The information contained in this article has been verified as up-to-date on the date of the original publication of the article. HashiCorp endeavors to keep this information up-to-date and correct, but it makes no representations or warranties of any kind, express or implied, about the ongoing completeness, accuracy, reliability, or suitability of the information provided.
All information contained in this article is for general information purposes only. Any reliance you place on such information as it applies to your use of your HashiCorp product is therefore strictly at your own risk.
Introduction
This article offers solutions for configuring AWS credentials for the Vault Connect CA provider when Consul authenticates to Vault with the AWS IAM auth method. It covers both the case where credential rotation is required and the case where it is not.
Expected Outcome
By following the solutions provided in this article, users will understand how to configure AWS credentials for the Vault Connect CA provider when using the AWS IAM auth method. They will be able to handle both the case where credential rotation is necessary and the case where it is not, giving Consul reliable and secure access to Vault through the AWS IAM auth method.
Prerequisites
- AWS security credentials with the appropriate policy
- A Vault server with the recommended Vault IAM policy for the AWS auth method
- A connect.json file that is configured with the auth method as AWS
Use Cases
In environments where:
- Vault serves as a centralized platform for managing Consul CA certificates
- It is essential to rotate AWS credentials regularly for security compliance
- Automatic credential rotation is not required or not feasible
- AWS credentials are tightly controlled, with access limited exclusively to the consul user to mitigate the risk of unauthorized access or exposure
Solutions
Solution 1
- Store the credentials file in a secure location where the consul user has read privileges, and point Consul at it with the AWS_SHARED_CREDENTIALS_FILE environment variable in a systemd unit override:
# file: /etc/systemd/system/consul.service.d/override.conf
[Service]
Environment=AWS_SHARED_CREDENTIALS_FILE=/etc/consul.d/credentials
- This method is ideal for scenarios requiring automatic credential rotation: Consul reads the file itself rather than having systemd capture the values at unit start, so a rotated key written to the file can take effect without editing the unit or restarting the service.
- If the credentials file is not directly accessible to the consul user or group, create a hard link or a bind mount to a Consul-readable location:
sudo ln /root/.aws/credentials /etc/consul.d/credentials
- Set the directory ownership to consul:consul with mode 0750 so that only the consul user and group can enter it. The file itself must also be readable by the consul user (for example group consul with mode 0640). Note that a hard link is the same inode as /root/.aws/credentials: it must be on the same filesystem, permission changes on one path apply to both, and a rotation tool that writes a new file and renames it over the old one leaves the link pointing at the stale copy. Rewrite the file in place, or use a bind mount instead.
Solution 2
- Configure a Consul systemd unit file override with the EnvironmentFile option and set it to /root/.aws/credentials:
# file: /etc/systemd/system/consul.service.d/override.conf
[Service]
EnvironmentFile=/root/.aws/credentials
- This approach is suitable when credential rotation is NOT required: systemd reads the file as root when the unit starts, so the consul user needs no access to the file, but a rotated key only takes effect after the consul service is restarted.
- EnvironmentFile expects one VAR=VALUE pair per line, so the file must contain AWS_ACCESS_KEY_ID=... and AWS_SECRET_ACCESS_KEY=... lines rather than the INI [default] profile layout of a standard ~/.aws/credentials file. The values are then part of the Consul process environment (readable by the consul user via /proc/<pid>/environ), so treat the unit's environment as sensitive.
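The following script is an added example, not part of the original article or of Consul itself. It implements Solution 1 (hard link plus AWS_SHARED_CREDENTIALS_FILE drop-in) and Solution 2 (EnvironmentFile drop-in) with every path, owner and group passed as arguments, so it can be dry-run in a scratch directory before touching /root and /etc. The function names, the ini_value helper and the conversion of the INI profile into VAR=VALUE lines for EnvironmentFile are this example's own assumptions; the page itself points EnvironmentFile directly at /root/.aws/credentials and presumes that file is already in that format.

```shell
#!/bin/sh
# Added example (not from the original article or Consul): dry-runnable
# versions of Solution 1 and Solution 2 with paths, owner and group passed
# as arguments. Function names and the INI-to-env conversion are assumptions.
set -eu

# Solution 1: expose the AWS shared credentials file to the consul user via a
# hard link, lock down the directory, and point Consul at it with a systemd
# drop-in. Args: source file, target dir, owner, group, drop-in path.
link_shared_credentials() {
  local src="$1" dir="$2" owner="$3" group="$4" override="$5"
  local dst="$dir/credentials"
  mkdir -p "$dir"
  chown "$owner:$group" "$dir"
  chmod 0750 "$dir"
  # A hard link is the same inode as $src: it must be on the same filesystem,
  # the chgrp/chmod below also apply to $src, and a rotation tool that renames
  # a new file over $src would leave $dst pointing at the stale copy.
  ln -f "$src" "$dst"
  chgrp "$group" "$dst"
  chmod 0640 "$dst"
  mkdir -p "$(dirname "$override")"
  printf '[Service]\nEnvironment=AWS_SHARED_CREDENTIALS_FILE=%s\n' "$dst" > "$override"
}

# Read one key from one [section] of an INI-style AWS credentials file.
# Args: file, section name (without brackets), key. Prints the value or nothing.
ini_value() {
  awk -v sec="[$2]" -v key="$3" '
    $0 == sec { in_sec = 1; next }
    /^\[/     { in_sec = 0 }
    in_sec && index($0, "=") {
      k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
      if (k == key) {
        v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
        print v; exit
      }
    }' "$1"
}

# Solution 2: systemd's EnvironmentFile= wants VAR=VALUE lines, not the INI
# profile layout of ~/.aws/credentials, so render the chosen profile into the
# variables the AWS SDK credential chain reads. systemd reads the result when
# the unit starts, so the consul user needs no access to it, but a rotated key
# only takes effect after the service is restarted.
# Args: source INI file, env file to write, drop-in path, profile (default).
render_env_credentials() {
  local src="$1" envfile="$2" override="$3" profile="${4:-default}"
  local key secret token
  key=$(ini_value "$src" "$profile" aws_access_key_id)
  secret=$(ini_value "$src" "$profile" aws_secret_access_key)
  token=$(ini_value "$src" "$profile" aws_session_token)
  if [ -z "$key" ] || [ -z "$secret" ]; then
    echo "profile $profile has no static access key pair" >&2
    return 1
  fi
  mkdir -p "$(dirname "$envfile")" "$(dirname "$override")"
  (
    umask 077   # env file is created with mode 0600
    {
      printf 'AWS_ACCESS_KEY_ID=%s\n' "$key"
      printf 'AWS_SECRET_ACCESS_KEY=%s\n' "$secret"
      if [ -n "$token" ]; then printf 'AWS_SESSION_TOKEN=%s\n' "$token"; fi
    } > "$envfile"
  )
  printf '[Service]\nEnvironmentFile=%s\n' "$envfile" > "$override"
}
```

For a real host, run as root: link_shared_credentials /root/.aws/credentials /etc/consul.d consul consul /etc/systemd/system/consul.service.d/override.conf for Solution 1, or render_env_credentials /root/.aws/credentials /etc/consul.d/aws.env /etc/systemd/system/consul.service.d/override.conf for Solution 2, then systemctl daemon-reload && systemctl restart consul. To dry-run first, point every argument at a scratch directory and your own user and group, then inspect the resulting modes and drop-in contents.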
Additional Information
Example of a connect.json file (the Vault address is shown with http:// for illustration only; use https:// in production, and make sure header_value matches the iam_server_id_header_value configured on Vault's AWS auth method, if one is set):
{
"Provider": "vault",
"Config": {
"Address": "http://18.232.21.207:8200",
"RootPKIPath": "connect_root",
"IntermediatePKIPath": "connect_inter",
"LeafCertTTL": "72h",
"RotationPeriod": "2160h",
"IntermediateCertTTL": "8760h",
"PrivateKeyType": "rsa",
"PrivateKeyBits": 2048,
"AuthMethod": {
"Type": "aws",
"MountPath": "aws/",
"Params": {
"type": "iam",
"header_value": "http://18.232.21.207:8200",
"role": "iam"
}
}
},
"ForceWithoutCrossSigning": false
}