Hashicorp Vault AWS Secrets Engine

In this post I will go over what Hashicorp Vault AWS Secrets Engine is and how to implement it.


The Vault AWS Secrets Engine generates AWS credentials on demand. Each request to it creates a fresh IAM user carrying the IAM policy defined on the Vault role, returns that user's access key pair, and attaches a lease so that Vault deletes the user and its keys again when the lease expires or is revoked. Consumers therefore get short-lived, per-request credentials instead of sharing long-lived access keys.

Use Case

This is ideal for deployment pipelines that need access to an AWS account to deploy infrastructure, and it also gives engineers a way to obtain temporary credentials for local use with the AWS CLI instead of keeping long-lived access keys on their machines.

Assumptions

  • Vault client is installed on the client machine
  • Vault server is configured
  • You have an AWS Account
  • You have AWS CLI installed and configured

Steps

1. Create an IAM Group for vault:

aws iam create-group --path / --group-name Vault

2. Create a new file named vault-group-policy.json containing the following policy, replacing ACCOUNT_ID with your 12-digit AWS account ID. The resource pattern restricts Vault to IAM users whose names start with vault-, the prefix Vault gives the users it creates, so the Vault principal cannot touch any other user in the account. HashiCorp's current documentation also lists iam:GetUser and iam:TagUser in this policy; add them if you run a recent Vault release.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "iam:AttachUserPolicy",
                    "iam:CreateAccessKey",
                    "iam:CreateUser",
                    "iam:DeleteAccessKey",
                    "iam:DeleteUser",
                    "iam:DeleteUserPolicy",
                    "iam:DetachUserPolicy",
                    "iam:ListAccessKeys",
                    "iam:ListAttachedUserPolicies",
                    "iam:ListGroupsForUser",
                    "iam:ListUserPolicies",
                    "iam:PutUserPolicy",
                    "iam:AddUserToGroup",
                    "iam:RemoveUserFromGroup"
                ],
                "Resource": ["arn:aws:iam::ACCOUNT_ID:user/vault-*"]
            }
        ]
    }

3. Attach an Inline Policy to the group:

aws iam put-group-policy --group-name Vault --policy-document file://vault-group-policy.json --policy-name VaultGroupPolicy

4. Create a user:

aws iam create-user --user-name Vault

5. Add the user to the Vault group:

aws iam add-user-to-group --user-name Vault --group-name Vault

6. Generate an access key for the Vault user (access keys belong to users, not groups):

aws iam create-access-key --user-name Vault

(the secret access key is only returned once; save both values, we need them in step 8)

7. Enable the AWS Secret Engine in Vault:

vault secrets enable aws

8. Configure the secrets engine with the access key of the Vault IAM user created above, here exported into the shell as AWS_ACCESS_KEY and AWS_ACCESS_SECRET. If Vault itself runs on AWS, you can instead attach an IAM role carrying the policy from step 2 to the Vault instance and omit the keys entirely, so no long-lived secret has to be written at all:

vault write aws/config/root access_key=$AWS_ACCESS_KEY secret_key=$AWS_ACCESS_SECRET region=eu-west-2

9. Create a Vault role. The policy_document is the inline IAM policy that Vault attaches to every IAM user it generates for this role; it is not a reference to an existing AWS role. The one below grants full administrator access, so anyone permitted to read aws/creds/admin in Vault effectively becomes an AWS administrator: restrict the Vault policy that grants that path, and give pipeline roles only the permissions they need to deploy. The terminating EOF must start at the beginning of the line:

vault write aws/roles/admin \
    credential_type=iam_user \
    policy_document=-<<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
EOF

10. Now Vault can generate an access key pair on demand. Each read creates a fresh IAM user (named with the vault- prefix the group policy is scoped to), attaches the role's policy and returns the keys together with a lease_id; when that lease expires, or you revoke it with vault lease revoke, Vault deletes the user and its keys:

vault read aws/creds/admin

BONUS one-liner to set your environment variables. read only sets shell variables, so the export on the last line is what makes them visible to the aws CLI (a child process); freshly created IAM keys can also take a few seconds to become valid, so a first call that fails is worth retrying:

read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_REGION \
    < <(echo $(vault read -format=json aws/creds/admin | jq -r \
    '.data.access_key, .data.secret_key') eu-west-2)
export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_REGION
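The ten steps above and the bonus one-liner, as a single script. This is an added example, not code from the original post or from HashiCorp: it assumes aws, vault and jq are on PATH, that VAULT_ADDR and VAULT_TOKEN are set, and that the aws CLI is already authenticated as an administrator. The variable names VAULT_IAM_USER, VAULT_IAM_GROUP and VAULT_AWS_LEASE_ID, the readonly role and the policy-validation helper are choices made here. It also adds the checks and caveats the walkthrough leaves out: the account ID is validated before it lands in an ARN, the bootstrap key is rotated via aws/config/rotate-root right after Vault receives it so no human copy of the secret remains valid, generated users get a lease, the exported variables are shell-quoted, and the lease is revoked when the credentials are no longer needed.

```shell
#!/usr/bin/env bash
# Added example, not the post's code. Assumes aws, vault and jq on PATH,
# VAULT_ADDR/VAULT_TOKEN set, aws CLI authenticated as an admin. VAULT_IAM_*,
# the "readonly" role and VAULT_AWS_LEASE_ID are names chosen here.
set -eu

VAULT_IAM_USER="${VAULT_IAM_USER:-Vault}"
VAULT_IAM_GROUP="${VAULT_IAM_GROUP:-Vault}"
VAULT_AWS_REGION="${VAULT_AWS_REGION:-eu-west-2}"

# The post's group policy scoped to one account. "vault-*" matches the users
# Vault creates for credential_type=iam_user; iam:GetUser and iam:TagUser are
# added because HashiCorp's documented policy for current releases lists them.
vault_iam_policy_json() {
    local account_id="$1"
    if ! expr "$account_id" : '[0-9]\{12\}$' >/dev/null; then
        echo "account id must be 12 digits, got '$account_id'" >&2
        return 1
    fi
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "iam:AttachUserPolicy", "iam:CreateAccessKey", "iam:CreateUser",
      "iam:DeleteAccessKey", "iam:DeleteUser", "iam:DeleteUserPolicy",
      "iam:DetachUserPolicy", "iam:GetUser", "iam:ListAccessKeys",
      "iam:ListAttachedUserPolicies", "iam:ListGroupsForUser",
      "iam:ListUserPolicies", "iam:PutUserPolicy", "iam:AddUserToGroup",
      "iam:RemoveUserFromGroup", "iam:TagUser"
    ],
    "Resource": ["arn:aws:iam::${account_id}:user/vault-*"]
  }]
}
EOF
}

# Steps 1-6: the principal Vault authenticates as. Prints key id and secret once.
bootstrap_aws_principal() {
    local account_id
    account_id="$(aws sts get-caller-identity --query Account --output text)"
    vault_iam_policy_json "$account_id" > vault-group-policy.json
    aws iam create-group --group-name "$VAULT_IAM_GROUP" >/dev/null
    aws iam put-group-policy --group-name "$VAULT_IAM_GROUP" \
        --policy-name VaultGroupPolicy --policy-document file://vault-group-policy.json
    aws iam create-user --user-name "$VAULT_IAM_USER" >/dev/null
    aws iam add-user-to-group --user-name "$VAULT_IAM_USER" --group-name "$VAULT_IAM_GROUP"
    aws iam create-access-key --user-name "$VAULT_IAM_USER" \
        --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
}

# Steps 7-9, plus two things the post skips: rotate the bootstrap key as soon as
# Vault has it (so only Vault knows the secret) and lease generated users.
configure_vault() {
    vault secrets enable aws
    vault write aws/config/root access_key="$1" secret_key="$2" region="$VAULT_AWS_REGION"
    vault write -f aws/config/rotate-root
    vault write aws/config/lease lease=1h lease_max=24h
    # The post's admin role: whoever may read aws/creds/admin is an AWS admin.
    vault write aws/roles/admin credential_type=iam_user policy_document=- <<'EOF'
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
EOF
    # The shape most roles should take: a managed policy ARN, least privilege.
    vault write aws/roles/readonly credential_type=iam_user \
        policy_arns=arn:aws:iam::aws:policy/ReadOnlyAccess
}

# Step 10 and the bonus one-liner: read(1) sets shell variables that child
# processes like the aws CLI never see, so emit export lines (quoted by jq's
# @sh) and keep the lease id. stdin is vault read -format=json aws/creds/<role>.
vault_creds_to_exports() {
    jq -r '"export AWS_ACCESS_KEY_ID=\(.data.access_key | @sh)",
           "export AWS_SECRET_ACCESS_KEY=\(.data.secret_key | @sh)",
           "export VAULT_AWS_LEASE_ID=\(.lease_id | @sh)"'
}

# New IAM keys are eventually consistent: early calls can fail, so retry first.
wait_for_aws_creds() {
    local i=0
    until aws sts get-caller-identity >/dev/null 2>&1; do
        i=$((i + 1)); [ "$i" -lt 15 ] || return 1
        sleep 2
    done
}

main() {
    keys="$(bootstrap_aws_principal)"; rm -f vault-group-policy.json
    set -- $keys                               # $1 = key id, $2 = secret
    configure_vault "$1" "$2"
    eval "$(vault read -format=json aws/creds/readonly | vault_creds_to_exports)"
    wait_for_aws_creds
    aws sts get-caller-identity                # shows a vault-readonly-* user
    vault lease revoke "$VAULT_AWS_LEASE_ID"   # deletes that user and its key
}

# Sourcing only defines the helpers; pass "run" to perform the bootstrap.
if [ "${1:-}" = "run" ]; then main; fi
```

Run it once as `bash vault-aws.sh run` to bootstrap; afterwards, a developer only needs `eval "$(vault read -format=json aws/creds/readonly | vault_creds_to_exports)"` after sourcing the file, and `vault lease revoke "$VAULT_AWS_LEASE_ID"` when done. The rotate-root call is the important addition: after it, the key you captured from step 6 no longer works, so a leaked copy of the bootstrap secret cannot be used to mint further credentials.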