Requirement:-
HashiCorp Vault's AWS auth method allows clients to authenticate using their AWS IAM credentials. In this article, we will explore how to use wildcards in the AWS auth method to allow a specific set of IAM roles to log in.
Things to consider:-
- Before proceeding with this use case, we must create a user with a valid policy in the AWS account.
- We have to create the SECRET & ACCESS key for that user.
- We have to create a role to be assumed by the created user (this sets up the trust relationship), with a valid policy assigned to it.
- We must have a client with a valid role. In the case below we created an EC2 instance and assigned it a role that has a valid policy. This role is different from the trust relationship role and has a valid policy containing permissions for EC2 resources.
- We can't define the wildcard, i.e. asterisk (*), in the STS endpoint configuration.
- We can only define the wildcard, i.e. asterisk (*), in the AWS auth role, and it must be at the end of the ARN.
- We can pass multiple ARNs in bound_iam_principal_arn, which accepts multiple ARNs as a list, i.e. an array.
- Similarly, we can establish a cross-account arrangement in which the user is created in AWS Account A and the trust relationship role and other roles are created in AWS Account B. Clients (in our case, an EC2 instance) will be present in remote accounts, such as AWS Account B or many others.
Solution:-
In order to use wildcards in AWS authentication, we must first define a bound IAM principal ARN. Clients attempting to log in to Vault must have an ARN that matches one of the ARNs bound to the role they are logging in to. The wildcard character is only permitted at the end of the bound ARN.
For example:-
If the bound ARN is arn:aws:iam::123456789012:*, any principal in AWS account 123456789012 could log in. Similarly, if it is arn:aws:iam::123456789012:role/*, every IAM role in that AWS account could log in.
Let's suppose we have the below roles in the AWS account:-
- vault-secondary-role1
- vault-secondary-role2
- vault-secondary-role3
- secondary-role1
- secondary-role2
- aladin-role1
- aladin-role2
If we want to allow only the roles whose names begin with vault-secondary and aladin to log in to Vault using the AWS auth method, we can use the following configuration.
*Note:- All the steps are performed on Vault version 1.14.1
#Here we are enabling the AWS auth method
[ec2-user@vault-ec2 ~]$ vault auth enable aws
#Success! Enabled aws auth method at: aws/
#Here we are passing the SECRET & ACCESS key of the user, which are present in environment variables
[ec2-user@vault-ec2 ~]$ vault write auth/aws/config/client secret_key=$SECRET_KEY access_key=$ACCESS_KEY
#Success! Data written to: auth/aws/config/client
#Here we are setting up the STS endpoint so that Vault assumes the trust relationship role for this account
[ec2-user@vault-ec2 ~]$ vault write auth/aws/config/sts/123456789012 sts_role="arn:aws:iam::123456789012:role/vault-trust-relationship-role"
#Success! Data written to: auth/aws/config/sts/123456789012
#Here we are creating the role named vault-role, which will only allow IAM roles whose names start with vault-secondary and aladin
[ec2-user@vault-ec2 ~]$ vault write auth/aws/role/vault-role auth_type=iam bound_iam_principal_arn="arn:aws:iam::123456789012:role/vault-secondary*, arn:aws:iam::123456789012:role/aladin*" policies=admin
#Success! Data written to: auth/aws/role/vault-role
#Here we are logging in to Vault from the EC2 instance, which has the vault-secondary-role1 role assigned
[ec2-user@vault-ec2 ~]$ vault login -method=aws role=vault-role header_value=http://$VAULT_ADDR:8200
#Success! You are now authenticated. The token information displayed below is already stored in the token helper. You do NOT need to run "vault login" again. Future Vault requests will automatically use this token.
#Key Value
#--- -----
#token hvs.CAESIM2V_KeUlfp06QT5e7pZ8xScN2i4rprbbp6KEMm0YRzqGh4KHGh2cy5oU2ZvTUx1d1h1V0dySVhzR2RiR3RNMHY
#token_accessor Y96PlvFnwwddW7Ctpj68udzL
#token_duration 768h
#token_renewable true
#token_policies ["admin" "default"]
#identity_policies []
#policies ["admin" "default"]
#token_meta_account_id 123456789012
#token_meta_auth_type iam
#token_meta_role_id 2adbfbdd-4052-3389-1f35-b2a0e0987887
#This time we have assigned the secondary-role1 role to the EC2 instance and are trying to log in to Vault again
[ec2-user@vault-ec2 ~]$ vault login -method=aws role=vault-role header_value=http://$VAULT_ADDR:8200
#Error authenticating: Error making API request.
#URL: PUT http://$VAULT_ADDR:8200/v1/auth/aws/login
#Code: 400. Errors:
#* IAM Principal "arn:aws:sts::123456789012:assumed-role/secondary-role1/i-0571686275775f613" does not belong to the role "vault-role"
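To check a candidate bound_iam_principal_arn value against the roles it should admit (and reject) before writing the Vault role, here is an added Python model of the matching rules stated in this article. It is not Vault's own code: the account id, the role list and the instance-id session name are constructed sample values, and the mapping of an assumed-role STS ARN (the shape shown in the error message above) to the IAM role ARN it was assumed from is an assumption made for the model.

```python
"""Dry-run checker for Vault AWS-auth bound_iam_principal_arn values.

Added example, not Vault's own code. It models the rules the article
states: the bound value is a comma-separated list of ARNs, a wildcard is
only allowed as the final character, and an EC2 instance presents an
assumed-role STS ARN that is judged by the IAM role it was assumed from
(assumption, based on the error message in the article).
"""
import re
from typing import Dict, List, Optional

# Constructed sample values mirroring the article's account and role list.
ACCOUNT_ID = "123456789012"
BOUND_VALUE = (
    f"arn:aws:iam::{ACCOUNT_ID}:role/vault-secondary*, "
    f"arn:aws:iam::{ACCOUNT_ID}:role/aladin*"
)
ACCOUNT_ROLES = [
    "vault-secondary-role1", "vault-secondary-role2", "vault-secondary-role3",
    "secondary-role1", "secondary-role2", "aladin-role1", "aladin-role2",
]

# STS ARN shape seen in the article's error message:
#   arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>
_ASSUMED_ROLE = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/]+)/[^/]+$"
)


def parse_bound_arns(value: str) -> List[str]:
    """Split a comma-separated bound_iam_principal_arn value into ARNs and
    reject any entry whose wildcard is not the final character."""
    arns = [item.strip() for item in value.split(",") if item.strip()]
    for arn in arns:
        star = arn.find("*")
        if star != -1 and star != len(arn) - 1:
            raise ValueError(f"wildcard must be the last character: {arn}")
    return arns


def canonical_principal(arn: str) -> str:
    """Map an assumed-role STS ARN to the IAM role ARN it came from; any
    other ARN (for example an IAM user) is returned unchanged."""
    match = _ASSUMED_ROLE.match(arn)
    if match:
        return f"arn:aws:iam::{match['account']}:role/{match['role']}"
    return arn


def matching_bound_arn(bound_arns: List[str], principal_arn: str) -> Optional[str]:
    """Return the bound ARN that admits the principal, or None when the
    principal 'does not belong to the role' (the article's error case)."""
    canonical = canonical_principal(principal_arn)
    for bound in bound_arns:
        if bound.endswith("*"):
            # Trailing wildcard: plain prefix match on everything before it.
            if canonical.startswith(bound[:-1]):
                return bound
        elif canonical == bound:
            return bound
    return None


def check_roles(bound_value: str, role_names: List[str],
                account_id: str = ACCOUNT_ID) -> Dict[str, bool]:
    """Report, per IAM role name, whether an EC2 instance running under that
    role would pass the bound-ARN check. The session name is constructed;
    for an instance profile it is the instance id."""
    bound_arns = parse_bound_arns(bound_value)
    results = {}
    for name in role_names:
        sts_arn = f"arn:aws:sts::{account_id}:assumed-role/{name}/i-0123456789abcdef0"
        results[name] = matching_bound_arn(bound_arns, sts_arn) is not None
    return results


if __name__ == "__main__":
    for role, allowed in check_roles(BOUND_VALUE, ACCOUNT_ROLES).items():
        print(f"{role:25s} {'allowed' if allowed else 'denied'}")
```

Running the script lists the seven roles from the article with the three vault-secondary roles and the two aladin roles allowed and the two secondary roles denied, which is the pair of outcomes the two vault login attempts above show. Because the match is a plain prefix check, a bound ARN such as role/vault-secondary* also admits a role named vault-secondary2-ops, so keep the prefix as specific as the naming convention allows.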
References:-