AWS Secrets Engine - HashiCorp Vault

This is a continuation of this article.

Vault supports three different types of credentials to retrieve from AWS:

  1. iam_user: Vault will create an IAM user for each lease, attach the managed and inline IAM policies as specified in the role to the user, and if a permissions boundary is specified on the role, the permissions boundary will also be attached. Vault will then generate an access key and secret key for the IAM user and return them to the caller. IAM users have no session tokens and so no session token will be returned. Vault will delete the IAM user upon reaching the TTL expiration.
  2. assumed_role: Vault will call sts:AssumeRole and return the access key, secret key, and session token to the caller.
  3. federation_token: Vault will call sts:GetFederationToken, passing in the supplied AWS policy document, and return the access key, secret key, and session token to the caller.

A secrets engine is a component of Vault that is responsible for storing and managing secrets. Vault supports multiple secrets engines, including key-value store, database secrets, Active Directory, AWS, and more.

I will focus on AWS in this guide. The AWS secrets engine generates AWS access credentials dynamically based on IAM policies. This generally makes working with AWS IAM easier, since it does not involve clicking through the web UI. Additionally, the process is codified and mapped to internal auth methods (such as LDAP). The AWS IAM credentials are time-based and are automatically revoked when the Vault lease expires.

Create a new policy that grants the necessary permissions to enable the AWS secrets engine

Use the new token to enable the AWS secrets engine. In the terminal, run:

export VAULT_TOKEN=<new-token>
💡 Don't store the root token in your bash_profile or similar files, since the root token can unlock your passwords.

Next, create a token that carries the aws-policy:

vault token create -policy=aws-policy -format=json

Enable the AWS secrets engine:

vault secrets enable aws

You should get the following message:

Success! Enabled the aws secrets engine at: aws/

Now that you have enabled the AWS secrets engine in Vault, you can start configuring the secrets engine and create AWS access keys and secrets. Here are the next steps:

Configure the AWS secrets engine

You need to configure the AWS secrets engine with your AWS credentials and the AWS region you want to use.

Create an AWS IAM User

It is recommended to create a new IAM user specifically for Vault, rather than using the AWS root user credentials. This provides better security and auditability, as you can track and control the actions performed by the Vault IAM user.

Once you create the user, you'll need to create the access keys. Select the user, go to "Security credentials", and click "Create access key".

Create an AWS IAM policy:

In the AWS console, create a policy that grants read-only access to the service you want, for example the dev environment of Amplify.

Create a new group and a new custom policy, and give the policy read-only access to the Amplify app so the user can pull data from the Amplify dev environment.

Configure the credentials that Vault uses to communicate with AWS to generate the IAM credentials:

You can use the following command to configure the AWS secrets engine (the code below is an example, replace the values with yours):

vault write aws/config/root \
    access_key=AKIAJWVN5Z4FOFT7NLNA \
    secret_key=R4nm063hgMVo4BTT5xOs5nHLeLXA6lar7ZJ3Nt0i \
    region=us-east-1

You should get the following message: "Success! Data written to: aws/config/root"

Now that you have configured the AWS secrets engine in Vault with your AWS credentials, you can proceed to create roles in Vault that map to IAM policies. Roles allow you to generate AWS access keys and secrets that have specific permissions in AWS.
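As an added example (not from the original post or from HashiCorp), the Python below builds the kind of read-only Amplify policy described earlier, refuses to emit a role if the policy grants anything beyond Get/List/Describe, and renders the vault write commands for an iam_user role and for the lease TTL that governs how long those IAM users live. The role name, the Get/List/Describe verb list and any Amplify app ARN passed in are assumptions; aws/roles/<name>, credential_type, policy_document and aws/config/lease are Vault's documented paths and fields.

```python
import json
import shlex

# Verbs treated as read-only; anything else in an Allow statement is rejected (assumption).
READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def amplify_readonly_policy(app_arn: str) -> dict:
    """IAM policy document granting only read actions on one Amplify app."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["amplify:Get*", "amplify:List*"],
            "Resource": [app_arn, f"{app_arn}/*"],
        }],
    }


def is_read_only(policy: dict) -> bool:
    """True only if every Allow action is service:Get*/List*/Describe*.
    A bare '*' or 'service:*' fails the check; Deny statements are ignored."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if ":" not in action:  # bare '*' grants every action on every service
                return False
            verb = action.split(":", 1)[1]
            if not verb.startswith(READ_ONLY_PREFIXES):
                return False
    return True


def vault_role_command(name: str, policy: dict) -> str:
    """Render 'vault write aws/roles/<name>' for an iam_user role carrying the
    policy inline. Fails closed if the policy is not read-only."""
    if not is_read_only(policy):
        raise ValueError("policy grants write actions; refusing to create role")
    return " ".join(["vault write", f"aws/roles/{name}", "credential_type=iam_user",
                     "policy_document=" + shlex.quote(json.dumps(policy))])


def vault_lease_command(lease: str = "15m", lease_max: str = "1h") -> str:
    """iam_user credentials are deleted when the lease expires; aws/config/lease sets it."""
    return f"vault write aws/config/lease lease={lease} lease_max={lease_max}"
```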

You can then verify the configuration by running the following command:

vault list aws/config