Generating AWS Temporary Roles with HashiCorp Vault: A Step-by-Step Guide

Matías Salinas
Mar 24, 2023


Introduction: The HashiCorp Vault AWS secrets engine generates AWS credentials on demand and revokes them automatically when their lease expires, so a user or application holds access to AWS resources only for a limited period and never keeps a long-lived key. The engine can issue IAM users, assumed-role sessions, or federation tokens; this article uses the iam_user credential type. It walks you through setting up these temporary credentials (the "temporary roles" of the title) with Vault, including how to configure their time-to-live (TTL).

Prerequisites: To follow this guide, you will need:

  • An AWS account with administrative privileges.
  • A running HashiCorp Vault instance and a Vault token allowed to enable and configure the AWS secrets engine.
  • Basic knowledge of AWS IAM and HashiCorp Vault.

Step 1: Configure AWS IAM Permissions

Before Vault can create credentials on your behalf, the AWS identity it uses needs IAM permissions to do so. Create an IAM policy with the following statements:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachUserPolicy",
        "iam:CreateAccessKey",
        "iam:CreateUser",
        "iam:DeleteAccessKey",
        "iam:DeleteUser",
        "iam:DeleteUserPolicy",
        "iam:DetachUserPolicy",
        "iam:GetUser",
        "iam:ListAccessKeys",
        "iam:ListAttachedUserPolicies",
        "iam:ListGroupsForUser",
        "iam:ListUserPolicies",
        "iam:PutUserPolicy",
        "iam:AddUserToGroup",
        "iam:RemoveUserFromGroup",
        "iam:CreateRole",
        "iam:UpdateRole",
        "iam:ListRoles",
        "iam:DeleteRole"
      ],
      "Resource": [
        "arn:aws:iam::<account_id>:user/vault-*",
        "arn:aws:iam::<account_id>:role/vault-*"
      ]
    }
  ]
}

This policy lets the caller manage IAM users, their access keys and policies, and IAM roles, but only for principals whose names start with "vault-", which is the prefix Vault gives the IAM users it creates by default. The user actions (iam:CreateUser, iam:CreateAccessKey and so on) are evaluated against user ARNs, so the Resource element must include the user/vault-* ARN; a policy scoped only to role/vault-* would deny every user operation and credential generation would fail. Attach this policy to the IAM user whose access key you will give to Vault in Step 2.

Note: this policy grants more permissions than the iam_user credential type needs; the role actions are included because the policy will be reused in future examples for temporary users. Trim it to the minimum set according to the principle of least privilege.

Step 2: Configure HashiCorp Vault

Enable the AWS secrets engine with the following command in the Vault CLI:

$ vault secrets enable aws

Then give the secrets engine the AWS access key ID and secret access key of the IAM user from Step 1, the identity Vault will use to create credentials:

$ vault write aws/config/root access_key=<AWS_ACCESS_KEY_ID> secret_key=<AWS_SECRET_ACCESS_KEY> region=<AWS_REGION>

Two caveats. Typing the key on the command line leaves it in your shell history; if Vault itself runs on AWS you can omit access_key and secret_key and let it pick up credentials from the instance profile or task role. Whichever way the key is supplied, have Vault rotate it straight afterwards through the aws/config/rotate-root endpoint, so that the only copy of the root key lives inside Vault and the one you typed no longer works.

Step 3: Create a Role in HashiCorp Vault

A Vault role maps a name to the AWS permissions that every credential generated under it will carry. Create one by running the following command in the Vault CLI (note that there is no backslash after <<EOF: the heredoc body must start on the next line, otherwise the shell joins the first line of JSON onto the command and the write fails):

$ vault write aws/roles/my-role \
    credential_type=iam_user \
    policy_document=-<<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
EOF

This command creates a role named "my-role" whose credentials are IAM users carrying an inline policy that grants full access to every S3 resource. That is deliberately broad for the demonstration; in practice scope Action and Resource down to the buckets and operations the consumer actually needs.

For the iam_user credential type the TTL is not a parameter of the role: it is the lease that Vault attaches to each credential, and Vault deletes the IAM user when that lease expires or is revoked. Set the default and maximum lease for the engine with the following command. For instance, to issue credentials with a 30-minute TTL that can be renewed up to a maximum of 1 hour, run:

$ vault write aws/config/lease lease=30m lease_max=1h

With this setting every credential issued by the engine lives for 30 minutes unless it is renewed, and can never be extended beyond one hour in total. (For the STS-backed credential types, assumed_role and federation_token, the session duration is set per role with the default_sts_ttl and max_sts_ttl parameters instead.)

Step 4: Generate AWS Temporary Credentials

Generate temporary AWS credentials by running the following command in the Vault CLI:

$ vault read aws/creds/my-role

This creates a fresh IAM user named with the vault- prefix, attaches the role's policy to it, creates an access key, and returns the access key ID and secret access key together with a lease_id and lease_duration. Two practical caveats: IAM is eventually consistent, so a freshly issued key can be rejected for a few seconds before it starts working, and the key is not time-limited by AWS itself; it stops working only because Vault deletes the user when the lease ends. If a credential leaks before then, revoke its lease explicitly (vault lease revoke <lease_id>) rather than waiting for expiry.

You can also read credentials through the HTTP API with any Vault token whose policy grants read on aws/creds/my-role:

$ curl \
    --header "X-Vault-Token: <VAULT_TOKEN>" \
    --request GET \
    "$VAULT_ADDR/v1/aws/creds/my-role"

VAULT_ADDR includes the scheme and should be an https:// URL. The response is a JSON object whose data field holds the access key ID and secret access key (security_token is null for iam_user credentials) alongside the lease_id, lease_duration and renewable fields.
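As an added example (not code from the original post), the following Python script shows the API-side view of Steps 3 and 4: it builds the JSON body that POST /v1/aws/roles/<name> expects (policy_document is a JSON string nested inside the JSON body, an easy thing to get wrong), flags wildcard grants in the policy before it is submitted, and turns the response of GET /v1/aws/creds/<role> into environment variables for the AWS CLI or SDK while checking the lease against a caller-side budget. It runs offline: the two Vault responses embedded below are constructed samples using the AWS documentation example key pair, not output captured from a server, and the 3600-second budget and the role names are assumptions.

```python
"""Added example (not from the original post): the API-side view of the
Vault AWS secrets engine flow. Runs offline; the Vault responses below are
constructed samples shaped like the real API output."""
import json
import time
from typing import Dict, List, Optional

VALID_CREDENTIAL_TYPES = ("iam_user", "assumed_role", "federation_token")

# Constructed sample of GET /v1/aws/creds/my-role for credential_type=iam_user.
# The keys are the AWS documentation example pair, not real credentials.
SAMPLE_IAM_USER_RESPONSE = json.dumps({
    "request_id": "00000000-0000-0000-0000-000000000000",
    "lease_id": "aws/creds/my-role/AbCdEfGhIjKlMnOp",
    "renewable": True,
    "lease_duration": 1800,
    "data": {
        "access_key": "AKIAIOSFODNN7EXAMPLE",
        "secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "security_token": None,
    },
})

# Constructed sample for an STS-backed role (assumed_role): same shape, but
# with a session token and a lease that cannot be renewed.
SAMPLE_ASSUMED_ROLE_RESPONSE = json.dumps({
    "request_id": "00000000-0000-0000-0000-000000000001",
    "lease_id": "aws/creds/my-sts-role/QrStUvWxYzAbCdEf",
    "renewable": False,
    "lease_duration": 3600,
    "data": {
        "access_key": "ASIAIOSFODNN7EXAMPLE",
        "secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "security_token": "FwoGZXIvYXdzEXAMPLE",
    },
})


def build_role_payload(policy: dict, credential_type: str = "iam_user") -> Dict[str, str]:
    """Body for POST /v1/aws/roles/<name>.

    Vault takes policy_document as a *string* containing JSON, not as a nested
    object, so the policy is serialised before it is placed in the body.
    """
    if credential_type not in VALID_CREDENTIAL_TYPES:
        raise ValueError(f"unknown credential_type {credential_type!r}")
    return {
        "credential_type": credential_type,
        "policy_document": json.dumps(policy, separators=(",", ":")),
    }


def _as_list(value) -> list:
    """IAM allows a scalar or an array for Statement, Action and Resource."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> List[str]:
    """Return findings for Allow statements that grant wildcard access.

    Vault accepts "s3:*" on Resource "*" without complaint; this check is
    where least privilege gets enforced before the role is written.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        broad_action = any(a == "*" or a.endswith(":*") for a in actions)
        if "*" in resources and broad_action:
            findings.append(f"statement {i}: wildcard action {actions} on Resource '*'")
        elif "*" in resources:
            findings.append(f"statement {i}: Resource '*'; scope to specific ARNs")
    return findings


def creds_to_env(response_json: str, max_lease_seconds: int,
                 now: Optional[float] = None) -> dict:
    """Turn a creds response into AWS_* variables plus lease bookkeeping.

    Refuses a lease longer than the caller's budget: if this fires, the
    engine's aws/config/lease (or the role's max_sts_ttl) is set too high.
    """
    resp = json.loads(response_json)
    lease = int(resp["lease_duration"])
    if lease > max_lease_seconds:
        raise ValueError(f"lease of {lease}s exceeds budget of {max_lease_seconds}s")
    data = resp["data"]
    env = {
        "AWS_ACCESS_KEY_ID": data["access_key"],
        "AWS_SECRET_ACCESS_KEY": data["secret_key"],
    }
    # Only STS-backed types carry a session token; iam_user credentials do not,
    # so AWS_SESSION_TOKEN is exported only when Vault actually returned one.
    if data.get("security_token"):
        env["AWS_SESSION_TOKEN"] = data["security_token"]
    issued_at = time.time() if now is None else now
    return {
        "env": env,
        "lease_id": resp["lease_id"],  # hand to `vault lease revoke` to kill it early
        "renewable": bool(resp.get("renewable")),
        "expires_at": issued_at + lease,
    }


if __name__ == "__main__":
    policy = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
    for finding in lint_policy(policy):
        print("WARN", finding)
    print(json.dumps(build_role_payload(policy), indent=2))
    for sample in (SAMPLE_IAM_USER_RESPONSE, SAMPLE_ASSUMED_ROLE_RESPONSE):
        result = creds_to_env(sample, max_lease_seconds=3600)
        print(result["lease_id"], sorted(result["env"]))
```

Run it as-is and it warns about the S3 wildcard from Step 3, prints the role body you would POST, and shows that the iam_user sample yields only the two key variables while the assumed_role sample also yields AWS_SESSION_TOKEN. Lower the budget below 3600 to see the lease check reject the STS sample.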

Conclusion

We have seen how to set up short-lived AWS credentials with HashiCorp Vault, including how to configure their TTL. By letting Vault generate credentials on demand and delete them when the lease ends, you give users and applications granular access to AWS resources for a limited period, which shrinks the window in which a leaked key is useful and gives you one place to revoke access. In future posts, we will explore how to integrate HashiCorp Vault with other tools like Kubernetes and Terraform.
