@jeromebaude
Last active January 13, 2021 15:48

Generate AWS dynamic credentials with Vault from Doormat credentials

Background

Vault can generate 3 types of AWS credentials:

  • Iam_user
  • STS assumed_role
  • STS federation_token

Today we (Hashi People) get our AWS creds from Doormat. Doormat generates AWS STS credentials valid for 8 hours. An AWS STS credential is made of:

Can I still run my demo with the Vault AWS Secret Engine? => Unfortunately not

Why? Because, by default, the credential type Vault uses to communicate with AWS is iam_user. The Vault Secret Engine cannot be configured to take the session token into account.

Solution ?

The solution is to leave the AWS Secret Engine config empty (without specifying the Access Key and Secret Key).

Vault (or more precisely the AWS SDK used by Vault) will then look for the AWS environment variables in the shell it was started from.

The idea is to set environment variables in that shell so the Vault binary knows the values of AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN.

Steps to follow

(This use case is based on this Learn tutorial, adapted for Doormat assumed-role creds: https://learn.hashicorp.com/tutorials/terraform/secrets-vault?in=terraform/secrets)

  1. Verify you don't have any Vault instance running
  2. Export the AWS env variables (AK/SK + session token) provided by Doormat
  3. Run a local instance of Vault from the same shell process where you exported the AWS env variables, so that the Vault instance inherits them:

    $ vault server -dev -dev-root-token-id="education" &

  4. Export VAULT_TOKEN and VAULT_ADDR
  5. Configure your Vault like Daniel Bennett in his repo https://github.com/gulducat/learn-terraform-inject-secrets-aws-vault/tree/doormat-example (i.e. run a terraform apply from ./vault-admin-workspace)

Humm, Awkward !!

My Vault instance is not a dev instance: it is launched by my OS's service manager (I am using launchd on OSX). How can I inject my AWS env variables into that process, and how will I update them every 8 hours?

Using Doormat cred-server

(https://docs.prod.secops.hashicorp.services/doormat/cli/#aws-credential-server-mode)

  1. Start doormat in cred-server mode (in one shell window)

    $ doormat --refresh && doormat aws cred-server

  2. Export AWS_CONTAINER_CREDENTIALS_FULL_URI (this is already done through my ~/.zprofile and my ~/Library/LaunchAgents/environment.plist; if using environment.plist, don't forget to run the following)

    $ launchctl load ~/Library/LaunchAgents/environment.plist
    $ launchctl start ~/Library/LaunchAgents/environment.plist

    $ export AWS_CONTAINER_CREDENTIALS_FULL_URI="http://127.0.0.1:9000/role/se_demos_dev"

  3. Run terraform or Vault (or any other program using the AWS SDK) from a shell that has AWS_CONTAINER_CREDENTIALS_FULL_URI set, and it will retrieve the AWS creds automatically
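To make step 3 concrete, here is an added Python example (not code from this gist, Doormat or the AWS SDK) that mirrors what the SDK's container credential provider does with AWS_CONTAINER_CREDENTIALS_FULL_URI: it accepts plain http only for a loopback host, parses the JSON document the credential server returns (assumed to use the ECS container credential field names), maps it onto the three env vars from the earlier section, and flags when the 8-hour STS credential is about to expire. The sample response and key values are constructed.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# The AWS SDKs only accept plain http for these hosts; any other host must be https.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Field names of the container credential document; "Token" is the STS session token.
REQUIRED_FIELDS = ("AccessKeyId", "SecretAccessKey", "Token", "Expiration")

# Constructed sample response (fake key material); expiry is 8 hours after
# an assumed 15:48 UTC issue time.
SAMPLE_RESPONSE = json.dumps({
    "AccessKeyId": "ASIAEXAMPLEKEY123456",
    "SecretAccessKey": "example-secret-not-real",
    "Token": "example-session-token-not-real",
    "Expiration": "2021-01-13T23:48:00Z",
})

def validate_cred_uri(uri: str) -> bool:
    """Mirror the SDK rule: https to any host, http only to a loopback host."""
    parsed = urlparse(uri)
    if parsed.scheme == "https":
        return True
    return parsed.scheme == "http" and (parsed.hostname or "") in LOOPBACK_HOSTS

def parse_ts(value: str) -> datetime:
    """The document carries UTC timestamps such as 2021-01-13T23:48:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def missing_fields(doc: dict) -> list:
    """Return the required fields that are absent or empty."""
    return [k for k in REQUIRED_FIELDS if not doc.get(k)]

def parse_container_credentials(body: str) -> dict:
    """Map the server's JSON onto the three env vars the AWS SDK reads, plus expiry."""
    doc = json.loads(body)
    missing = missing_fields(doc)
    if missing:
        raise ValueError(f"credential document missing {missing}")
    return {
        "AWS_ACCESS_KEY_ID": doc["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": doc["SecretAccessKey"],
        "AWS_SESSION_TOKEN": doc["Token"],
        "expires_at": doc["Expiration"],
    }

def needs_refresh(creds: dict, now_utc: str, margin_minutes: int = 15) -> bool:
    """True when the STS credential expires within the margin, so re-fetch first."""
    return parse_ts(now_utc) + timedelta(minutes=margin_minutes) >= parse_ts(creds["expires_at"])
```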

(Thank you to Turtle Kalus and Daniel Bennett for their help on this. For more precise info please reach out to #proj-cloud-auth in Slack)
