Introduction
This guide provides step-by-step instructions on how to access a HashiCorp Vault Dedicated instance from an AWS Lambda function and retrieve the session token upon successful login using the Vault API.
Expected Outcome
By following this guide, you will be able to:
- Authenticate your AWS Lambda function with HashiCorp Vault Dedicated using AWS IAM credentials.
- Retrieve a session token from Vault upon successful login.
- Use the session token to access secrets stored in Vault from within your Lambda function.
Prerequisites
- HashiCorp Vault Dedicated instance with AWS authentication method enabled.
- AWS Lambda function with appropriate IAM role configured.
- Network connectivity between AWS Lambda and HCP Vault Dedicated (e.g., VPC peering or TGW).
- AWS SDK for Python (boto3) and the requests library available to the Lambda function (boto3 ships with the Lambda Python runtime; requests must be packaged with the function or provided through a layer).
- Vault address, role, and other configuration details set as environment variables in Lambda.
Use Case
This guide is useful for scenarios where you need to securely access secrets stored in HashiCorp Vault from an AWS Lambda function, leveraging AWS IAM for authentication.
Procedure
Step 1: Set up HCP Vault Dedicated with AWS Auth Method enabled:
vault auth enable aws
Step 2: Configure the AWS credentials Vault itself uses to call STS and IAM. HCP Vault Dedicated runs outside your AWS account, so it cannot pick up credentials from instance metadata; use an IAM user with only the read permissions the auth method needs (such as iam:GetRole):
vault write auth/aws/config/client access_key=<AWS_ACCESS_KEY> secret_key=<AWS_SECRET_KEY> region=<AWS_REGION>
Step 3: Create a role in Vault that maps the IAM role of your Lambda function to Vault policies. For auth_type=iam the binding parameter is bound_iam_principal_arn; because it is a role ARN, the credentials from Step 2 need iam:GetRole so Vault can resolve the role to its unique ID:
vault write auth/aws/role/<role-name> auth_type=iam bound_iam_principal_arn=<IAM_ROLE_ARN> policies=<vault-policy> max_ttl=500h
Step 4: Set Up AWS Lambda Function:
Write a Lambda function in Python that uses the AWS SDK (boto3) and the requests library to authenticate with Vault and retrieve the session token.
Set Up Environment Variables in AWS Lambda
Set up the following environment variables in your AWS Lambda function:
- VAULT_ADDR: The URL of your HCP Vault Dedicated instance.
- VAULT_ROLE: The Vault role for the Lambda function.
- VAULT_NAMESPACE: (Optional) The namespace within HCP Vault Dedicated (typically admin on HCP Vault Dedicated).
- REGION: The AWS region of your Lambda function, used to sign the STS request.
Create a Python Function for Authentication
Use the following Python function to authenticate with HCP Vault Dedicated and retrieve the session token:
import os
import base64
import boto3
import botocore.session
import requests
from botocore.awsrequest import AWSRequest
from botocore.auth import SigV4Auth

# The STS call Vault replays on our behalf to learn which IAM principal we are.
STS_BODY = 'Action=GetCallerIdentity&Version=2011-06-15'


def get_iam_identity():
    # Diagnostic only: shows the principal the function runs as, which is what
    # Vault compares against the role's bound_iam_principal_arn.
    sts_client = boto3.client('sts')
    return sts_client.get_caller_identity()


def create_signed_request(url, region, service, body=''):
    # Sign the STS GetCallerIdentity request with the Lambda role's temporary
    # credentials. SigV4Auth adds X-Amz-Date, Authorization and, for temporary
    # credentials, X-Amz-Security-Token. The secret key itself is never sent.
    session = botocore.session.get_session()
    credentials = session.get_credentials().get_frozen_credentials()
    request = AWSRequest(
        method='POST',
        url=url,
        data=body,
        headers={'Content-Type': 'application/x-www-form-urlencoded; charset=utf-8'}
    )
    SigV4Auth(credentials, service, region).add_auth(request)
    return request.url, dict(request.headers.items()), body


def lambda_handler(event, context):
    try:
        iam_identity = get_iam_identity()
        print(f"IAM Identity: {iam_identity}")

        vault_url = f"{os.environ['VAULT_ADDR']}/v1/auth/aws/login"
        region = os.environ['REGION']
        # Vault forwards the signed request to STS, so the signed URL must be an
        # STS endpoint, not the Vault login URL.
        sts_url = f"https://sts.{region}.amazonaws.com/"
        signed_url, signed_headers, signed_body = create_signed_request(sts_url, region, 'sts', STS_BODY)

        auth_payload = {
            'role': os.environ['VAULT_ROLE'],
            'iam_http_request_method': 'POST',
            'iam_request_url': base64.b64encode(signed_url.encode()).decode(),
            'iam_request_body': base64.b64encode(signed_body.encode()).decode(),
            'iam_request_headers': signed_headers
        }
        headers = {'Content-Type': 'application/json', 'accept': '*/*'}
        namespace = os.environ.get('VAULT_NAMESPACE')
        if namespace:
            headers['X-Vault-Namespace'] = namespace

        response = requests.post(vault_url, json=auth_payload, headers=headers, timeout=10)
        if not response.ok:
            print(f"Vault login failed ({response.status_code}): {response.text}")
            response.raise_for_status()
        # Log only the outcome: a successful response body carries the client token.
        print(f"Vault login succeeded ({response.status_code})")
        return response.json()
    except Exception as e:
        print(f"An error occurred: {e}")
        return {
            'statusCode': 500,
            'body': f"An error occurred: {e}"
        }
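To make explicit what the login request above actually carries to Vault, here is an added example, not part of this guide or of HashiCorp's code, that builds the same auth/aws/login payload with only the standard library by doing the SigV4 signing by hand. It uses constructed credentials and a fixed timestamp so the output is reproducible; the function names (sign_get_caller_identity, build_vault_login_payload, demo_login_request) are hypothetical.

```python
import base64
import datetime as dt
import hashlib
import hmac
import json

STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"
CONTENT_TYPE = "application/x-www-form-urlencoded; charset=utf-8"

def sign_get_caller_identity(access_key, secret_key, session_token, region, when):
    """SigV4-sign POST https://sts.<region>.amazonaws.com/ for sts:GetCallerIdentity.
    'when' is a UTC datetime passed in so the result is reproducible in tests."""
    host = f"sts.{region}.amazonaws.com"
    amz_date, date_stamp = when.strftime("%Y%m%dT%H%M%SZ"), when.strftime("%Y%m%d")
    headers = {"content-type": CONTENT_TYPE, "host": host, "x-amz-date": amz_date}
    if session_token:  # Lambda always runs on temporary credentials, so this is set
        headers["x-amz-security-token"] = session_token
    signed_names = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join(["POST", "/", "", canonical_headers, signed_names,
                                   hashlib.sha256(STS_BODY.encode()).hexdigest()])
    scope = f"{date_stamp}/{region}/sts/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()  # derive the date/region/service signing key
    for part in (date_stamp, region, "sts", "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    # Only the signature leaves this function; the secret key is never sent to Vault.
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_names}, Signature={signature}")
    return f"https://{host}/", headers

def build_vault_login_payload(role, url, headers):
    """Shape the signed request the way POST /v1/auth/aws/login expects it."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return {"role": role,
            "iam_http_request_method": "POST",
            "iam_request_url": b64(url),
            "iam_request_body": b64(STS_BODY),
            "iam_request_headers": b64(json.dumps(headers))}

def demo_login_request():
    """Constructed credentials and a fixed timestamp (not real AWS keys)."""
    url, headers = sign_get_caller_identity(
        "AKIAEXAMPLEKEY000000", "EXAMPLEsecretkeyNOTREAL", "FQoGZXIvYXdzEXAMPLEtoken",
        "us-east-1", dt.datetime(2024, 1, 1, 12, 0, 0))
    return url, headers, build_vault_login_payload("lambda-role", url, headers)
```

Vault base64-decodes the three fields, replays the request against the STS host in iam_request_url, and compares the returned principal with the role's binding, which is why a wrong URL or a missing X-Amz-Security-Token header fails the login.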
Step 5: Deploy and Test the Lambda Function
- Deploy the Lambda function:
  - Ensure the Lambda function has the necessary permissions to call the AWS STS service.
  - Deploy the Lambda function with the environment variables set.
- Test the Lambda function:
  - Trigger the Lambda function and check the logs to ensure it successfully authenticates with Vault and retrieves a session token.
Additional Information
- HashiCorp Vault Documentation
- AWS SDK for Python (boto3) Documentation
- Vault AWS Authentication Method
By following these steps, you will have a Lambda function that can securely authenticate with HCP Vault Dedicated and retrieve session tokens to access secrets.