generating short-lived AWS credentials on demand, scoped by IAM policies you define in Vault, and revoking them automatically when their lease expires.

Use AWS Secret Engine using Vault UI

  • On the Vault homepage, select "Enable new engine", select "AWS" and click "Next".
  • Configure the AWS root credentials:

Generate access keys for an IAM user [1] and enter them here:

With this configuration Vault uses these credentials for every IAM API call it makes on your behalf: each dynamic user it creates is created by this identity.

Make sure the IAM user behind the root credentials is allowed to do everything Vault will do in its name: create, tag and delete IAM users, put, attach and detach user policies, and create, list and delete access keys. Scope the Resource of that policy to the user-name prefix Vault generates (vault-* by default) so the root identity cannot touch other IAM users. Do not use the AWS account root user for this; "root" here is only the name of the engine's configuration path. Once Vault holds the keys, let it rotate them through the mount's config/rotate-root endpoint so that nobody outside Vault knows the current secret key.

Long-term credentials are not the only option. Vault uses the official AWS SDK, so if you leave the access key and secret key empty it falls back to the SDK's credential chain: explicitly specified credentials, environment variables, the shared credentials file, then the IAM instance-profile or ECS task role, in that order. Running Vault on an instance or task that has a role is the safest choice, since then no long-term key exists at all.

Create a role to dynamically generate IAM credentials

You can restrict what the dynamically generated users may do either with an AWS managed policy or with a custom policy document written into the role. The role also fixes the credential type, and its lease TTL falls back to the mount's default lease TTL unless the role sets its own.

Generate short-term credentials:

Vault creates an IAM user carrying the policy from the Vault role and returns its access key ID and secret access key, which can then be used against AWS. Newly created IAM credentials are eventually consistent, so the first API calls may be rejected for a few seconds after issuance; retry rather than requesting another set.

Vault deletes the IAM user (and its access key) when the lease TTL expires, or earlier if the lease is revoked.

Use AWS Secret Engine using Vault CLI

The same steps can be performed using the Vault CLI or the API endpoints.

  • Enable AWS secret engine:
vault secrets enable -path=aws_creds aws
  • Configure AWS root credentials:
vault write aws_creds/config/root \
    access_key=<access_key_id> \
    secret_key=<secret_key> \
    region=<region>

Passing secret_key on the command line leaves it in the shell history and visible in the process list. Prefer reading the parameters from a file (vault write accepts @root.json in place of key=value pairs), or omit both keys entirely and let Vault use the SDK credential chain described above.
  • Configure a Vault role that generates AWS credentials:
vault write aws_creds/roles/app-1-role \
    credential_type=iam_user \
    policy_document=-<<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    }
  ]
}
EOF

The policy above grants ec2:* on every resource and is only an illustration; scope the document to the actions and resources the application actually needs, because every user Vault mints for this role inherits it verbatim.

Other credential types can be selected: assumed_role and federation_token return STS temporary credentials instead of creating an IAM user. The STS-based types are issued within seconds and leave no IAM principal behind to clean up, so prefer them unless the consumer genuinely needs an IAM user. Managed policies (policy_arns), IAM groups (iam_groups) and a permissions boundary (permissions_boundary_arn) can also be configured on the role [2].

  • Generate AWS Credentials:
vault read aws_creds/creds/app-1-role

Vault creates an IAM user, attaches the specified policy document to it as an inline policy, creates an access key and returns the access key ID and secret access key together with a lease ID and lease duration. The IAM user is deleted automatically at the end of the configured TTL; to remove it earlier, revoke the lease by its lease_id with the vault lease revoke command, which deletes the user and its key immediately.
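The same four steps shown above in the UI and the CLI (enable the mount, configure root, write the role, read credentials), plus revoking the lease when the credentials are no longer needed, driven over Vault's HTTP API. This is an added example written for this page, not code from the original post or from HashiCorp, and it uses only the Python standard library. The Vault address, the token, the mount name aws_creds, the role name app-1-role and the read-only EC2 policy are assumptions; the FakeVault class at the bottom is a constructed stand-in that records the calls and answers with a made-up, non-functional access key so the flow can be run without a real Vault or AWS account.

```python
"""Drive the Vault AWS secrets engine over its HTTP API (added example)."""
import json
import urllib.request
from typing import Callable, Optional

# A transport takes (method, path, json_body) and returns the decoded JSON.
Transport = Callable[[str, str, Optional[dict]], dict]


class VaultAws:
    """Minimal client for one AWS secrets engine mount. The paths are the
    documented endpoints: sys/mounts/<mount>, <mount>/config/root,
    <mount>/roles/<name>, <mount>/creds/<name> and sys/leases/revoke."""

    def __init__(self, addr: str, token: str, mount: str = "aws_creds",
                 transport: Optional[Transport] = None):
        self.addr, self.token, self.mount = addr.rstrip("/"), token, mount
        self._call = transport or self._http

    def _http(self, method: str, path: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            f"{self.addr}/v1/{path}", data=data, method=method,
            headers={"X-Vault-Token": self.token,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()  # most writes answer 204 with an empty body
        return json.loads(raw) if raw else {}

    def enable(self) -> dict:
        return self._call("POST", f"sys/mounts/{self.mount}", {"type": "aws"})

    def configure_root(self, region: str, access_key: Optional[str] = None,
                       secret_key: Optional[str] = None) -> dict:
        # Omitting the keys makes Vault use the AWS SDK credential chain
        # (environment, shared credentials file, instance or task role).
        body = {"region": region}
        if access_key and secret_key:
            body.update(access_key=access_key, secret_key=secret_key)
        return self._call("POST", f"{self.mount}/config/root", body)

    def write_role(self, name: str, policy: dict,
                   credential_type: str = "iam_user") -> dict:
        # policy_document is sent as a JSON string, as the CLI heredoc does.
        return self._call("POST", f"{self.mount}/roles/{name}",
                          {"credential_type": credential_type,
                           "policy_document": json.dumps(policy)})

    def generate(self, role: str) -> dict:
        # Response carries lease_id, lease_duration and data{access_key,
        # secret_key, security_token}; security_token is null for iam_user.
        return self._call("GET", f"{self.mount}/creds/{role}", None)

    def revoke(self, lease_id: str) -> dict:
        # Deletes the IAM user and key now instead of waiting for the TTL.
        return self._call("PUT", "sys/leases/revoke", {"lease_id": lease_id})


def creds_to_env(creds: dict) -> dict:
    """Map a creds response onto the variables the AWS CLI and SDKs read.
    AWS_SESSION_TOKEN is only set for STS-based credential types."""
    data = creds["data"]
    env = {"AWS_ACCESS_KEY_ID": data["access_key"],
           "AWS_SECRET_ACCESS_KEY": data["secret_key"]}
    if data.get("security_token"):
        env["AWS_SESSION_TOKEN"] = data["security_token"]
    return env


class FakeVault:
    """Constructed stand-in for a Vault server (assumption, not real Vault):
    records every call and answers the creds endpoint with a fake key."""

    def __init__(self):
        self.calls, self.revoked = [], []

    def __call__(self, method: str, path: str, body: Optional[dict]) -> dict:
        self.calls.append((method, path, body))
        if method == "GET" and "/creds/" in path:
            role = path.rsplit("/", 1)[1]
            return {"lease_id": f"aws_creds/creds/{role}/fake-lease-id",
                    "lease_duration": 3600,
                    "data": {"access_key": "AKIAFAKEFAKEFAKEFAKE",
                             "secret_key": "fake-secret-key",
                             "security_token": None}}
        if path == "sys/leases/revoke":
            self.revoked.append(body["lease_id"])
        return {}


# Assumed least-privilege policy for the role; tighter than ec2:* on "*".
EC2_READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"}]}


def demo(transport: Optional[Transport] = None) -> dict:
    """Run the whole flow; with no transport it talks to a real Vault."""
    v = VaultAws("http://127.0.0.1:8200", "s.example-token", transport=transport)
    v.enable()
    v.configure_root(region="eu-west-1")   # no keys: SDK credential chain
    v.write_role("app-1-role", EC2_READ_ONLY)
    creds = v.generate("app-1-role")
    env = creds_to_env(creds)
    v.revoke(creds["lease_id"])            # clean up as soon as we are done
    return {"env": env, "lease_id": creds["lease_id"],
            "lease_duration": creds["lease_duration"]}


if __name__ == "__main__":
    fake = FakeVault()
    print(json.dumps(demo(fake), indent=2))
    for method, path, _ in fake.calls:
        print(method, path)
```

Against a real server, drop the FakeVault transport, point addr at your Vault and pass a token that is allowed to write the sys/mounts, aws_creds/config/root and aws_creds/roles paths; the consumer of the credentials only needs read on aws_creds/creds/app-1-role. Because every read of the creds path mints a new IAM user, read once, keep the lease_id, and revoke it when the job finishes rather than letting users pile up until the TTL.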
