Dynamically Generating AWS IAM Users with Vault
Let’s do a bit of experimentation, shall we? Let’s create IAM users automagically.
- To do this, we need a running Vault, preferably local. I have a local one up and running.
Our goal here is to give EC2 instance management permissions to certain developers, so we need to generate creds for them. Let’s start as below by creating an AWS secrets engine in Vault.
Now that we have our engine, we need to add a role and finish our configuration. The configuration bit is simple: we basically need a new IAM user whose keys are given to Vault so it can create the dynamic users. We can assign admin perms for our tests (and also because I don’t know AWS policies that well), but don’t forget to revoke the vaultuser creds after you are done.
- Move to IAM->Users->Add Users
- Add a user with programmatic access (vaultuser)
- Add administrator perms
- Save the access and secret keys
If you are like me, you most likely forgot to save your keys; you can generate a new set from IAM->Users->vaultuser->Security Credentials->Create Access Key. Don’t forget to delete this key after your tests are done.
We should then place these within the configuration bit like below, and our configuration is done.
Our next step is to create a role which will have the permissions we want to lease. One important thing: we can’t just slap an AWS role onto Vault, so we have to assign a policy. In our case, we wanted to give EC2 instance control, so searching through the policies we can use EC2FullAccess. If you want to modify the policy further, grab the JSON; if not, the Policy ARN arn:aws:iam::aws:policy/AmazonEC2FullAccess will be enough.
Move to the aws secrets engine in Vault, click the Roles tab and select Create Role on the far right. I filled it out as below; you can paste the full policy JSON if you want and modify that as well.
Now when we click create, we can generate creds from AWS immediately like below.
Or we can click on the secrets engine aws and choose our role, then click the big blue button that says generate.
Notice the lease duration (in seconds), which is a long time (changeable), and also check this out: a new IAM user appeared in AWS.
We have an access key and a secret, right? Let’s see if it works.
- Get AWS cli from here and do the PATH things as usual.
- After aws starts responding, type: aws configure. It will ask for your newly generated creds.
- Let’s see if it brings back the instances at least:
aws ec2 describe-instances
Now we have our aws-vault connection up and running. Let’s nuke one of the leases. To do that, we move to the Access tab at the top, select Leases, move down to our new lease and select Revoke from the top right.
After the revoke, the dynamic user generated from Vault has disappeared. How awesome is that? Let’s try describe-instances again.
As awesome as this stuff is, Vault also has an API, and you can just as easily ask for dynamic creds programmatically. Hit the aws/creds/ec2-manager endpoint and see what happens: aws is our engine path, ec2-manager is the role we configured. To use it with curl, we have to include VAULT_TOKEN in the header of our request. VAULT_TOKEN and VAULT_ADDR need to be set as env vars.
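The same flow over the HTTP API, as an added example that is not from the original post: it mirrors the UI steps above (mount the engine, hand it the vaultuser keys, create the ec2-manager role) and then fetches, parses and revokes a lease the way the aws/creds/ec2-manager paragraph describes. It reads VAULT_ADDR and VAULT_TOKEN from the environment and uses the engine path aws and role name ec2-manager from the post; the region us-east-1, the 1h/24h lease settings and the root-key rotation call are my choices for this example, and SAMPLE_CREDS_RESPONSE is a constructed response shape, not real Vault output.

```python
"""Driving the Vault AWS secrets engine over its HTTP API (stdlib only).

Assumptions: VAULT_ADDR and VAULT_TOKEN are exported; the engine is mounted
at "aws" and the role is "ec2-manager" (both from the post). The region and
lease durations below are choices made for this example.
"""
import json
import os
import urllib.request
from dataclasses import dataclass


def vault_request(method, path, body=None):
    """One authenticated call to Vault's /v1 API; returns decoded JSON ({} on 204)."""
    addr = os.environ["VAULT_ADDR"].rstrip("/")
    req = urllib.request.Request(
        f"{addr}/v1/{path}",
        data=json.dumps(body).encode() if body is not None else None,
        method=method,
    )
    # Vault reads the token from the X-Vault-Token header.
    req.add_header("X-Vault-Token", os.environ["VAULT_TOKEN"])
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def configure_engine(root_access_key, root_secret_key, region="us-east-1"):
    """The UI steps from the post: mount, store vaultuser keys, set lease, add role."""
    vault_request("POST", "sys/mounts/aws", {"type": "aws"})
    vault_request("POST", "aws/config/root", {
        "access_key": root_access_key,
        "secret_key": root_secret_key,
        "region": region,
    })
    # The default lease is long; 1h with a 24h ceiling is this example's choice.
    vault_request("POST", "aws/config/lease", {"lease": "1h", "lease_max": "24h"})
    vault_request("POST", "aws/roles/ec2-manager", {
        "credential_type": "iam_user",
        "policy_arns": ["arn:aws:iam::aws:policy/AmazonEC2FullAccess"],
    })
    # Let Vault replace the vaultuser secret key so no copy of it lives outside
    # Vault; the access/secret pair you saved stops working after this.
    vault_request("POST", "aws/config/rotate-root")


@dataclass
class AwsLease:
    lease_id: str
    lease_duration: int  # seconds, as shown in the Vault UI
    access_key: str
    secret_key: str


def parse_creds_response(body):
    """Extract what the AWS CLI needs from a GET aws/creds/<role> response."""
    if "data" not in body or "lease_id" not in body:
        raise ValueError(f"unexpected Vault response, keys: {sorted(body)}")
    data = body["data"]
    return AwsLease(
        lease_id=body["lease_id"],
        lease_duration=int(body["lease_duration"]),
        access_key=data["access_key"],
        secret_key=data["secret_key"],
    )


def get_ec2_manager_creds():
    """Equivalent of clicking Generate on the ec2-manager role."""
    return parse_creds_response(vault_request("GET", "aws/creds/ec2-manager"))


def aws_cli_env(lease):
    """Environment variables the AWS CLI reads, instead of running aws configure."""
    return {
        "AWS_ACCESS_KEY_ID": lease.access_key,
        "AWS_SECRET_ACCESS_KEY": lease.secret_key,
    }


def revoke_lease(lease_id):
    """Revoke the lease; Vault then deletes the dynamic IAM user, as in the post."""
    vault_request("PUT", "sys/leases/revoke", {"lease_id": lease_id})


# Constructed sample of the creds response shape; every value is a placeholder.
SAMPLE_CREDS_RESPONSE = {
    "lease_id": "aws/creds/ec2-manager/EXAMPLE-LEASE-ID",
    "renewable": True,
    "lease_duration": 3600,
    "data": {
        "access_key": "AKIAEXAMPLEKEY000000",
        "secret_key": "EXAMPLE-SECRET-KEY",
        "security_token": None,
    },
}
```

With a running Vault and the two env vars set, calling get_ec2_manager_creds(), passing aws_cli_env(lease) as the environment of an aws ec2 describe-instances run, and then revoke_lease(lease.lease_id) reproduces the whole click-through above; parse_creds_response raises on an error document such as {"errors": [...]} rather than silently handing back empty keys.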
I tried to keep it short and to the point unlike my miles long previous posts. Thanks for reading.