Vault can generate 3 types of AWS credentials:
- iam_user
- STS assumed_role
- STS federation_token
Today we (Hashi People) get our AWS creds from Doormat. Doormat generates AWS STS credentials valid for 8 hours. An AWS STS credential is made of:
- Access Key
- Secret Key
- Session Token (https://docs.prod.secops.hashicorp.services/doormat/)
Can I still run my demo with the Vault AWS Secrets Engine? => Unfortunately not, as-is.
Why? Because, by default, the credential type Vault uses to communicate with AWS is iam_user (a static Access Key + Secret Key). The AWS Secrets Engine root config cannot be given a Session Token, so a Doormat STS credential cannot be written into it.
The solution is to leave the AWS Secrets Engine config empty (without specifying the Access Key and Secret Key).
Vault (or more precisely the AWS SDK used by Vault) will then look for environment variables in the shell it was started from.
The idea is to set environment variables in that shell so that the Vault binary knows the values of AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN.
(This UC is based on this learn tutorial adapted for Doormat assumed role creds https://learn.hashicorp.com/tutorials/terraform/secrets-vault?in=terraform/secrets)
- Verify you don't have any Vault already running
- Export the AWS env variables (AK/SK + session token) provided by Doormat
- Run a local instance of Vault, attached to the same shell process from which you exported the AWS env variables, so that the Vault instance inherits them:
  $ vault server -dev -dev-root-token-id="education" &
- Export VAULT_TOKEN and VAULT_ADDR
- Configure your Vault like Daniel Bennett in his repo https://github.com/gulducat/learn-terraform-inject-secrets-aws-vault/tree/doormat-example (i.e. run a terraform apply from ./vault-admin-workspace)
My Vault instance is not a dev instance, and it is launched by my OS service manager (I am using OSX launchd). How can I inject my AWS env variables into that shell, and how will I update them every 8 hours?
(https://docs.prod.secops.hashicorp.services/doormat/cli/#aws-credential-server-mode)
- Start doormat in cred-server mode (in one shell window):
  $ doormat --refresh && doormat aws cred-server
- Export AWS_CONTAINER_CREDENTIALS_FULL_URI (it is already done through my ~/.zprofile and in my ~/Library/LaunchAgents/environment.plist; if using environment.plist don't forget to run:
  $ launchctl load ~/Library/LaunchAgents/environment.plist
  $ launchctl start ~/Library/LaunchAgents/environment.plist)
  $ export AWS_CONTAINER_CREDENTIALS_FULL_URI="http://127.0.0.1:9000/role/se_demos_dev"
- Run terraform or Vault (or any other program) from a shell that knows the AWS_CONTAINER_CREDENTIALS_FULL_URI variable and it will retrieve the AWS creds automatically
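The two runbooks above (static Doormat env variables, and the cred-server URI) as one script, added here as an example and not code from the notes or from the linked repo. It checks that no Vault is running and that this shell actually carries credentials the AWS SDK will find, refuses a plain-http cred-server URI that is not loopback (the SDK does the same, since anything else would ship the STS credentials to a remote host), then brings up the dev Vault and enables the AWS secrets engine without access_key/secret_key. The role path, region, dev token and the use of the vault CLI instead of terraform are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the notes or the linked repo). Role path,
# region and the dev token are illustrative placeholders.

# Where will the AWS SDK inside Vault find credentials in this shell?
# Prints one of: static | container | none
aws_cred_source() {
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ] \
     && [ -n "${AWS_SESSION_TOKEN:-}" ]; then
    echo static      # Doormat STS triple exported in this shell
  elif [ -n "${AWS_CONTAINER_CREDENTIALS_FULL_URI:-}" ]; then
    echo container   # doormat aws cred-server
  else
    echo none
  fi
}

# The SDK only accepts a plain-http cred-server URI on a loopback host;
# anything else would hand the STS credentials to a remote endpoint.
cred_server_uri_ok() {
  case "$1" in
    http://127.0.0.1[:/]*|http://localhost[:/]*|https://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Steps 1-2 of the runbook as checks, so the demo fails fast.
preflight() {
  if pgrep -x vault >/dev/null 2>&1; then
    echo "a vault process is already running; stop it first" >&2
    return 1
  fi
  case "$(aws_cred_source)" in
    none) echo "no AWS creds in this shell: export AK/SK/token or AWS_CONTAINER_CREDENTIALS_FULL_URI" >&2; return 1 ;;
    container) cred_server_uri_ok "$AWS_CONTAINER_CREDENTIALS_FULL_URI" \
      || { echo "refusing non-loopback cred-server URI" >&2; return 1; } ;;
  esac
}

# Steps 3-5: the dev Vault inherits this shell's environment, and the AWS
# secrets engine root config is written WITHOUT access_key/secret_key.
run_demo() {
  preflight || return 1
  vault server -dev -dev-root-token-id="education" &
  export VAULT_ADDR="http://127.0.0.1:8200" VAULT_TOKEN="education"
  sleep 2
  vault secrets enable aws
  vault write aws/config/root region="us-east-1"   # no keys: env / cred-server is used
}
```

Source the file and call run_demo from the shell that holds the Doormat variables; every 8 hours (static case) re-export and restart, or in cred-server mode simply keep doormat running.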
(Thank you to Turtle Kalus and Daniel Bennett for their help on this. For more precise info please reach out to #proj-cloud-auth in Slack.)