configure multiple root credentials for AWS account in same vault


Hridyesh Pant

Feb 11, 2016, 9:46:06 PM2/11/16
to Vault
I need to configure multiple root credentials in the same Vault. Can I do it with something like this?


./vault write aws/config/root1 access_key=1234  secret_key=***
./vault write aws/config/root2 access_key=4567 secret_key=***

Similarly, I want to set multiple root credentials. As per the Vault doc, below is the command, but what do I need to check, and how do I configure multiple root credentials?

$ vault write aws/config/root \
    access_key=AKIAJWVN5Z4FOFT7NLNA \
    secret_key=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 \
    region=us-east-1

--Thanks
Hridyesh

Vishal Nayak

Feb 11, 2016, 9:52:38 PM2/11/16
to Vault
Hi Hridyesh,

You can certainly use multiple root credentials in the same Vault.

However, you cannot do it in one single mount of the aws backend.

Mount any number of 'aws' backends on different paths and configure each mount with different root credentials.

See $vault mount -h and use the -path option for mounting.

Hope this helps!

Regards,
Vishal

Hridyesh Pant

Feb 11, 2016, 9:56:55 PM2/11/16
to Vault
Wow. Thanks a lot, Vishal.

Hridyesh Pant

Feb 11, 2016, 10:16:37 PM2/11/16
to Vault
Hi Vishal,
I have already run ./vault mount aws for my test environment and set the root key; it's working fine.

Now I'm setting the prod root credential, so I ran the command below:
./vault mount -path prod  aws
Successfully mounted 'aws' at 'prod'!

But when I ran ./vault write aws/config/prod access_key=*** secret_key=**, I got the error below:
Error writing data to aws/config/prod: Error making API request.

Code: 500. Errors:

* unsupported path

I am not getting a very clear idea from the documentation. Could you please suggest what I am missing here?

--Thanks
Hridyesh

Vishal Nayak

Feb 11, 2016, 10:37:23 PM2/11/16
to Vault
Hi Hridyesh,

You should use the new mount path name 'prod' in the API replacing 'aws'.
Try this:
$ vault write prod/config/root access_key=xxx secret_key=yyy

Regards,
Vishal

Hridyesh Pant

Feb 11, 2016, 10:51:16 PM2/11/16
to Vault
I tried that as well:
./vault write prod/aws/config/root access_key=xxx secret_key=yyy
Error writing data to prod/aws/config/root: Error making API request.

Code: 500. Errors:

* unsupported path



whereas the command below passed and says it mounted successfully:
./vault mount -path prod  aws
Successfully mounted 'aws' at 'prod'!

--Thanks
Hridyesh

Hridyesh Pant

Feb 11, 2016, 10:52:33 PM2/11/16
to Vault
Ignore my previous message.
Thanks again, it's working.

Hridyesh Pant

Feb 12, 2016, 2:15:13 AM2/12/16
to Vault
Hi Vishal,
To get a dynamic credential, I need to pass a token value. For now I generated it with the ./vault token-create command and am able to get the credential:
curl -H "X-Vault-Token: 06d4c33c-3d03-d033-b2ca-7ec023f1f9f7" -X GET  http://10.2.12.192:8200/v1/aws/roles/hpant_s3

But doesn't TOKEN_VALUE have root-level permission, and can't it perform all types of operations, like creating any type of IAM role with a policy?

./vault token-create
Key             Value
token           06d4c33c-3d03-d033-b2ca-7ec023f1f9f7
token_duration 0
token_renewable false
token_policies [root]

Do I need to create a second-level token and share it with the user?
Which token value do I need to share with the user so that he can use it in the X-Vault-Token: header?

--Thanks
Hridyesh

Vishal Nayak

Feb 12, 2016, 9:33:14 AM2/12/16
to Vault
Hi Hridyesh,

Yes, the token generated using $vault token-create will have root level permissions and can perform all the privileged tasks.
But, token-create command has options. See $vault token-create -h

Vault provides ACL policies for resource authorization management with various options.

You basically have two things to leverage:
1) Restricting AWS policies on roles to do specific tasks.

2) Controlling the access to these roles by creating Vault policies that can only use specific roles, through 'capabilities' of the policies.
You can create tokens against these policies and issue them.

Note that tokens can be independent or hierarchical. You can revoke individual tokens or revoke the entire tree of tokens as needed.

Regards,
Vishal

Hridyesh Pant

Feb 15, 2016, 12:38:45 AM2/15/16
to Vault
Hi Vishal,
I am not very clear about "Controlling the access to these roles by creating Vault policies that can only use specific roles, through 'capabilities' of the policies."

I created the s3_bucket role with a policy file like below; now I want to create a token value which doesn't have root-level permission but can be used for the role below (s3_bucket) only, so that I can give that TOKEN value to users.
./vault write aws/roles/s3_bucket policy=@s3_policy.json

Could you please give me an example?

--Thanks
Hridyesh

Hridyesh Pant

Feb 15, 2016, 1:31:14 AM2/15/16
to Vault
1. Created IAM role and attached policy:
./vault write aws/roles/s3_bucket policy=@s3_policy.json
2. Created ACL file like below:
cat acl.hcl
path "aws/creds/s3_bucket/*" {
  policy = "read"
}

3. ./vault policy-write s3_bucket acl.hcl to create a policy with the above ACL file.
4. ./vault token-create -policy="s3_bucket" to create a token used only for the s3_bucket role.
5. ./vault auth with the above token value.

But now I am getting errors on everything; could you please help me find where I am wrong? I am looking to create a token which can be used only for the s3_bucket IAM role, not root-level permission.
./vault token-create
Error creating token: Error making API request.

Code: 403. Errors:

Vishal Nayak

Feb 15, 2016, 1:51:47 PM2/15/16
to Vault
Hi Hridyesh,

What you are noticing is expected behavior.

In step 4, you created a token which can only read aws/creds/s3_bucket and nothing more.

In step 5, when you did a $vault auth using this token, this activated the s3_bucket policy and hence you can only do what you authorized the token to do,
i.e. read aws/creds/s3_bucket.
If you try creating a token instead, it will certainly fail.

When vault gets initialized, it will have root-token printed on the screen.
You should use it to re-authenticate as 'root' before you create more tokens for s3_bucket.

The point is, you can create as many tokens as needed using step 4. Just don't 'auth' into them in the meanwhile.

Vishal Nayak

Feb 15, 2016, 2:37:18 PM2/15/16
to Vault
Hi Hridyesh,

Also, I recommend using 'capabilities' while defining policies on paths.
Read the capabilities section here: https://www.vaultproject.io/docs/concepts/policies.html

Regards,
Vishal

Gopi

Dec 26, 2016, 7:28:45 AM12/26/16
to Vault
Hi Vishal,

The only difference I have in my infrastructure is that I am using STS assume role instead of an IAM user (/role).

1. Authenticate as root in vault
2. Create acl.hcl like
path "aws/sts/rolename/*" {
  policy = "read"
}
3. ./vault policy-write sts-policy acl.hcl
4. ./vault token-create policy=sts-policy
5. ./vault auth <new token>
6. export VAULT_TOKEN=<new token>
7. ./vault read aws/sts/rolename
    => This step throws permission denied

But if I set VAULT_TOKEN to the root token and retry step 7, then I can see the temporary token.
Is something missing?

David Adams

Dec 26, 2016, 10:15:14 AM12/26/16
to vault...@googlegroups.com
If you want to read from aws/sts/rolename, you need to specify that path. It's not covered by "aws/sts/rolename/*".

So you probably want:

path "aws/sts/rolename" {
  policy = "read"
}

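The path-matching rule David points out (and the same `aws/creds/s3_bucket/*` versus `aws/creds/s3_bucket` distinction in the earlier s3_bucket policy) as an added, stand-alone Python model of how Vault evaluates policy paths; this is example code, not Vault's own implementation, and it assumes Vault's documented rules that an exact path match wins, that a trailing `*` is a prefix glob, and that the most specific glob wins otherwise. The policy documents are constructed; the legacy `policy = "..."` name expansion is an approximation.

```python
import re

# Constructed sample policies in the two syntaxes seen on this thread:
# legacy `policy = "..."` and the recommended `capabilities = [...]`.
LEGACY_POLICY = '''
path "aws/sts/rolename/*" {
  policy = "read"
}
'''
CAPABILITIES_POLICY = '''
path "aws/sts/rolename" {
  capabilities = ["read"]
}
path "aws/creds/s3_bucket" {
  capabilities = ["read"]
}
'''
_STANZA = re.compile(r'path\s+"([^"]+)"\s*\{([^}]*)\}', re.S)
# Approximate expansion of the legacy policy names into capabilities.
_LEGACY = {"deny": {"deny"}, "read": {"read"},
           "write": {"create", "read", "update", "delete", "list"},
           "sudo": {"create", "read", "update", "delete", "list", "sudo"}}

def parse_policy(text):
    """Return {path_pattern: set_of_capabilities} from a policy document."""
    rules = {}
    for pattern, body in _STANZA.findall(text):
        caps = re.search(r'capabilities\s*=\s*\[([^\]]*)\]', body)
        if caps:
            rules[pattern] = set(re.findall(r'"([^"]+)"', caps.group(1)))
        else:
            name = re.search(r'policy\s*=\s*"([^"]+)"', body).group(1)
            rules[pattern] = _LEGACY[name]
    return rules

def matching_rule(rules, request_path):
    """An exact path wins; otherwise the longest trailing-'*' prefix glob wins.
    'aws/sts/rolename/*' covers 'aws/sts/rolename/x' but not 'aws/sts/rolename'."""
    if request_path in rules:
        return request_path, rules[request_path]
    best = None
    for pattern, caps in rules.items():
        if pattern.endswith("*") and request_path.startswith(pattern[:-1]):
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, caps)
    return best

def allowed(rules, request_path, capability):
    """True only if a rule matches, grants the capability and does not deny."""
    rule = matching_rule(rules, request_path)
    return rule is not None and "deny" not in rule[1] and capability in rule[1]
```

Running the legacy policy through `allowed` reproduces the "permission denied" in step 7, while the exact-path form grants the read and nothing else.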

Gopi

Dec 26, 2016, 4:38:45 PM12/26/16
to Vault
That worked. Thank you!!!