How to generate dynamic secrets for multiple AWS IAM users


Shashi Gokhale

Nov 13, 2018, 6:53:52 AM11/13/18
to Vault
Hello All,

I am using Vault version 0.11.4 on CentOS. I have configured the AWS secrets engine to generate dynamic credentials using the "assumed_role". I generate the credentials using the commands listed below. The credentials are generated successfully and I am able to successfully use them for AWS operations using CLI.
=== 
vault write aws/config/root access_key=AXXXXXXXXXXXXXXXXXXA secret_key=1pcMXXXXXXXXXXXXXXXXXXXXzu8Oh/wkNYCvUxfX region=us-east-1

vault write aws/roles/deploy role_arns=arn:aws:iam::1xxxxxxxxxx5:role/VaultTestRole credential_type=assumed_role

vault write aws/sts/deploy ttl=15m
=== 

Now, I want to create such dynamic secrets for multiple IAM users. If I execute the above commands with the credentials and role_arns of another user, it seems that the credentials and role_arns of the first IAM user are being overwritten. I tried to do the operation for the second IAM user after logging in using a new token created by the 'vault token create' command. I was wondering whether a new token amounts to a new instance, so that there would be separation of secrets between them. However, it emerged that access via both tokens is showing/overwriting the same data.

I searched the documentation, help, etc. but could not figure out a way to make this use case work. Can someone please guide me or provide a hint on how I could configure Vault to be able to generate dynamic secrets for multiple IAM users concurrently?

Kind regards,
Shashi

Joel Thompson

Nov 13, 2018, 10:39:33 AM11/13/18
to vault...@googlegroups.com
Hi Shashi,

You shouldn't need to change the credentials used for aws/config/root each time.

If you would like to generate credentials for different AWS roles, you have two options:

One option is to use different Vault roles, e.g.,

$ vault write aws/roles/deploy1 credential_type=assumed_role role_arns=arn:aws:iam::123456789012:role/Role1

$ vault write aws/roles/deploy2 credential_type=assumed_role role_arns=arn:aws:iam::123456789012:role/Role2

Then you can read them separately, i.e.:

$ vault write aws/sts/deploy1 ttl=15m
$ vault write aws/sts/deploy2 ttl=15m

(Note that the aws/sts path is being deprecated and exists for backwards compatibility; you can just do vault write aws/creds/deploy1 ttl=15m instead).

The other option is you can use a single Vault role that can assume both roles:

$ vault write aws/roles/deploy credential_type=assumed_role role_arns=arn:aws:iam::123456789012:role/Role1,arn:aws:iam::123456789012:role/Role2

If you do this, when you read from the role, you need to specify the specific role ARN:

$ vault write aws/creds/deploy ttl=15m role_arn=arn:aws:iam::123456789012:role/Role1
$ vault write aws/creds/deploy ttl=15m role_arn=arn:aws:iam::123456789012:role/Role2

The difference between the two approaches is that the first allows you to specify access in different Vault policies, i.e., one policy could allow access only to aws/creds/deploy1 and another policy can allow access only to aws/creds/deploy2. You could achieve the second by using the required_parameters in your policies (https://www.vaultproject.io/docs/concepts/policies.html#required_parameters) to require a value for role_arn in writing to aws/creds/deploy, but IMHO, it's a bit messier. If the same clients should get access to both AWS roles, then it's probably simplest to use a single Vault role.

Hope this helps!

--Joel
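The two policy shapes Joel contrasts above, written out as Vault policy HCL. This is an added illustration, not something posted in the thread; the role ARNs are the sample values from the reply, and the allowed_parameters stanza (which pins the permitted role_arn value, whereas required_parameters alone only demands that one be supplied) is a Vault policy feature the thread does not mention.

```hcl
# --- Approach 1: one Vault role per AWS role -------------------------------
# Access is separated purely by path, so each policy names only the creds
# path its clients may use. (Constructed example; a second, independent
# policy for Role2 would look the same with aws/creds/deploy2.)
path "aws/creds/deploy1" {
  capabilities = ["update"]   # allows: vault write aws/creds/deploy1 ttl=15m
}

# --- Approach 2: one Vault role "deploy" listing both ARNs -----------------
# Because the role knows two ARNs, the caller must pass role_arn on every
# read. required_parameters forces the parameter to be present;
# allowed_parameters pins it to exactly one ARN. The empty list for "ttl"
# means any ttl value is accepted. Without allowed_parameters a holder of
# this policy could request credentials for either ARN the role knows.
path "aws/creds/deploy" {
  capabilities        = ["update"]
  required_parameters = ["role_arn"]
  allowed_parameters = {
    "role_arn" = ["arn:aws:iam::123456789012:role/Role1"]
    "ttl"      = []
  }
}
```

Each `path` stanza above belongs in its own policy file; combining them in one policy would grant a single client both routes.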

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/769ab45d-dfa9-41ab-965b-eaee088bbf06%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Shashi Gokhale

Feb 25, 2019, 10:55:35 AM2/25/19
to Vault
Hi Joel,

I don't want to generate credentials for different AWS roles. I want them for different IAM non-root users.

You have suggested ways in which we can create different Vault roles for different IAM roles and then create dynamic tokens using the assumed roles service. I think this assumes that the credential of the AWS root account is configured in the "vault write aws/config/root access_key=AXXXXXXXXXXXXXXXXXXA secret_key=1pcMXXXXXXXXXXXXXXXXXXXXzu8Oh/wkNYCvUxfX region=us-east-1" command.

I am not comfortable setting the credentials of the "actual" root account of the AWS account in this command: "vault write aws/config/root access_key=... secret_key=... region=us-east-1". I rather want to set the access_key and secret_key of individual IAM users for which I wish to generate dynamic keys. When I execute the command "vault write aws/config/root access_key=... secret_key=..." with different IAM users, the earlier value gets overwritten by the later.

Is there some way to configure a single Vault server and the AWS Secrets Engine to generate dynamic tokens for different non-root IAM users? If yes, could you please help?

Kind regards,
Shashi

Stuart Clark

Feb 25, 2019, 11:27:07 AM2/25/19
to Shashi Gokhale, Vault
If you want multiple users you would need to have a different mount for each one. We don't use a real "root" user, but instead create and use one with the superset of the permissions we want Vault to be able to grant.
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Joel Thompson

Feb 27, 2019, 12:44:20 PM2/27/19
to Vault
This is mostly correct -- you need an IAM user with permissions to create other IAM principals and attach policies (it doesn't need to be a superset of the permissions to be granted; AWS permissions are, for the most part, not inherited like this), and I would very, very strongly advise against configuring the root account's credentials in Vault -- the AWS root account should be for emergency break-the-glass use only!

I do want to clarify one point about the AWS Secrets Engine. Vault doesn't just create access keys for the user configured in aws/config/root. Rather, it uses those credentials to generate unique IAM users per lease and returns the credentials for the generated IAM user, and each generated IAM user is given the permissions specified. So you just need one user configured in aws/config/root and that user needs the permissions to create other IAM users.

--Joel

Shashibhushan Gokhale

Feb 28, 2019, 6:31:53 AM2/28/19
to vault...@googlegroups.com
Thanks Joel, Stuart.

To create credentials for different users, I tried to set credentials into aws/config/user1, aws/config/user2, aws/config/user3, but it looks like Vault considers aws/config/root (specifically the last part, "root") to be some special keyword, and so I got errors when I tried user1, user2, user3. How do I use this correctly?

-Shashi


Stuart Clark

Feb 28, 2019, 7:40:22 AM2/28/19
to vault...@googlegroups.com, Shashibhushan Gokhale
On 2019-02-28 11:31, Shashibhushan Gokhale wrote:
> Thanks Joel, Stuart.
>
> To create credentials for different users, I tried to set credentials
> into aws/config/user1, aws/config/user2, aws/config/user3 but looks
> like Vault considers aws/config/root (specifically the last part
> "root") to be some special keyword and so got errors when I tried
> user1, user2, user3. How to correctly use this?
>

As mentioned each AWS mount only supports a single "root user", which is
used to create temporary users as needed.

The normal situation is you'd create different roles for each set of
permissions you need to grant.

You can however have multiple instances of the AWS mount, but that
normally would be to allow for different accounts (for example).


Maybe it would help if you give a bit more details of what you are
trying to achieve (what do you want to end up being able to do)?

Shashibhushan Gokhale

Feb 28, 2019, 8:12:59 AM2/28/19
to Stuart Clark, vault...@googlegroups.com
Hi Stuart,

Following the principle of least privilege, I have reservations about creating and setting the credentials of one IAM user that can acquire multiple IAM roles in aws/config/root. Instead, I have three IAM users, each capable of acquiring only one role. I would like to generate dynamic tokens for the 3 IAM users with the same Vault server.

- Shashi

Stuart Clark

Feb 28, 2019, 8:55:51 AM2/28/19
to vault...@googlegroups.com
On 2019-02-28 13:12, Shashibhushan Gokhale wrote:
> Hi Stuart,
>
> Following the principle of least privilege, I have reservations for
> creating and setting credentials of one IAM user that can acquire
> multiple IAM roles in aws/config/root. Instead, I have three IAM
> users, with each being capable to acquire only one role. I would like
> to generate dynamic tokens for the 3 IAM users with the same Vault
> server.
>

So for that you'd need three AWS mounts.

Shashibhushan Gokhale

May 28, 2019, 10:52:26 AM5/28/19
to vault...@googlegroups.com
Thanks Stuart. We got this working for two different IAM users within the same account using a different AWS engine mount per user. The commands to achieve this are given below (in the hope that they could be a helpful reference to a new user attempting to do the same).

With the same Vault server being used, these are the steps to create dynamic AWS credentials for multiple IAM users.

Get dynamic AWS credentials for iam-user1
==========================================
vault secrets enable -path=iam-user1 aws

vault write iam-user1/config/root access_key=<<access-key-for-iam-user1-user>> secret_key=<<secret-key-for-iam-user1-user>>

vault write iam-user1/roles/deploy role_arns=arn:aws:iam::<<aws-account-number>>:role/IamUser1Role credential_type=assumed_role

vault write iam-user1/creds/deploy ttl=15m


Get dynamic AWS credentials for iam-user2
==========================================
vault secrets enable -path=iam-user2 aws

vault write iam-user2/config/root access_key=<<access-key-for-iam-user2-user>> secret_key=<<secret-key-for-iam-user2-user>>

vault write iam-user2/roles/deploy role_arns=arn:aws:iam::<<aws-account-number>>:role/IamUser2Role credential_type=assumed_role

vault write iam-user2/creds/deploy ttl=15m

