Expected Outcome
Using these examples as a reference, you can grant the AWS secrets engine the IAM permissions it needs to generate AWS access credentials dynamically based on IAM policies.
Prerequisites
- The AWS secrets engine must already be configured. See the AWS secrets engine documentation.
Procedure
The credentials configured at aws/config/root need permission to manage dynamic IAM users. Below are example AWS IAM policies that grant the permissions Vault commonly needs.
If Resource is not set to *, the list of resources each action applies to must also include the IAM user whose keys are provided to the AWS secrets engine; this is why the example policies below list root-for-vault alongside the vault-root-* users.
Notice: Even though the path used in these examples is aws/config/root, do not use your AWS root account credentials. Instead, create a dedicated IAM user or role for Vault.
This example policy supports rotating the root credentials of the IAM user root-for-vault, whose keys were provided to the aws/config/root path. It also includes the optional permissions-boundary condition, which only allows Vault to create or modify users that carry the vault-aws-permission-boundary boundary:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:GetUser",
"iam:DeleteUser",
"iam:ListAccessKeys",
"iam:ListAttachedUserPolicies",
"iam:ListGroupsForUser",
"iam:ListUserPolicies",
"iam:RemoveUserFromGroup"
],
"Resource": [
"arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/vault-root-*",
"arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/root-for-vault"
]
},
{
"Effect": "Allow",
"Action": [
"iam:AttachUserPolicy",
"iam:CreateUser",
"iam:DeleteUserPolicy",
"iam:DetachUserPolicy",
"iam:PutUserPolicy"
],
"Resource": [
"arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/vault-root-*"
],
"Condition": {
"StringEquals": {
"iam:PermissionsBoundary": [
"arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:policy/vault-aws-permission-boundary"
]
}
}
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:AttachUserPolicy",
"iam:CreateAccessKey",
"iam:CreateUser",
"iam:DeleteAccessKey",
"iam:GetUser",
"iam:DeleteUser",
"iam:DeleteUserPolicy",
"iam:DetachUserPolicy",
"iam:ListAccessKeys",
"iam:ListAttachedUserPolicies",
"iam:ListGroupsForUser",
"iam:ListUserPolicies",
"iam:PutUserPolicy",
"iam:RemoveUserFromGroup"
],
"Resource": [
"arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/vault-root-*",
"arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/root-for-vault"
]
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:GetUser",
"iam:ListAccessKeys"
],
"Resource": [
"arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/root-for-vault"
]
},
{
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:GetUser",
"iam:DeleteUser",
"iam:ListAccessKeys",
"iam:ListAttachedUserPolicies",
"iam:ListGroupsForUser",
"iam:ListUserPolicies",
"iam:RemoveUserFromGroup"
],
"Resource": [
"arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/vault-root-*"
]
},
{
"Effect": "Allow",
"Action": [
"iam:AttachUserPolicy",
"iam:CreateUser",
"iam:DeleteUserPolicy",
"iam:DetachUserPolicy",
"iam:PutUserPolicy"
],
"Resource": [
"arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/vault-root-*"
],
"Condition": {
"StringEquals": {
"iam:PermissionsBoundary": [
"arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:policy/vault-aws-permission-boundary"
]
}
}
}
]
}