aws sts vs vault assume role capability


Hound G

Jan 11, 2017, 3:35:03 AM
to Vault
I have Vault running on an instance with the role arn:aws:iam::XXXXXXX:role/VaultRole, and the policy below is attached to the role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        },
        {
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::*:role/*",
            "Effect": "Allow"
        }
    ]
}
I have also added arn:aws:iam::XXXXXXX:role/VaultRole to the trust policy of arn:aws:iam::YYYYYYYYY:role/TestRole.
Through Vault I am able to create assume-role credentials using the commands:
# vault write aws/roles/test-account  arn:aws:iam::YYYYYYYYY:role/TestRole
# vault read aws/sts/test-account 
AWS STS COMMAND
I can achieve the same through this command as well:
# aws sts assume-role --duration-seconds 3600 --role-arn  arn:aws:iam::YYYYYYYYY:role/TestRole  --role-session-name 'hound'

Sorry if it's a stupid comparison, but I am trying to understand the benefit I will get by using Vault. I know we can revoke the creds if I am using Vault, and also get an audit log. Other than this, what other benefit do I get?
Thanks,
Hound
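The VaultRole policy quoted above grants far more than the sts:AssumeRole it needs, so here is a small policy review script (added here, not code from the poster or from Vault) that parses that policy, flags the over-broad statements, and checks a constructed least-privilege alternative scoped to the single TestRole from the question. The SCOPED_POLICY document is hypothetical and only covers the sts use case described in the post.

```python
import json

# Policy attached to VaultRole, copied from the question above (account ids masked as in the post).
VAULT_ROLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Action": "sts:AssumeRole", "Resource": "arn:aws:iam::*:role/*", "Effect": "Allow"}
  ]
}
""")

# Hypothetical least-privilege alternative (constructed here): for the sts use case in the
# question, the Vault role only needs to assume the one target role it hands out.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::YYYYYYYYY:role/TestRole"}
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def review_policy(policy):
    """Return (statement_index, finding) pairs for over-broad Allow statements."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions and "*" in resources:
            findings.append((i, "full admin: Action '*' on Resource '*'"))
        if "sts:assumerole" in actions:
            for res in resources:
                # A wildcard account id lets this role assume any role in any account that trusts it.
                if res == "*" or res.startswith("arn:aws:iam::*:"):
                    findings.append((i, f"sts:AssumeRole on any account: {res}"))
    return findings


if __name__ == "__main__":
    for idx, msg in review_policy(VAULT_ROLE_POLICY):
        print(f"statement {idx}: {msg}")
    print("scoped policy findings:", review_policy(SCOPED_POLICY))
```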

Vishal Nayak

Jan 11, 2017, 4:39:04 AM
to vault...@googlegroups.com
Hi,

To start with, the credentials issued by Vault will be leased
and they get automatically revoked, unless renewed.

Also, the Vault path to create the credentials can have tight access
control mechanisms so only desired users can generate the credentials.

Regards,
Vishal



--
vn

Joel Thompson

Jan 11, 2017, 8:52:03 AM
to vault...@googlegroups.com
Hi Hound,

In many ways, these are similar. In my mind, the key difference is this: AWS sts:AssumeRole takes a set of AWS credentials and returns a different set. Vault AssumeRole takes a Vault token and returns a set of AWS credentials.

So, if you have an existing Vault infrastructure, a way of handing out Vault tokens to instances, and especially existing instances that aren't in an IAM instance profile, then it probably makes more sense to just use Vault's AssumeRole capability.

On the other hand, if you have no existing Vault infrastructure and you have EC2 instances that are already in an IAM instance profile which fits your security requirements, it might not make much sense to build up a brand new Vault infrastructure and worry about how to secure it and issue Vault tokens to instances; it might make more sense to instead just use AWS's native AssumeRole capabilities.

The other important question to ask is: what are the capabilities of the team that would be managing this infrastructure? Do team members know the ins and outs of AWS IAM and how to properly secure it (not an easy task!), and are they consuming CloudTrail logs and know how to consume them? Then it might make sense to use the native sts:AssumeRole. Or do they know Vault well, how to secure Vault, and how to interpret Vault audit logs (MUCH easier, IMHO)? Then it might make more sense to use Vault to control this.

There are a few additional parameters to sts:AssumeRole that Vault doesn't expose, so you could get a little more flexibility by just using that instead of going through Vault, but those could always just be exposed in Vault. I don't see those as important differences for most users, but could be critical for some use cases, such as the ability to set a shorter session duration (AssumeRole lets you optionally choose a session duration of as little as 15 minutes, while Vault is always an hour) or the option to only ask for a subset of the capabilities of the role you're assuming -- just be aware of these differences in case they are important to you.

--Joel
