Basic familiarity with setup of Vault and AWS terminology
Configure cross-account access:
This is where Vault uses the creds from one account to create STS credentials, (https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/prog-services-sts.html), in another account by assuming a role in that account.
Step 1: Configure the Remote account
This is the account where you want Vault to create the STS credentials. For you, let's assume 310467297045. Then you need to:
- Create an IAM role that you want Vault to assume to generate credentials (we'll call it "Role-to-Assume")
- Make sure that Role-to-Assume is allowed the
iam:GetInstanceProfileactions in its AWS policy.
- Make sure that the AWS account where Vault is running is listed as a trusted entity on the Role-to-Assume. Let's assume the account 123456789101. I’ll call it the “Master Account” in these steps.
Step 2: Configure the Master Account(where Vault is Running)
Make sure that the entity whose credentials are used by Vault is allowed the
sts:AssumeRoleaction for the Role-to-Assume role.
For example, if Vault has its own user in your Master account, you could adjust that user's IAM policy to include the following (in addition to what's listed for the recommended IAM policy): https://www.vaultproject.io/docs/auth/aws#recommended-vault-iam-policy
Step 3: Configure the AWS auth method
On this step include following:
- Configure the sts endpoint, https://www.vaultproject.io/api/auth/aws#create-sts-role, with your Remote Account ID and the Role-to-Assume:
vault write auth/aws/config/sts/310467297045 sts_role="arn:aws:iam::310467297045:role/Role-to-Assume"
This is assuming that 310467297045 is the remote account ID where you want Vault to assume the role and create STS creds.
- Write the role that Vault will use to login (as in example with auth/aws/role/dev-role-iam). Now that you've set up the Role-to-Assume and configured it at the sts endpoint. This is the endpoint where you can associate the login role with a particular set of Vault policies.
Step 4: Test login
To log in, you would reference the role created above (dev-role-iam). You can see an example here (make sure to follow the IAM auth type example):
$vault write auth/aws/config/client iam_server_id_header_value=vault.example.com
$vault login -method=aws header_value=vault.example.com role=dev-role-iam