Skip to contents

AWS & Vault

Ben Gonzalez

2024-07-10

Source: vignettes/awsvault.Rmd
awsvault.Rmd

Creates AWS Resources

Before you configure the HCP Vault AWS auth method, you must create the necessary resources in AWS. The AWS auth method will require an IAM policy that permits the appropriate access for the auth method, an IAM user with programmatic access, and one or more roles that you will assign to other AWS services that require authentication to Vault.

Create the IAM Policy for your IAM User

The below policy needs to be attached to the IAM User you are creating in AWS.

IAM User Cloud Formation Template

Note: You may need to add more IAM permissions if you receive errors authenticating

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "iam:GetInstanceProfile",
                "iam:GetUser",
                "iam:ListRoles",
                "iam:GetRole",
                "iam:CreateUser",
                "iam:PutUserPolicy"
            ],
            "Resource": "*"
        }
    ]
}

Create IAM Policy for your IAM Role

IAM Role Cloud Formation Template

You will now create the IAM policy for your IAM Role. You will need to attach this to your IAM Role to allow Vault to connect to it and authenticate. You can replace vaultauth with the name of the IAM Role and IAM User that you have created.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "iam:GetInstanceProfile",
                "iam:GetUser",
                "iam:GetRole"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::<aws-account-number>:role/vaultauth"
            ]
        },
        {
            "Sid": "ManageOwnAccessKeys",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:GetAccessKeyLastUsed",
                "iam:GetUser",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey"
            ],
            "Resource": "arn:aws:iam::*:user/vaultauth"
        }
    ]
}

Create the connections to Vault via AWS IAM User and AWS IAM Role

Enable aws auth on your vault instance.

vault auth enable aws

Check to see if the vault auth aws method has been enabled.

vault auth list

Next connect the IAM role you created in AWS to the Vault aws auth backend. This will configure the AWS auth method with access to your AWS account using the Access key ID and Secret Access Key previously created for the IAM User you created in AWS.

vault write auth/aws/config/client secret_key=<secret-key> access_key=<access-key>

Create Vault role for connection to AWS IAM Role

Configure the AWS auth method to trust the AWS IAM role previously created and attach the vault-policy-for-aws-ec2role to the token provided by the AWS auth method. Replace with the actual IAM Role ARN you created in AWS.

Note: The IAM User Arn will look like the following: arn:aws:iam::<aws-account-number>:user/vaultauth 

vault write auth/aws/role/vaultauth \
     auth_type=iam \
     bound_iam_principal_arn=arn:aws:iam::<aws-account-number>:role/vaultauth \
     policies=default,allinone

List the roles you created for the aws auth method.

vault list /auth/aws/role

Setup authentication to Vault via an IAM Role

  • auth/aws/role/ - this is the name of the role you are creating in vault
  • auth_type=iam - this notes that vault will authenticate via an IAM role
  • bound_iam_principal_arn - this is the IAM Role arn that you will get from your AWS account
  • policies - these are the policy(s) you will associate with your vault role
vault write auth/aws/role/vaultauth auth_type=iam \
              bound_iam_principal_arn=<iam-arn> policies=default,allinonepolicy max_ttl=500h

Setup authentication to Vault via an IAM Role or an ec2 Auth Method 

###Vault role that will authenticate via the ec2 auth method
vault write auth/aws/role/vaultauth auth_type=ec2 bound_ami_id=ami-fce3c696 policies=prod,dev max_ttl=500h
###Create Vault role that allows an IAM role to authenticate with it
vault write auth/aws/role/vaultauth auth_type=iam \
              bound_iam_principal_arn=arn:aws:iam::<aws-account-number>:role/test-iam-vault-auth policies=allinone,dev max_ttl=500

Test your login from an ec2 instance 

vault login -method=aws region=us-east-1 role=vaultauthentication

Test listing secrets 

vault kv get -mount=secret <secret-path>
References

Vault Auth Method

IAM and ec2 Auth Methods

Vault AWS Auth Method API