Help creating an aws/auth/role that can be accessed from multiple aws accounts.


ernest...@twosigmaiq.com

Dec 16, 2017, 10:55:04 AM
to Vault
Hi, 

I am new to Vault. 

$vault write auth/aws/role/dev-role auth_type=iam policies=dev max_ttl=1h 

Error writing data to auth/aws/role/dev-role: Error making API request. 
Code: 400. Errors: 
* at least be one bound parameter should be specified on the role

Two questions:

1. In the case of auth_type=iam, what are the bound_xxx parameters that make sense to use?

2. If I use "bound_iam_principal_arn" wouldn't this limit this role to be used by only one account? I have a bunch of lambdas in different accounts that would like to auth against this role.  

thanks!

Ernesto

Jason Martin

Dec 16, 2017, 11:29:03 AM
to vault...@googlegroups.com
For #2 at least, this bound_iam_principal_arn field accepts only
one value. You'd have to create one role per account, but you
can bind the same policy to all of them.

-Jason Martin

Joel Thompson

Dec 16, 2017, 7:38:55 PM
to vault...@googlegroups.com
Hi Ernesto,

For #1, bound_iam_principal_arn is the only bound_* parameter that is accepted unless you turn on inferencing. If you're using Lambdas, then inferencing isn't something you should use.

For #2, what Jason said is true. One workaround would be to have all your Lambdas call AssumeRole to assume the same role and then use those credentials to authenticate to Vault, but that might also be more complexity than it's worth for your use case.

--Joel


ernest...@twosigmaiq.com

Dec 17, 2017, 11:27:40 AM
to Vault
Thank you both! This was really helpful.

Jonathan Le

Jun 26, 2019, 3:14:40 PM
to Vault
This is a few years later, but this seems to work for me:
  /opt/vault/bin/vault write \
    auth/aws/role/dev-role \
    auth_type=iam \
    policies=example-policy \
    max_ttl=500h \
    bound_iam_principal_arn=arn:aws:iam::383372584635:role/auth-example-role20190626175122610800000005,arn:aws:iam::822220783772:role/AppRoleTestJLE

I kept trying to put a list in bound_iam_principal_arn from the CLI tools, but it just wants a raw comma-separated string.

I have two IAM roles attached to EC2 servers in a Target account (where a VaultAccess assume role is set up) and a Master account (where the Vault cluster is set up).

I'm able to read and write to the Vault cluster using the same "Vault Role + Policy".

Hope I'm doing this right!
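Since the thread turns on what bound_iam_principal_arn will accept (one role per account, passed as a comma-separated string rather than a list), here is an added helper, not from the original thread or from the Vault project, that validates a set of cross-account IAM role ARNs before they go into that field and assembles the vault write command. Account IDs and role names below are constructed placeholders; it rejects wildcards, user and root principals, and duplicates so a typo does not silently widen or break the binding.

```python
import re
import shlex

# Concrete IAM role ARN: arn:<partition>:iam::<12-digit account>:role/<path/name>.
# \w excludes '*', so wildcard principals never match; ',' is excluded from the
# name because Vault uses commas to separate multiple bound ARNs.
_ROLE_ARN = re.compile(r"^arn:(aws|aws-us-gov|aws-cn):iam::(\d{12}):role/([\w+=.@/-]+)$")


def parse_role_arn(arn):
    """Return (account_id, role_name) for a concrete IAM role ARN.

    Raises ValueError for anything else (users, root principals, wildcards,
    malformed strings) so bad input never reaches the Vault role.
    """
    m = _ROLE_ARN.match(arn)
    if not m:
        raise ValueError(f"not a concrete IAM role ARN: {arn!r}")
    return m.group(2), m.group(3)


def bound_principal_value(arns):
    """Validate every ARN and return the comma-separated string that
    bound_iam_principal_arn expects (a raw string, not a list)."""
    seen = set()
    for arn in arns:
        parse_role_arn(arn)
        if arn in seen:
            raise ValueError(f"duplicate principal: {arn}")
        seen.add(arn)
    return ",".join(arns)


def vault_write_command(role_name, policies, max_ttl, arns):
    """Build the `vault write auth/aws/role/<name> ...` command line,
    shell-quoted so it can be copied into a terminal as-is."""
    args = [
        "vault", "write", f"auth/aws/role/{role_name}",
        "auth_type=iam", f"policies={policies}", f"max_ttl={max_ttl}",
        f"bound_iam_principal_arn={bound_principal_value(arns)}",
    ]
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    # Constructed example: one Lambda execution role in each of two accounts.
    sample = ["arn:aws:iam::111111111111:role/lambda-reader",
              "arn:aws:iam::222222222222:role/lambda-reader"]
    print(vault_write_command("dev-role", "dev", "1h", sample))
```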