How-to Setup AWS Auth Method Cross Account Access

Avatar
Robert Highley
  • Updated

Prerequisites

Basic familiarity with setup of Vault and AWS terminology

Configure cross-account access:

https://www.vaultproject.io/docs/auth/aws.html#cross-account-access

This is where Vault uses the creds from one account to create STS credentials, (https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/prog-services-sts.html), in another account by assuming a role in that account.

 

Procedures

Step 1: Configure the Remote account

This is the account where you want Vault to create the STS credentials. For you, let's assume 310467297045. Then you need to:

  • Create an IAM role that you want Vault to assume to generate credentials (we'll call it "Role-to-Assume")
  • Make sure that Role-to-Assume is allowed the ec2:DescribeInstances and iam:GetInstanceProfile actions in its AWS policy.
  • Make sure that the AWS account where Vault is running is listed as a trusted entity on the Role-to-Assume. Let's assume the account 123456789101. I’ll call it the “Master Account” in these steps.

Step 2: Configure the Master Account(where Vault is Running)

Make sure that the entity whose credentials are used by Vault is allowed the sts:AssumeRoleaction for the Role-to-Assume role.

For example, if Vault has its own user in your Master account, you could adjust that user's IAM policy to include the following (in addition to what's listed for the recommended IAM policy):  https://www.vaultproject.io/docs/auth/aws#recommended-vault-iam-policy

"Effect": "Allow",

"Action": [

"sts:AssumeRole"

],

"Resource": [

"arn:aws:iam::REMOTE_ACCOUNT_ID:role/Role-to-Assume"

Step 3: Configure the AWS auth method

On this step include following:

vault write auth/aws/config/sts/310467297045 sts_role="arn:aws:iam::310467297045:role/Role-to-Assume"

This is assuming that 310467297045 is the remote account ID where you want Vault to assume the role and create STS creds.

  • Write the role that Vault will use to login (as in example with auth/aws/role/dev-role-iam). Now that you've set up the Role-to-Assume and configured it at the sts endpoint. This is the endpoint where you can associate the login role with a particular set of Vault policies.

Step 4: Test login

To log in, you would reference the role created above (dev-role-iam). You can see an example here (make sure to follow the IAM auth type example):

https://www.vaultproject.io/docs/auth/aws#configure-a-required-x-vault-aws-iam-server-id-header-recommended-

$vault write auth/aws/config/client iam_server_id_header_value=vault.example.com

$vault login -method=aws header_value=vault.example.com role=dev-role-iam

Additional Information

Articles in this section

See more

Related articles