Introduction
The AWS auth method in HashiCorp Vault provides an automated mechanism to retrieve a Vault token for IAM principals and AWS EC2 instances. This allows users to authenticate with Vault using their AWS credentials.
Here are some key points about the AWS auth method in HashiCorp Vault:
- The AWS auth method requires the following resources in AWS:
  - An IAM policy that permits the appropriate access for the auth method
  - An IAM user with programmatic access
  - One or more roles that will be assigned to other AWS services requiring authentication to Vault
- The AWS auth method can use external X.509 certificates as part of TLS or signature validation.
- Starting in Vault 1.12, only the pkcs7 login flow with the AWS /rsa2048 signature endpoint credentials will work by default due to the deprecation of SHA-1-based signatures.
- The AWS auth method has a full HTTP API that can be used to interact with it.
Important: Please send a request to HashiCorp Support to obtain the AWS Account ID of the HashiCorp Cloud Platform (HCP) Vault cluster; that Account ID is needed for the cross-account setup described below.
Steps:
Here's an example of how to achieve the Vault AWS authentication method for cross-account access.
Step 1) For this example, let's assume that we have two AWS accounts: the Primary AWS account with an account ID of 111111111111 and the Secondary AWS account with an account ID of 222222222222.
Step 2) First, create the role trust-relationship-for-primary-aws-and-vault in the Secondary AWS Account ID 222222222222 and add a trust relationship for the Primary AWS Account, where the Vault server runs.
Note: In this example, I have installed Vault on an EC2 instance in the Primary AWS Account; in the case of HCP Vault, however, the HCP Vault Account ID must be trusted instead.
Trust relationship when the Vault Server is installed on an EC2 instance with Primary AWS Account ID 111111111111:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:user/vault-primary"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
OR
Trust relationship when using HCP Vault:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:user/aws-iamuser-for-vault-authmethod"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::HCP_VAULT_ID:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalArn": "arn:aws:iam::HCP_VAULT_ID:role/HCP-Vault-2b601ff4-54f0-4b4f-b415-c6986c06d5a4-Vault Node"
        }
      }
    }
  ]
}
This policy, secondary-account-role-policy, will be attached to the IAM role trust-relationship-for-primary-aws-and-vault.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "iam:GetInstanceProfile",
        "iam:GetUser",
        "iam:GetRole"
      ],
      "Resource": "*"
    }
  ]
}
Step 3) Log in to the Primary AWS Account ID 111111111111 and create the IAM user that will assume the role in the Secondary AWS account.
Step 4) Create a user vault-primary in the Primary AWS Account ID 111111111111.
-> Select the radio button "I want to create an IAM user".
-> Select the checkbox "Provide user access to the AWS Management Console - optional".
-> Select the radio button "Custom password" and provide the custom password.
-> Uncheck "Users must create a new password at next sign-in".
-> Attach the policy (named vault-primary-policy) to the user.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "iam:GetInstanceProfile",
        "iam:GetUser",
        "iam:GetRole"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::222222222222:role/trust-relationship-for-primary-aws-and-vault"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sts:GetFederationToken"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ManageOwnAccessKeys",
      "Effect": "Allow",
      "Action": [
        "iam:CreateAccessKey",
        "iam:DeleteAccessKey",
        "iam:GetAccessKeyLastUsed",
        "iam:GetUser",
        "iam:ListAccessKeys",
        "iam:UpdateAccessKey"
      ],
      "Resource": "arn:aws:iam::*:user/vault-primary"
    }
  ]
}
Step 5) Create the Access Key and Secret Access Key for the user vault-primary created above; any use case may be selected.
Step 6) For the purposes of this example, the Vault Server is installed in the Primary AWS Account ID 111111111111 in an EC2 instance named vault-public with public access.
Step 7) Create two Vault clients in the Secondary AWS account as EC2 instances named client1 and client2 and install the Vault CLI on them. These clients will be used to log in to the Vault server vault-public in the Primary AWS Account.
Step 8) Create two roles in the Secondary AWS Account ID 222222222222, named vault-secondary-role1 and secondary-role2, using the policy JSON below.
Policy Name: secondary-account-role-policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "iam:GetInstanceProfile",
        "iam:GetUser",
        "iam:GetRole"
      ],
      "Resource": "*"
    }
  ]
}
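The trust policy from Step 2 and the secondary-account-role-policy from Step 8 are the two documents that decide who can reach the cross-account role and what it can do once assumed. The following added example (not part of the original article and not HashiCorp code) audits both: it lists every principal an Allow statement lets call sts:AssumeRole, flags principals outside an expected set of accounts, flags an account-root principal that carries no Condition (the HCP variant in Step 2 restricts root with aws:PrincipalArn), and compares the permissions policy against the four read-only actions the auth method needs. The embedded JSON is a constructed copy of the page's policies; the allowed-account set is an assumption you would replace with your own.

```python
import json

# Constructed copy of the Step 2 trust policy (EC2-hosted Vault variant), embedded to run offline.
TRUST_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [
  { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111111111111:user/vault-primary" },
    "Action": "sts:AssumeRole", "Condition": {} },
  { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" },
    "Action": "sts:AssumeRole" } ] }
""")

# Constructed copy of secondary-account-role-policy from Step 8.
ROLE_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [
  { "Effect": "Allow",
    "Action": [ "ec2:DescribeInstances", "iam:GetInstanceProfile", "iam:GetUser", "iam:GetRole" ],
    "Resource": "*" } ] }
""")

# The read-only calls the Vault AWS auth method makes in the secondary account.
VAULT_REQUIRED_ACTIONS = {
    "ec2:DescribeInstances", "iam:GetInstanceProfile", "iam:GetUser", "iam:GetRole",
}


def _as_list(value):
    """IAM allows a string or a list in Action/Principal fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def assume_role_principals(trust_policy):
    """Yield (principal_type, principal_value, has_condition) for every Allow of sts:AssumeRole."""
    found = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        has_condition = bool(stmt.get("Condition"))
        if principal == "*":
            found.append(("*", "*", has_condition))
            continue
        for ptype, values in principal.items():
            for value in _as_list(values):
                found.append((ptype, value, has_condition))
    return found


def audit_trust_policy(trust_policy, allowed_accounts):
    """Return human-readable findings; an empty list means every AssumeRole grant looks expected."""
    findings = []
    for ptype, value, has_condition in assume_role_principals(trust_policy):
        if value == "*":
            findings.append("wildcard principal may assume the role")
        elif ptype == "AWS":
            # arn:aws:iam::ACCOUNT:... -> ACCOUNT ; a bare account id is also valid here
            account = value.split(":")[4] if value.startswith("arn:") else value
            if account not in allowed_accounts:
                findings.append(f"unexpected account {account} in {value}")
            if value.endswith(":root") and not has_condition:
                findings.append(f"account root {value} allowed without a Condition")
    return findings


def audit_role_policy(policy):
    """Actions granted beyond what the auth method needs, and required ones that are missing."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            granted.update(_as_list(stmt.get("Action", [])))
    return {
        "extra": sorted(granted - VAULT_REQUIRED_ACTIONS),
        "missing": sorted(VAULT_REQUIRED_ACTIONS - granted),
    }


if __name__ == "__main__":
    # Assumed set of accounts that should be able to assume the role.
    print(audit_trust_policy(TRUST_POLICY, {"111111111111"}))
    print(audit_role_policy(ROLE_POLICY))
```

Run the audit whenever the trust policy or the role policy is edited; the HCP trust policy in Step 2 passes only because its root principal is paired with the aws:PrincipalArn condition, which is exactly the check that would catch an unconditioned `:root` grant slipping in later.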
Step 9) Unseal the Vault server installed in the Primary AWS Account ID 111111111111 and create a policy in the root namespace named admin, which grants admin privileges.
Step 10) Enable the aws auth method and configure it as shown:
# Export the access key and secret key of the IAM user vault-primary before running these commands
export ACCESS_KEY_OF_THE_USER_VAULT_PRIMARY="<access key of vault-primary>"
export SECRET_KEY_OF_THE_USER_VAULT_PRIMARY="<secret key of vault-primary>"
vault login <ROOT_TOKEN>
vault auth enable aws
vault write auth/aws/config/client access_key=$ACCESS_KEY_OF_THE_USER_VAULT_PRIMARY secret_key=$SECRET_KEY_OF_THE_USER_VAULT_PRIMARY
vault write auth/aws/config/sts/222222222222 sts_role="arn:aws:iam::222222222222:role/trust-relationship-for-primary-aws-and-vault"
Create the role with the name vault-role. Two patterns are passed so that IAM roles whose names start with vault-secondary or with secondary can log in to the Vault server.
Note: The wildcard (*) is only permitted at the end of bound_iam_principal_arn.
vault write auth/aws/role/vault-role auth_type=iam bound_iam_principal_arn="arn:aws:iam::222222222222:role/vault-secondary*, arn:aws:iam::222222222222:role/secondary*" policies=admin
OR
If you want to create two separate roles in Vault instead, they can be created as follows:
vault write auth/aws/role/vault-role1 auth_type=iam bound_iam_principal_arn="arn:aws:iam::222222222222:role/vault-secondary*" policies=admin
vault write auth/aws/role/vault-role2 auth_type=iam bound_iam_principal_arn="arn:aws:iam::222222222222:role/secondary*" policies=admin
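The wildcard rule above is easy to get wrong, and it helps to see exactly which IAM role a pattern admits. With auth_type=iam, the identity Vault sees from sts:GetCallerIdentity for an EC2 instance role is an assumed-role session ARN (arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION); Vault maps that to the IAM role ARN and, when a bound_iam_principal_arn ends in `*`, does a prefix match against it. The following added example (not from the article or from Vault's code base) is a simplified model of that matching for the three Vault roles defined in Step 10: it rejects a wildcard anywhere but the end, canonicalises the caller ARN, and reports which Vault roles a caller would be eligible for. Role names and session ids in the tests are constructed; real Vault additionally resolves non-wildcard ARNs to IAM unique ids, which this model omits.

```python
import re

# Vault roles as configured in Step 10 (both the combined vault-role and the split pair).
VAULT_ROLES = {
    "vault-role": [
        "arn:aws:iam::222222222222:role/vault-secondary*",
        "arn:aws:iam::222222222222:role/secondary*",
    ],
    "vault-role1": ["arn:aws:iam::222222222222:role/vault-secondary*"],
    "vault-role2": ["arn:aws:iam::222222222222:role/secondary*"],
}

ASSUMED_ROLE_RE = re.compile(r"arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+")
IAM_PRINCIPAL_RE = re.compile(r"arn:aws:iam::(\d{12}):(user|role)/[^/]+")


def is_valid_bound_arn(pattern):
    """bound_iam_principal_arn may contain '*' only as its final character."""
    return "*" not in pattern[:-1]


def canonical_role_arn(caller_arn):
    """Map an STS assumed-role session ARN to the IAM role ARN the bound patterns are written
    against; IAM user/role ARNs are already canonical."""
    match = ASSUMED_ROLE_RE.fullmatch(caller_arn)
    if match:
        account, role_name = match.groups()
        return f"arn:aws:iam::{account}:role/{role_name}"
    if IAM_PRINCIPAL_RE.fullmatch(caller_arn):
        return caller_arn
    raise ValueError(f"unsupported principal ARN: {caller_arn}")


def arn_matches(pattern, canonical_arn):
    """Exact match, or prefix match when the pattern ends with '*'."""
    if not is_valid_bound_arn(pattern):
        raise ValueError(f"wildcard only permitted at the end: {pattern}")
    if pattern.endswith("*"):
        return canonical_arn.startswith(pattern[:-1])
    return canonical_arn == pattern


def roles_for_caller(caller_arn, roles=VAULT_ROLES):
    """Names of the Vault roles whose bound_iam_principal_arn admits this caller."""
    canonical = canonical_role_arn(caller_arn)
    return sorted(
        name for name, patterns in roles.items()
        if any(arn_matches(p, canonical) for p in patterns)
    )


if __name__ == "__main__":
    # Constructed session ARNs of the kind client1 and client2 would present.
    for arn in (
        "arn:aws:sts::222222222222:assumed-role/vault-secondary-role1/i-0123456789abcdef0",
        "arn:aws:sts::222222222222:assumed-role/secondary-role2/i-0fedcba9876543210",
    ):
        print(arn, "->", roles_for_caller(arn))
```

The model makes the page's note concrete: a role in a different account, or a role name such as secondary-role2 against the vault-secondary* pattern, is rejected by the prefix check, while a pattern like role/*-secondary is refused outright because its wildcard is not at the end.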
Step 11) Assign the IAM roles created in the Secondary AWS Account ID 222222222222 to the clients: attach vault-secondary-role1 to the client1 EC2 instance and secondary-role2 to the client2 EC2 instance.
Step 12) From either client, test logging in to Vault.
Client1 & Client2
vault login -method=aws role=vault-role header_value=http://$VAULT_ADDR:8200
If you want to log in with the separate roles vault-role1 and vault-role2, log in as follows:
Client1
vault login -method=aws role=vault-role1 header_value=http://$VAULT_ADDR:8200
Client2
vault login -method=aws role=vault-role2 header_value=http://$VAULT_ADDR:8200
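Behind `vault login -method=aws`, the client does not send its AWS credentials to Vault. It builds an sts:GetCallerIdentity request, signs it with AWS Signature Version 4 using the instance role's temporary credentials, and posts the method, URL, body and headers (each base64-encoded) to auth/aws/login; Vault then replays that signed request to STS and reads the caller's ARN from the response, which is what the bound_iam_principal_arn check is applied to. The header_value parameter in the commands above becomes the X-Vault-AWS-IAM-Server-ID header, which is included in the signed headers so that a request captured for one Vault server cannot be replayed against another. The following added example (not part of the article and not HashiCorp's client code) builds that login payload with the standard library only. The access key, secret key, server id and timestamp are constructed placeholders; the STS host, region and body are the defaults the global STS endpoint uses.

```python
import base64
import datetime
import hashlib
import hmac
import json

# The fixed STS request that the Vault IAM login flow signs (sts:GetCallerIdentity).
STS_URL = "https://sts.amazonaws.com/"   # global endpoint; a regional STS endpoint changes host and REGION
STS_HOST = "sts.amazonaws.com"
REGION = "us-east-1"
SERVICE = "sts"
BODY = "Action=GetCallerIdentity&Version=2011-06-15"

# Constructed, non-functional credentials and a fixed clock so the output is reproducible.
EXAMPLE_ACCESS_KEY = "AKIACONSTRUCTEDKEY00"
EXAMPLE_SECRET_KEY = "constructed-secret-not-a-real-key"
EXAMPLE_TIME = datetime.datetime(2024, 1, 2, 3, 4, 5, tzinfo=datetime.timezone.utc)


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret_key, date_stamp):
    """SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    k = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    k = _hmac(k, REGION)
    k = _hmac(k, SERVICE)
    return _hmac(k, "aws4_request")


def build_login_payload(access_key, secret_key, role, server_id, when, session_token=None):
    """Return the JSON body a client posts to auth/aws/login for auth_type=iam."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    # Headers that take part in the signature, lower-cased as SigV4 canonicalisation requires.
    headers = {
        "content-type": "application/x-www-form-urlencoded; charset=utf-8",
        "host": STS_HOST,
        "x-amz-date": amz_date,
        "x-vault-aws-iam-server-id": server_id,   # what header_value supplies on the CLI
    }
    if session_token:                              # present for instance-role (temporary) credentials
        headers["x-amz-security-token"] = session_token
    signed_names = sorted(headers)
    canonical_headers = "".join(f"{name}:{headers[name].strip()}\n" for name in signed_names)
    signed_headers = ";".join(signed_names)
    payload_hash = hashlib.sha256(BODY.encode()).hexdigest()
    # Canonical request: method, URI, query string (empty), headers, signed header list, body hash.
    canonical_request = "\n".join(["POST", "/", "", canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    signature = hmac.new(signing_key(secret_key, date_stamp),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    # Vault expects the header map with list values, JSON-encoded and then base64-encoded.
    wire_headers = {
        "Content-Type": [headers["content-type"]],
        "Host": [STS_HOST],
        "X-Amz-Date": [amz_date],
        "X-Vault-AWS-IAM-Server-ID": [server_id],
        "Authorization": [authorization],
    }
    if session_token:
        wire_headers["X-Amz-Security-Token"] = [session_token]
    return {
        "role": role,
        "iam_http_request_method": "POST",
        "iam_request_url": base64.b64encode(STS_URL.encode()).decode(),
        "iam_request_body": base64.b64encode(BODY.encode()).decode(),
        "iam_request_headers": base64.b64encode(json.dumps(wire_headers).encode()).decode(),
    }


def example_payload(server_id="vault.example.internal"):
    """Payload for the Step 12 login of client1 against vault-role1, with constructed inputs."""
    return build_login_payload(EXAMPLE_ACCESS_KEY, EXAMPLE_SECRET_KEY, "vault-role1",
                               server_id, EXAMPLE_TIME)


def decode_headers(payload):
    return json.loads(base64.b64decode(payload["iam_request_headers"]))


def decode_body(payload):
    return base64.b64decode(payload["iam_request_body"]).decode()


if __name__ == "__main__":
    print(json.dumps(example_payload(), indent=2))
```

Two details matter when reading Vault's audit log or debugging a failed login: the signature covers the server-id header, so changing header_value changes the Authorization value, and the request is only valid for the short SigV4 clock window, which is why a stale captured payload is rejected by STS when Vault replays it. If iam_server_id_header_value is set on auth/aws/config/client, Vault refuses logins whose signed headers omit X-Vault-AWS-IAM-Server-ID; the commands in Step 12 always send it, which is the safer habit.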