To allow Vault to authenticate IAM principals and EC2 instances in other accounts, Vault supports using AWS STS (Security Token Service) to assume AWS IAM roles in other accounts. For each target AWS account ID, you configure the IAM role for Vault to assume at the `auth/aws/config/sts/<account_id>` endpoint, and Vault will use credentials from assuming that role to validate IAM principals and EC2 instances in the target account.

Here are the steps to configure IAM AWS cross-account access:
We are going to be setting up our AWS environment and a dev instance of Vault server to get the cross-account credentials working.
- Two AWS accounts – primary and secondary
- Admin permissions in each AWS account
- The Vault executable
- The AWS CLI
Step 1: Configure the Remote Account
This is the account where you want Vault to create the STS creds. Let's assume its account ID is 310467297045. Then you need to:
- Create an IAM role that you want Vault to assume to generate creds (we'll call it "Role-to-Assume").
- Make sure that Role-to-Assume is allowed the `ec2:DescribeInstances` and `iam:GetInstanceProfile` actions in its AWS policy.
- Make sure that the AWS account where Vault is running is listed as a trusted entity on the Role-to-Assume. Let's assume the account 123456789101. I'll call it the "Master Account" in these steps.
Step 2: Configure the Master Account (where Vault is running)
Make sure that the entity whose credentials are used by Vault is allowed the `sts:AssumeRole` action for the Role-to-Assume role. For example, if Vault has its own user in your Master Account, you could adjust that user's IAM policy to include the following statement (in addition to what's listed for the recommended IAM policy):
```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["sts:AssumeRole"],
    "Resource": ["arn:aws:iam::REMOTE_ACCOUNT_ID:role/Role-to-Assume"]
  }]
}
```
Step 3: Configure the AWS auth method
This step includes the following:
- Configure the STS endpoint with your Remote Account ID and the Role-to-Assume:
```shell
$ vault write auth/aws/config/sts/310467297045 sts_role="arn:aws:iam::310467297045:role/Role-to-Assume"
```
This assumes that 310467297045 is the remote account ID where you want Vault to assume the role and create STS creds.
- Write the role that Vault will use to log in (as in the example with `auth/aws/role/dev-role-iam`). Now that you've set up the Role-to-Assume and configured it at the STS endpoint, this is the endpoint where you associate the login role with a particular set of Vault policies.
Step 4: Test login
To log in, you reference the role created above (dev-role-iam). You can see an example here (make sure to follow the IAM auth type example):
```shell
$ vault write auth/aws/config/client iam_server_id_header_value=vault.example.com
$ vault login -method=aws header_value=vault.example.com role=dev-role-iam
```
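As an added example (not part of the original post or of Vault/AWS tooling), the script below builds the three IAM policy documents that Steps 1 and 2 call for and checks a remote role's trust and permissions policies against what the post requires, so you can review Role-to-Assume before pointing Vault at it. The account IDs are the post's placeholders; the function names are hypothetical.

```python
MASTER_ACCOUNT = "123456789101"   # account where Vault runs (ID used in the post)
REMOTE_ACCOUNT = "310467297045"   # account whose principals Vault must validate (post's ID)
ROLE_NAME = "Role-to-Assume"
REQUIRED_ACTIONS = {"ec2:DescribeInstances", "iam:GetInstanceProfile"}

def trust_policy(master_account):
    """Trust policy on Role-to-Assume (remote account): only the Master Account may assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": f"arn:aws:iam::{master_account}:root"}}]}

def role_permissions_policy():
    """Permissions policy on Role-to-Assume: the two actions the post requires, nothing more."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": sorted(REQUIRED_ACTIONS), "Resource": "*"}]}

def vault_principal_policy(remote_account, role_name):
    """Statement for Vault's own IAM principal in the Master Account (Step 2 of the post)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["sts:AssumeRole"],
        "Resource": [f"arn:aws:iam::{remote_account}:role/{role_name}"]}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_remote_role(trust, perms, master_account):
    """Findings for a remote role's trust + permissions policies; [] means it matches the post."""
    findings = []
    for st in trust["Statement"]:
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        # Principal may be the wildcard string "*" or a dict keyed by "AWS"
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws:
            if p == "*" or f"::{master_account}:" not in p:
                findings.append(f"trust policy admits unexpected principal: {p}")
    allowed = set()
    for st in perms["Statement"]:
        if st.get("Effect") == "Allow":
            allowed.update(_as_list(st.get("Action", [])))
    missing = REQUIRED_ACTIONS - allowed
    if missing:
        findings.append("role lacks required actions: " + ", ".join(sorted(missing)))
    return findings
```

Feed `check_remote_role` the documents you pull back with `aws iam get-role` and `aws iam get-role-policy` to confirm the remote role trusts only the Master Account and carries both actions Vault needs.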