Introduction:
This article covers how to configure Vault Secret Sync to an AWS Secrets Manager destination that lives in a different AWS account from the one running Vault, using IAM cross-account role assumption. The examples below are illustrative: substitute the account IDs, role names and region from your own environment.
Prerequisites:
- Two AWS accounts: one hosts Vault on an EC2 instance (the Vault account) and the other holds the AWS Secrets Manager destination (the Secret Sync account). Two accounts were created for this article.
Vault AWS account ID reference:- 288xxxx6095 (the EC2 instance running the Vault binary lives here)
Secret Sync AWS account ID reference:- 730xxxxx588
Setup:
- Create an IAM permissions policy in the Secret Sync account that grants the read/write actions on AWS Secrets Manager that the sync destination needs (the policy document is not reproduced here). Restrict the actions, and scope the Resource to a secret name prefix rather than all secrets, according to your organization's requirements.
- Create a role in the Secret Sync account, attach that permissions policy to it, and add the Vault account as a trust relationship. The trust policy below trusts the whole Vault account (arn:aws:iam::288xxxx6095:root), which hands the decision about who may assume the role to IAM in the Vault account: any principal there with sts:AssumeRole permission on this role can use it. For production, name the EC2 instance role as the principal and add an sts:ExternalId condition instead of leaving Condition empty.
Role ARN - arn:aws:iam::730xxxxx588:role/test100
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::288xxxx6095:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
- In the Vault account, create the policy "Cross-Account-AssumeRole-policy" and attach it to the EC2 instance role (arn:aws:iam::288xxxx6095:role/role-vault-test-100). It allows that role to assume only the sync role created above; the Resource must match the role ARN you later pass to the sync destination exactly.
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::730xxxxx588:role/test100"
}
}
- In the Vault account, attach the role from the previous step (role-vault-test-100) to the EC2 instance running Vault as its instance profile. Vault will obtain its base AWS credentials from this role.
- Log in to Vault, enable the KV v2 secrets engine and write a test secret:
vault secrets enable -path=secret kv-v2
vault kv put secret/cloud/dev api_key="amazon" key_id="aws"
- Configure the secret sync destination with only the "role_arn" parameter, passing the role created in the Secret Sync account. Because no access_key_id/secret_access_key is given, Vault picks up the EC2 instance role credentials through the standard AWS credential chain and uses them to call sts:AssumeRole on role_arn.
vault write sys/sync/destinations/aws-sm/cloudy role_arn=arn:aws:iam::730xxxxx588:role/test100 region=us-east-1
Key Value
--- -----
connection_details map[region:us-east-1 role_arn:arn:aws:iam::730xxxxx588:role/test100]
name cloudy
type aws-sm
- Configure the association:
vault write sys/sync/destinations/aws-sm/cloudy/associations/set mount="secret" secret_name="cloud/dev"
Key Value
--- -----
associated_secrets map[kv_84dd95cd/cloud/dev:map[accessor:kv_84dd95cd secret_name:cloud/dev sync_status:SYNCED updated_at:2024-05-24T04:23:30.978535458Z]]
store_name cloudy
store_type aws-sm
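The chain above has three pieces that must agree: the Cross-Account-AssumeRole-policy on the EC2 instance role (what the Vault side may assume), the trust policy on test100 (whom the sync side trusts), and the role_arn given to the destination. If any one disagrees with the others, the sync fails with an AccessDenied from STS on AssumeRole, and the Vault-side error does not say which piece is wrong. As an added example that is not code from the article or from Vault, the Python below holds the article's two policies as data, flags the two weak points in the trust policy (account-root principal, empty Condition), produces a tightened version that names the EC2 instance role and requires an sts:ExternalId, and checks that all three pieces refer to the same roles. Account IDs and role names are the article's masked placeholders; the external ID value "vault-sync-demo" is an assumption. If you adopt the external ID, pass the same value in the destination's external_id parameter (confirm the parameter against the sys/sync/destinations/aws-sm API reference for your Vault version).

```python
"""Added example (not code from the article or from Vault): sanity-check the
cross-account chain before configuring the sync destination.
Account IDs and role names are the article's masked placeholders; the
external ID and the hardened trust policy are assumptions for illustration."""
import copy

VAULT_ACCOUNT = "288xxxx6095"   # placeholder, as masked in the article
SYNC_ACCOUNT = "730xxxxx588"    # placeholder, as masked in the article
EC2_ROLE_ARN = f"arn:aws:iam::{VAULT_ACCOUNT}:role/role-vault-test-100"
SYNC_ROLE_ARN = f"arn:aws:iam::{SYNC_ACCOUNT}:role/test100"

# Trust policy on test100 as the article configures it (account root, no Condition).
ARTICLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VAULT_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {},
    }],
}

# Cross-Account-AssumeRole-policy attached to the EC2 instance role in the Vault account.
ARTICLE_ASSUME_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": SYNC_ROLE_ARN},
}


def _as_list(value):
    """IAM lets most fields be a scalar or a list; treat both uniformly."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _assume_statements(policy):
    """Allow statements granting sts:AssumeRole (Statement may be a dict or a list)."""
    return [s for s in _as_list(policy.get("Statement"))
            if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action"))]


def _aws_principals(stmt):
    """Principal may be {"AWS": ...} or the bare string "*"."""
    principal = stmt.get("Principal", {})
    return _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)


def trust_policy_findings(trust_policy):
    """Flag an account-root or wildcard principal (every principal in that account
    with sts:AssumeRole rights may assume the role) and a missing Condition."""
    findings = []
    for stmt in _assume_statements(trust_policy):
        for principal in _aws_principals(stmt):
            if principal == "*" or principal.endswith(":root"):
                findings.append(f"broad principal {principal}")
        if not stmt.get("Condition"):
            findings.append("no Condition (consider sts:ExternalId)")
    return findings


def hardened_trust_policy(trust_policy, caller_role_arn, external_id):
    """Copy of the trust policy restricted to one caller role plus an external ID
    (assumed hardening; the article's policy has neither)."""
    hardened = copy.deepcopy(trust_policy)
    for stmt in _assume_statements(hardened):
        stmt["Principal"] = {"AWS": caller_role_arn}
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return hardened


def chain_findings(assume_policy, trust_policy, ec2_role_arn, destination_role_arn):
    """Check that the Vault-side AssumeRole policy, the sync-side trust policy
    and the role_arn given to the destination all refer to the same roles."""
    findings = []
    allowed = {r for s in _assume_statements(assume_policy) for r in _as_list(s.get("Resource"))}
    if destination_role_arn not in allowed and "*" not in allowed:
        findings.append(f"EC2 role is not allowed to assume {destination_role_arn}")
    ec2_account = ec2_role_arn.split(":")[4]          # ARN field 4 is the account ID
    trusted = {p for s in _assume_statements(trust_policy) for p in _aws_principals(s)}
    if not trusted & {ec2_role_arn, f"arn:aws:iam::{ec2_account}:root", "*"}:
        findings.append(f"{destination_role_arn} does not trust {ec2_role_arn}")
    if destination_role_arn.split(":")[4] == ec2_account:
        findings.append("destination role_arn is in the Vault account, not the sync account")
    return findings


if __name__ == "__main__":
    print(trust_policy_findings(ARTICLE_TRUST_POLICY))
    tightened = hardened_trust_policy(ARTICLE_TRUST_POLICY, EC2_ROLE_ARN, "vault-sync-demo")
    print(chain_findings(ARTICLE_ASSUME_POLICY, tightened, EC2_ROLE_ARN, SYNC_ROLE_ARN))
```

Run it before the vault write step; an empty list from chain_findings means the three ARNs line up, and the tightened policy can be pasted into the role's trust relationship in place of the account-root version. The check is deliberately static (no AWS calls), so it catches the common copy-paste mistakes (wrong account in role_arn, role name typo) without needing credentials.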