
AWS secret engine endpoint to get STS identity #7448

Closed
beornf opened this issue Sep 9, 2019 · 4 comments

Comments

@beornf

beornf commented Sep 9, 2019

The AWS secret backend has no way to retrieve the default account ID which is required in the role_arns and policy_arns parameters such as arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/RoleNameToAssume.

For my use case I would like to create an AWS assumed role without IAM credentials on the client as these would be fully managed by Vault IAM roles. This means I can't call GetCallerIdentity which would return the AWS account ID before calling Vault.

A new GET endpoint /aws/config/identity that returns details of the Vault IAM role would be helpful. Alternatively a way to parameterize the role_arns and policy_arns with the Vault assigned AWS account ID would alleviate the need to hard code the account ID.

@joelthompson
Contributor

Hey @beornf I'm struggling to understand the use case here. The only time you need the role ARN is when you're a Vault operator, and I would expect Vault operators to know the AWS account IDs of the roles they are providing access to. Further, the role to be assumed doesn't even need to be in the same AWS account as the Vault server's "default" credentials as AWS allows cross-account role assumption.

Can you elaborate a bit more on your use case?

@beornf
Author

beornf commented Sep 11, 2019

The use case is a Vault operator managing multiple Vault servers in multiple AWS accounts with role credentials. The Vault operator knows the AWS account ID associated with each Vault server; I was just thinking it would be nice to inspect this within Vault. Let me know if I'm way off base here @joelthompson.

@joelthompson
Contributor

Hey @beornf -- I have a separate PR open (#7245) which would return any explicitly configured access key. You could then use the new-ish sts:GetAccessKeyInfo to find out the account ID that the access key belongs to. And if there is no explicitly configured access key, then you know Vault is getting its credentials from something ambient in the environment (e.g., IAM instance profile, ECS task role, or possibly static creds in ~/.aws/credentials) and you have a higher probability Vault is using something in the same account. Might that accomplish your goal?
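The workaround described above (read the access key Vault is configured with, resolve its owning account with sts:GetAccessKeyInfo, then template role_arns from that account instead of hard-coding it), scripted as an added example that is not part of this thread or of Vault's own code. It assumes the vault and aws CLIs are installed and authenticated, the secrets engine is mounted at aws/, and a Vault version in which reading aws/config/root returns the access_key field (the capability the PR mentioned above provides); the Vault role name deploy and the IAM role RoleNameToAssume are placeholders.

```shell
#!/bin/sh
# Added example, not Vault's own code. Assumes authenticated `vault` and `aws` CLIs,
# the AWS secrets engine mounted at "aws/", and that reading aws/config/root
# returns access_key. "deploy" and "RoleNameToAssume" are placeholder names.
set -eu

# Validate a 12-digit AWS account ID (no hyphens, as the role ARN format requires).
is_account_id() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the ARN that role_arns expects from an account ID and an IAM role name.
build_role_arn() {
  is_account_id "$1" || { echo "invalid account id: $1" >&2; return 1; }
  printf 'arn:aws:iam::%s:role/%s\n' "$1" "$2"
}

# Resolve the account that owns the access key Vault is configured with.
# Fails (no output) when no static access key is configured, which means Vault is
# using ambient credentials (instance profile, task role, ~/.aws/credentials).
vault_aws_account_id() {
  key="$(vault read -field=access_key aws/config/root 2>/dev/null || true)"
  [ -n "$key" ] || return 1
  aws sts get-access-key-info --access-key-id "$key" --query Account --output text
}

# Write a Vault role whose role_arns is derived from the resolved account.
configure_role() {
  acct="$(vault_aws_account_id)" || {
    echo "no static access key configured in Vault; ambient credentials in use" >&2
    return 1
  }
  arn="$(build_role_arn "$acct" RoleNameToAssume)"
  vault write aws/roles/deploy credential_type=assumed_role "role_arns=$arn"
}

# Only perform the live lookup when asked, so the helpers can be sourced or tested offline.
if [ "${1:-}" = "configure" ]; then
  configure_role
fi
```

Run it as `sh script.sh configure` against a live Vault; without the argument it only defines the helpers.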

@beornf
Author

beornf commented Sep 12, 2019

Yes, retrieving the configured access key would help with my use case, thanks @joelthompson.

@beornf beornf closed this as completed Sep 12, 2019