AWS & Vault CloudFormation Templates
Ben Gonzalez
2024-07-10
Source: vignettes/awscftemplates.Rmd
Vault AWS IAM User
Below is an AWS CloudFormation template that creates an IAM User for interacting with Vault.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  VaultIAMUserName:
    Description: IAM User Name for interacting with Vault
    Type: String
    Default: vaultauthentication
Resources:
  VaultIAMUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Ref VaultIAMUserName
      Path: "/"
      Policies:
        - PolicyName: vaultiamuserauth
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - ec2:DescribeInstances
                  - iam:GetInstanceProfile
                  - iam:GetUser
                  - iam:ListRoles
                  - iam:GetRole
                  - iam:CreateUser
                  - iam:PutUserPolicy
                Resource: '*'
Outputs:
  IAMUserName:
    Description: IAM User Name
    Value: !Ref VaultIAMUser
  IAMUserArn:
    Description: IAM User Arn
    Value: !GetAtt VaultIAMUser.Arn
```
Vault AWS IAM Role
Below is an AWS CloudFormation template that creates an IAM Role (with an instance profile) for interacting with Vault.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  VaultIAMRoleName:
    Description: IAM Role Name for interacting with Vault
    Type: String
    Default: vaultauthentication
Resources:
  VaultIAMRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref VaultIAMRoleName
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
  VaultIAMRolePolicies:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: vaultiamroleauth
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - ec2:DescribeInstances
              - iam:GetInstanceProfile
              - iam:GetUser
              - iam:GetRole
            Resource: '*'
          - Effect: Allow
            Action:
              - sts:AssumeRole
            Resource:
              - !Join ['', ['arn:aws:iam::', !Ref 'AWS::AccountId', ':role/', !Ref VaultIAMRoleName]]
          - Sid: ManageOwnAccessKeys
            Effect: Allow
            Action:
              - iam:CreateAccessKey
              - iam:DeleteAccessKey
              - iam:GetAccessKeyLastUsed
              - iam:GetUser
              - iam:ListAccessKeys
              - iam:UpdateAccessKey
            Resource:
              - !Join ['', ['arn:aws:iam::*:user/', !Ref VaultIAMRoleName]]
      Roles:
        - !Ref VaultIAMRole
  VaultIAMInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: !Ref VaultIAMRoleName
      Path: "/"
      Roles:
        - !Ref VaultIAMRole
Outputs:
  IAMRoleName:
    Description: IAM Role Name
    Value: !Ref VaultIAMRole
  IAMRoleArn:
    Description: IAM Role Arn
    Value: !GetAtt VaultIAMRole.Arn
```
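As an added example (not part of the vignette), the following least-privilege check reviews the policy statements of the two templates above: it flags Allow statements that grant identity-mutating IAM actions on `Resource: '*'`, which is what separates the user template (`iam:CreateUser` and `iam:PutUserPolicy` on `*`) from the role template, whose access-key actions are scoped to a user ARN. The statements are transcribed by hand from the templates, with a constructed account id standing in for `AWS::AccountId`.

```python
# Added least-privilege check (example code, not part of the vignette). The statements
# below are transcribed from the two templates; account id 123456789012 is a placeholder.
from fnmatch import fnmatch

# Inline policy of VaultIAMUser (first template).
USER_POLICY_STATEMENTS = [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:DescribeInstances", "iam:GetInstanceProfile", "iam:GetUser",
                "iam:ListRoles", "iam:GetRole", "iam:CreateUser", "iam:PutUserPolicy"]},
]

# VaultIAMRolePolicies (second template), with the !Join expressions resolved.
ROLE_POLICY_STATEMENTS = [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:DescribeInstances", "iam:GetInstanceProfile", "iam:GetUser", "iam:GetRole"]},
    {"Effect": "Allow", "Action": ["sts:AssumeRole"],
     "Resource": ["arn:aws:iam::123456789012:role/vaultauthentication"]},
    {"Sid": "ManageOwnAccessKeys", "Effect": "Allow",
     "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:GetAccessKeyLastUsed",
                "iam:GetUser", "iam:ListAccessKeys", "iam:UpdateAccessKey"],
     "Resource": ["arn:aws:iam::*:user/vaultauthentication"]},
]

# IAM actions that create principals or change their permissions. Granted on
# Resource '*', they let the holder mint identities and attach policies to them.
MUTATING_PATTERNS = ("iam:create*", "iam:put*", "iam:attach*", "iam:update*", "iam:delete*")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_mutating_iam(action):
    """True for identity-changing IAM actions, including the wildcards '*' and 'iam:*'."""
    a = action.lower()
    return a in ("*", "iam:*") or any(fnmatch(a, p) for p in MUTATING_PATTERNS)

def wildcard_iam_writes(statements):
    """Return sorted (sid, action) pairs for Allow statements that grant a mutating IAM
    action on Resource '*'. Deny statements and ARN-scoped resources are ignored."""
    findings = set()
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        for action in _as_list(stmt.get("Action", [])):
            if is_mutating_iam(action):
                findings.add((sid, action))
    return sorted(findings)

if __name__ == "__main__":
    print("user:", wildcard_iam_writes(USER_POLICY_STATEMENTS))  # flags CreateUser, PutUserPolicy
    print("role:", wildcard_iam_writes(ROLE_POLICY_STATEMENTS))  # [] (writes are ARN-scoped)
```

The role template's read-only statement also uses `Resource: '*'`, but it contains no mutating action, so it produces no finding; only scoped-resource mutating statements pass for the role.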