
AWS Secrets Engine Key rotation #4385

Closed
martinssipenko opened this issue Apr 18, 2018 · 5 comments · Fixed by #5140

Comments

@martinssipenko
Contributor

Hi,

Right now as part of configuring AWS Secrets Engine I am setting AWS credentials using access_key and secret_key. These AWS credentials essentially are "root" as they allow Vault to provision users under my AWS account.

What is your view on adding a feature that would:
a) Rotate the root keys at the time of configuration, so that only Vault knows the keys?
b) Perform a periodic root key rotation?

@jefferai
Member

We don't support that now, however, if you're running on AWS it will pick up normal AWS cred chains (environment, credentials file, IAM-provided).

@martinssipenko
Contributor Author

@jefferai I'm aware that it will, however, I don't want to use environment, creds file or IAM, as all three methods expose the creds in some way. I think passing them to Vault explicitly is the most secure option.

I opened this to start a discussion about a new feature, do you think it would make sense?

@jefferai
Member

Sure, but @joelthompson should be a part of the discussion as he's already in the middle of a large overhaul of that engine. To be more specific (a) would make sense but it's not clear if we'd support (b) in any near term.

@jhmartin
Contributor

jhmartin commented Aug 2, 2018

a+b makes a lot of sense -- Vault's entire purpose is to make ephemeral creds simpler, and the creds on which Vault relies also need to be rotated (particularly since they are so powerful). It is less maintenance overhead if Vault can rotate its own AWS credentials. EC2/ECS roles are preferable but a big selling point of the AWS engine is to grant AWS access to things not running in AWS.

joelthompson added a commit to joelthompson/vault that referenced this issue Aug 20, 2018
This allows the AWS Secret Engine to rotate its credentials used to
access AWS. This will only work when the AWS Secret Engine has been
provided explicit IAM credentials via the config/root endpoint, and
further, when the IAM credentials provided are the only access key on
the IAM user associated with the access key (because AWS allows a
maximum of 2 access keys per user).

Fixes hashicorp#4385
@joelthompson
Contributor

I'm very much in love with this idea :) My refactor of the engine has been merged, and so now I'd love to get this feature supported. I've pushed a work-in-progress CR for this at #5140; everyone's feedback is welcome!

vishalnayak pushed a commit that referenced this issue Sep 26, 2018
* Add AWS Secret Engine Root Credential Rotation

This allows the AWS Secret Engine to rotate its credentials used to
access AWS. This will only work when the AWS Secret Engine has been
provided explicit IAM credentials via the config/root endpoint, and
further, when the IAM credentials provided are the only access key on
the IAM user associated with the access key (because AWS allows a
maximum of 2 access keys per user).

Fixes #4385

* Add test for AWS root credential rotation

Also fix a typo in the root credential rotation code

* Add docs for AWS root rotation

* Add locks around reading and writing config/root

And wire the backend up in a bunch of places so the config can get the
lock

* Respond to PR feedback

* Fix casing in error messages

* Fix merge errors

* Fix locking bugs
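The rotation the commit messages describe, as an added Go example that is not Vault's code: the IAM method names, `rootConfig` and the `fakeIAM` test double are assumptions, and the function checks the commit's two preconditions (explicit credentials configured, and those credentials being the user's only access key) before creating the new key, storing it, and deleting the old one.

```go
package main

import (
	"fmt"
	"slices"
)

// Added example, not Vault's code: an assumed IAM subset and a config/root stand-in.
type accessKeyAPI interface {
	ListAccessKeys(user string) []string
	CreateAccessKey(user string) (id, secret string, err error)
	DeleteAccessKey(user, id string) error
}
type rootConfig struct{ IAMUser, AccessKey, SecretKey string }

// rotateRoot creates a fresh key, stores it, then deletes the old one. It refuses unless explicit
// credentials are set and are the user's only key: IAM allows two per user, so one slot must be free.
func rotateRoot(iam accessKeyAPI, cfg *rootConfig) error {
	keys := iam.ListAccessKeys(cfg.IAMUser)
	if cfg.AccessKey == "" || len(keys) != 1 || keys[0] != cfg.AccessKey {
		return fmt.Errorf("need explicit root credentials that are %s's only access key (found %d)", cfg.IAMUser, len(keys))
	}
	newID, newSecret, err := iam.CreateAccessKey(cfg.IAMUser)
	if err != nil {
		return err
	}
	oldID := cfg.AccessKey
	cfg.AccessKey, cfg.SecretKey = newID, newSecret // persist the new key before deleting the old
	return iam.DeleteAccessKey(cfg.IAMUser, oldID)
}

// fakeIAM is a constructed single-user IAM stand-in that enforces the two-key limit.
type fakeIAM struct{ keys []string } // the user argument is accepted and ignored
var keySeq int                       // counter for made-up key ids

func (f *fakeIAM) ListAccessKeys(string) []string { return f.keys }

func (f *fakeIAM) CreateAccessKey(string) (string, string, error) {
	if len(f.keys) >= 2 {
		return "", "", fmt.Errorf("LimitExceeded: 2 access keys per user")
	}
	keySeq++
	id := fmt.Sprintf("AKIAEXAMPLE%d", keySeq) // constructed, not a real key id
	f.keys = append(f.keys, id)
	return id, "secret-for-" + id, nil
}
func (f *fakeIAM) DeleteAccessKey(_, id string) error {
	f.keys = slices.DeleteFunc(f.keys, func(k string) bool { return k == id })
	return nil
}
```

Because the new key is stored before the old one is deleted, a failure on the delete call leaves Vault holding a working credential rather than a revoked one.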