Example: AWS IAM authentication from ECS


Ed Jackson

Sep 29, 2017, 5:06:59 PM
to Vault
Hi all,

I recently had the need to authenticate to Vault from a Docker container running in Amazon ECS—I needed jobs in AWS Batch to have access to certain Vault secrets. I really wanted to take advantage of the AWS auth backend, which I was already using in other contexts. (Certainly approle could be used in this situation, but I didn't want to mess with the secret ID). I figured I'd share what I came up with.

The EC2 auth method would work if you wanted to allow any container to authenticate with the same permissions, but I wanted to authenticate at the container level rather than the host level.

Here's the procedure I used with the IAM auth method:
  1. Assign an ECS task role, and use that as the bound_iam_principal_arn for your Vault role in the aws backend.
  2. In the ECS container, use the path exposed in the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable to retrieve AWS credentials from 169.254.170.2. (If you're using Python and boto3/botocore, this isn't necessary; it will find them.)
  3. Use those credentials to construct a signed request to the STS GetCallerIdentity function (no need to actually send the request).
  4. Use the headers from the signed request, along with URL and body, to authenticate to Vault as described at https://www.vaultproject.io/api/auth/aws/index.html#login.

Details on how to sign AWS requests, if you really have to do it yourself: http://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html

I hope this saves somebody some time, and please chime in here or on the gist if you have suggestions of how to simplify it.

Ed
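The four steps above, as an added example written for this thread (not Ed's gist and not Vault's or AWS's own code). It does step 3 by hand against the SigV4 signing docs Ed links, using only the Python standard library, so the signed request and the Vault login body can be inspected offline; step 1 is the operator-side `vault write auth/aws/role/<name> auth_type=iam bound_iam_principal_arn=<task role ARN>` and is not in the code. The role name `batch-job`, the credentials, the timestamp and the `vault.example.com` value used for Vault's optional X-Vault-AWS-IAM-Server-ID header are all made-up values for the example; `get_ecs_credentials` and `vault_login` make network calls and only work inside a task with a reachable Vault.

```python
# Added example, not the original poster's code. All identifiers are assumptions.
import base64
import datetime
import hashlib
import hmac
import json
import os
import urllib.request

STS_URL = "https://sts.amazonaws.com/"
STS_HOST = "sts.amazonaws.com"
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"


def get_ecs_credentials():
    """Step 2: read the task-role credentials the ECS agent serves on the
    link-local endpoint. Only works inside an ECS task."""
    rel = os.environ["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"]
    with urllib.request.urlopen("http://169.254.170.2" + rel, timeout=2) as r:
        c = json.load(r)
    return c["AccessKeyId"], c["SecretAccessKey"], c["Token"]


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_get_caller_identity(access_key, secret_key, session_token,
                             amz_date=None, region="us-east-1",
                             vault_server_id=None):
    """Step 3: SigV4-sign a POST to sts:GetCallerIdentity and return
    (url, body, headers). Nothing is sent; Vault replays the request itself.
    amz_date is a basic ISO timestamp such as 20170929T170659Z (default: now)."""
    if amz_date is None:
        amz_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    headers = {
        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
        "Host": STS_HOST,
        "X-Amz-Date": amz_date,
        "X-Amz-Security-Token": session_token,
    }
    if vault_server_id:  # optional: ties the signed request to one Vault cluster
        headers["X-Vault-AWS-IAM-Server-ID"] = vault_server_id
    # Canonical headers: lowercase names, sorted, trimmed values, one per line.
    lowered = sorted((k.lower(), v.strip()) for k, v in headers.items())
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in lowered)
    signed_headers = ";".join(k for k, _ in lowered)
    canonical_request = "\n".join([
        "POST", "/", "",  # method, canonical URI, empty canonical query string
        canonical_headers, signed_headers,
        hashlib.sha256(STS_BODY.encode()).hexdigest(),
    ])
    scope = f"{date_stamp}/{region}/sts/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    key = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    for part in (region, "sts", "aws4_request"):  # derive the signing key
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["Authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}")
    return STS_URL, STS_BODY, headers


def vault_login_payload(role, url, body, headers):
    """Step 4: JSON body for POST /v1/auth/aws/login. Each part is base64;
    headers go in as name -> list of values, the shape Go's http.Header reads."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return {
        "role": role,
        "iam_http_request_method": "POST",
        "iam_request_url": b64(url),
        "iam_request_body": b64(body),
        "iam_request_headers": b64(json.dumps({k: [v] for k, v in headers.items()})),
    }


def vault_login(vault_addr, payload):
    """Send the login and return the client token (network call)."""
    req = urllib.request.Request(vault_addr.rstrip("/") + "/v1/auth/aws/login",
                                 data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as r:
        return json.load(r)["auth"]["client_token"]


def decode_part(payload, key):
    """Inspect one base64 field of the payload as a string."""
    return base64.b64decode(payload[key]).decode()


def decode_headers(payload):
    """Inspect the signed headers as name -> first value."""
    return {k: v[0] for k, v in json.loads(decode_part(payload, "iam_request_headers")).items()}


def demo():
    """Offline run with constructed credentials and a fixed timestamp."""
    url, body, headers = sign_get_caller_identity(
        "AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "FwoGZXIvYXdzEXAMPLE",
        amz_date="20170929T170659Z", vault_server_id="vault.example.com")
    return vault_login_payload("batch-job", url, body, headers)
```

Inside a task the call sequence is `ak, sk, tok = get_ecs_credentials()`, then `sign_get_caller_identity(ak, sk, tok)`, then `vault_login(os.environ["VAULT_ADDR"], vault_login_payload("batch-job", ...))`; `demo()` runs the signing and payload construction with fake credentials so the output can be inspected without AWS or Vault. Because Vault replays the signed request to STS, an expired X-Amz-Date or a mismatched X-Vault-AWS-IAM-Server-ID (if the Vault role or mount requires one) is rejected by Vault, not by your code, so check the time on the container host if logins start failing.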

Jeff Mitchell

Oct 2, 2017, 12:47:18 PM
to Vault
Thanks, Ed!