michaelkosir/vault-aws-auth-examples

# HashiCorp Vault AWS Auth Examples

## Overview

This repository contains various examples of AWS workloads leveraging HashiCorp Vault via the AWS Auth method.

- Lambda (Vault AWS Lambda Extension)
- Lambda (SDK/Library)
- EC2

## Multi Account

To allow Vault to authenticate IAM principals and EC2 instances in other AWS accounts, Vault assumes an IAM role in each of those accounts. For each target account ID, configure the role Vault should assume at `auth/aws/config/sts/<account_id>`; Vault then uses the credentials obtained by assuming that role to validate IAM principals and EC2 instances in that account.
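The following is an added example (not code from this repository or from HashiCorp) that models the two decisions behind the paragraph above for the `iam` auth type: the account ID in the caller's ARN selects which `auth/aws/config/sts/<account_id>` role Vault assumes to look the principal up (falling back to its own client credentials, which cannot resolve principals in a foreign account), and the caller's STS assumed-role ARN is normalised to the IAM role ARN before it is compared with the Vault role's `bound_iam_principal_arn`. The account IDs, role names and session names are constructed placeholders, and the fallback behaviour assumes the default `resolve_aws_unique_ids=true`.

```python
"""Simplified model of Vault AWS auth (auth_type=iam) credential selection and
principal matching. Added example; not code from michaelkosir/vault-aws-auth-examples.
All account IDs and ARNs below are constructed placeholders."""
import re
from dataclasses import dataclass

ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):(?P<service>iam|sts)::(?P<account>\d{12}):(?P<resource>.+)$"
)


def parse_arn(arn: str) -> dict:
    """Split an IAM/STS principal ARN into partition, service, account and resource."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM/STS principal ARN: {arn}")
    return m.groupdict()


def canonical_iam_arn(arn: str) -> str:
    """arn:aws:sts::ACCT:assumed-role/ROLE/SESSION -> arn:aws:iam::ACCT:role/ROLE.

    Session names may themselves contain '/' (Lambda uses e.g. 2024/01/01/[$LATEST]...),
    so the resource is split at most twice."""
    p = parse_arn(arn)
    parts = p["resource"].split("/", 2)
    if p["service"] == "sts" and parts[0] == "assumed-role" and len(parts) >= 2:
        return f"arn:{p['partition']}:iam::{p['account']}:role/{parts[1]}"
    return arn  # IAM users and plain role ARNs are already canonical


@dataclass
class AwsAuthMount:
    home_account: str  # account owning the credentials under auth/aws/config/client
    sts_roles: dict    # account_id -> sts_role ARN, i.e. auth/aws/config/sts/<account_id>
    roles: dict        # Vault role name -> bound_iam_principal_arn

    def credentials_for(self, principal_arn: str) -> str:
        """Return the sts_role ARN Vault assumes for the caller's account, or
        'client' when it uses its own credentials (home account, or no sts entry)."""
        account = parse_arn(principal_arn)["account"]
        if account == self.home_account:
            return "client"
        return self.sts_roles.get(account, "client")

    def principal_matches(self, role_name: str, principal_arn: str) -> bool:
        """Compare the canonical ARN with the bound ARN; a trailing '*' is a prefix wildcard."""
        bound = self.roles[role_name]
        canonical = canonical_iam_arn(principal_arn)
        if bound.endswith("*"):
            return canonical.startswith(bound[:-1])
        return canonical == bound

    def can_login(self, role_name: str, principal_arn: str) -> bool:
        """A foreign-account principal needs an sts entry for its account before the
        bound-ARN comparison can even be made (Vault's own credentials cannot look
        up roles or users in another account)."""
        foreign = parse_arn(principal_arn)["account"] != self.home_account
        if foreign and self.credentials_for(principal_arn) == "client":
            return False  # missing auth/aws/config/sts/<account_id>
        return self.principal_matches(role_name, principal_arn)


# Constructed configuration: Vault lives in 111111111111 and can assume a
# lookup role in 222222222222; nothing is configured for 333333333333.
DEMO = AwsAuthMount(
    home_account="111111111111",
    sts_roles={"222222222222": "arn:aws:iam::222222222222:role/vault-aws-auth-lookup"},
    roles={
        "demo-lambda": "arn:aws:iam::111111111111:role/demo-lambda-aws-auth",
        "demo-ec2-other-account": "arn:aws:iam::222222222222:role/demo-ec2-aws-auth",
        "any-in-home-account": "arn:aws:iam::111111111111:*",
    },
)

if __name__ == "__main__":
    caller = "arn:aws:sts::111111111111:assumed-role/demo-lambda-aws-auth/2024/01/01/[$LATEST]abc123"
    print(canonical_iam_arn(caller), DEMO.credentials_for(caller), DEMO.can_login("demo-lambda", caller))
```

Running the script shows the Lambda session ARN collapsing to the role ARN, the home-account lookup using Vault's own client credentials, and the login being accepted for `demo-lambda`; swap the account ID for one without an `sts` entry and `can_login` is false regardless of the bound ARN.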

## Usage

### Infrastructure Setup

```shell
git clone ...
cd ./vault-aws-auth-examples/tf
terraform apply
```

### AWS Auth Setup

```shell
export VAULT_ADDR=$(terraform output -raw vault_addr)
export VAULT_TOKEN=$(terraform output -raw vault_token)
# Account that owns the demo-* IAM roles referenced in the bound ARNs below.
export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)

vault status

vault auth list

vault secrets list

vault secrets enable -version=2 kv

vault kv put kv/demo/engineering/app01 \
  hello=world \
  foo=bar \
  uuid=$(uuidgen) \
  random=$RANDOM

vault kv put kv/demo/engineering/app02 \
  username=$(uuidgen) \
  password=$(base64 < /dev/urandom | head -c 64)

vault secrets enable transit

vault write transit/keys/app02 type=rsa-4096

vault auth enable aws

# No explicit AWS credentials: Vault uses the credentials of the instance it runs on.
vault write -f auth/aws/config/client

vault policy write app01 - <<EOF
path "kv/data/demo/engineering/app01" {
  capabilities = ["read"]
}
EOF

vault policy write app02 - <<EOF
path "kv/data/demo/engineering/app02" {
  capabilities = ["read"]
}
path "transit/encrypt/app02" {
  capabilities = ["update"]
}
EOF

# Lambda max timeout is 900 seconds (15 minutes), so a token never needs to outlive 1000s.
vault write auth/aws/role/demo-lambda \
  auth_type="iam" \
  bound_iam_principal_arn="arn:aws:iam::$AWS_ACCOUNT_ID:role/demo-lambda-aws-auth" \
  token_ttl="1000s" \
  token_max_ttl="1000s" \
  token_policies="app01"

# EC2: renew daily, re-authenticate monthly.
vault write auth/aws/role/demo-ec2 \
  auth_type="iam" \
  bound_iam_principal_arn="arn:aws:iam::$AWS_ACCOUNT_ID:role/demo-ec2-aws-auth" \
  token_ttl="24h" \
  token_max_ttl="30d" \
  token_policies="app02"
```

### AWS Lambda

```shell
# manual (SDK/library login inside the function)
aws lambda invoke --function-name demo-lambda-manual-aws-auth /dev/stdout | jq

# extension (Vault AWS Lambda Extension)
aws lambda invoke --function-name demo-lambda-extension-aws-auth /dev/stdout | jq
```
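What the "manual" Lambda (and, internally, the extension) has to send to `auth/aws/login` for the `demo-lambda` role is a SigV4-signed `sts:GetCallerIdentity` request, base64-encoded so Vault can replay it against STS and learn the caller's identity. The block below is an added example, not code from this repository or from HashiCorp's SDKs; it builds that payload with the standard library only, so it runs offline. The access key, secret, session token, timestamp and the `X-Vault-AWS-IAM-Server-ID` value are constructed placeholders, and `demo_payload`/`decode_payload` are helpers for the example rather than any Vault API.

```python
"""Build the login payload for Vault's AWS auth method (auth_type=iam) offline.

Added example; not code from michaelkosir/vault-aws-auth-examples or HashiCorp.
A Lambda using an SDK signs POST sts:GetCallerIdentity with its execution-role
credentials and hands Vault the method, URL, body and headers, each base64-encoded.
Credentials and timestamp are constructed placeholders."""
import base64
import datetime as dt
import hashlib
import hmac
import json

STS_URL = "https://sts.amazonaws.com/"
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"
REGION = "us-east-1"  # the global STS endpoint is signed with the us-east-1 scope
DEMO_TIME = dt.datetime(2024, 1, 1, 12, 0, 0, tzinfo=dt.timezone.utc)  # fixed for reproducibility


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret_key: str, date: str) -> bytes:
    """SigV4 signing key: HMAC chain over date, region, service, 'aws4_request'."""
    key = _hmac(("AWS4" + secret_key).encode(), date)
    key = _hmac(key, REGION)
    key = _hmac(key, "sts")
    return _hmac(key, "aws4_request")


def sign_get_caller_identity(access_key, secret_key, session_token, now, server_id=None):
    """Headers of a SigV4-signed POST sts:GetCallerIdentity (names lowercase, as SigV4 canonicalises them)."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = now.strftime("%Y%m%d")
    headers = {
        "content-type": "application/x-www-form-urlencoded; charset=utf-8",
        "host": "sts.amazonaws.com",
        "x-amz-date": amz_date,
    }
    if session_token:  # present for role credentials such as a Lambda execution role
        headers["x-amz-security-token"] = session_token
    if server_id:  # must be part of the signed headers when the Vault role enforces iam_server_id_header_value
        headers["x-vault-aws-iam-server-id"] = server_id
    signed = sorted(headers)
    canonical_headers = "".join(f"{name}:{headers[name]}\n" for name in signed)
    signed_headers = ";".join(signed)
    payload_hash = hashlib.sha256(STS_BODY.encode()).hexdigest()
    canonical_request = "\n".join(["POST", "/", "", canonical_headers, signed_headers, payload_hash])
    scope = f"{date}/{REGION}/sts/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    signature = hmac.new(signing_key(secret_key, date), string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


def vault_login_payload(role, access_key, secret_key, session_token, now, server_id=None):
    """JSON body for POST auth/aws/login; header values are JSON lists, which Vault accepts."""
    headers = sign_get_caller_identity(access_key, secret_key, session_token, now, server_id)
    header_json = json.dumps({name: [value] for name, value in headers.items()})
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return {
        "role": role,
        "iam_http_request_method": "POST",
        "iam_request_url": b64(STS_URL),
        "iam_request_body": b64(STS_BODY),
        "iam_request_headers": b64(header_json),
    }


def decode_payload(payload):
    """Undo the encoding the way the server side must: (method, url, body, headers)."""
    d = lambda s: base64.b64decode(s).decode()
    headers = {k: v[0] for k, v in json.loads(d(payload["iam_request_headers"])).items()}
    return payload["iam_http_request_method"], d(payload["iam_request_url"]), d(payload["iam_request_body"]), headers


def demo_payload():
    """Payload for the demo-lambda role using constructed credentials (a real Lambda reads them from its environment)."""
    return vault_login_payload(
        role="demo-lambda",
        access_key="AKIAEXAMPLEEXAMPLE",
        secret_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        session_token="IQoJb3JpZ2luX2VjEXAMPLE",
        now=DEMO_TIME,
        server_id="vault.example.internal",
    )


if __name__ == "__main__":
    print(json.dumps(demo_payload(), indent=2))
```

The payload never carries the secret key: Vault only receives the signed request and forwards it to STS, which returns the caller's ARN if the signature is valid. Binding `iam_server_id_header_value` on the Vault role and signing `X-Vault-AWS-IAM-Server-ID` ties a signed request to one Vault cluster, so a captured payload cannot be replayed against a different Vault during the SigV4 validity window.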

### AWS EC2

```shell
aws ssm start-session --target $(terraform output -raw demo_ec2_id)
sudo cloud-init status --wait

# Vault Agent: authenticates with the instance role and renders the secret to disk.
sudo systemctl start vault-agent && sudo journalctl -u vault-agent
sudo ls -al /run/vault
sudo cat /run/vault/secret

# Vault Proxy: local listener that injects the instance's Vault token into requests.
sudo systemctl start vault-proxy && sudo journalctl -u vault-proxy
export VAULT_ADDR=http://localhost:8100
vault write transit/encrypt/app02 plaintext=$(echo "secret message" | base64 -w0)

exit
```
