HashiTalks 2025 - Zero Trust Security using Hashi Vault and AWS IAM

vinod827 · Feb 19, 2025 · 937b63e · 937b63e
1 parent cfaf2d1
commit 937b63e
Show file tree

Hide file tree

Showing 5 changed files with 130 additions and 0 deletions.
diff --git a/iac/demo/zerotrust/Dockerfile b/iac/demo/zerotrust/Dockerfile
@@ -0,0 +1,6 @@
+FROM amazon/aws-cli:latest
+
+# Install jq
+RUN yum update -y && \
+    yum install -y jq && \
+    yum clean all
diff --git a/iac/demo/zerotrust/hashitalks.png b/iac/demo/zerotrust/hashitalks.png
diff --git a/iac/demo/zerotrust/vault-acl-policy.hcl b/iac/demo/zerotrust/vault-acl-policy.hcl
@@ -0,0 +1,4 @@
+path "aws/creds/dev-role" {
+    capabilities = ["read"]
+}
+
diff --git a/iac/demo/zerotrust/vault-aws-config.hcl b/iac/demo/zerotrust/vault-aws-config.hcl
@@ -0,0 +1,25 @@
+# Enable AWS secrets engine
+path "sys/mounts/aws" {
+  capabilities = ["create", "update"]
+}
+
+# Configure AWS secrets engine with root credentials
+path "aws/config/root" {
+  capabilities = ["create", "update"]
+  data = {
+    access_key = "<ACCESS_KEY>"
+    secret_key = "<SECRET_ACCESS_KEY>"
+    region     = "us-east-1"
+  }
+}
+
+# Create a Vault AWS role that generates IAM user credentials
+path "aws/roles/dev-role" {
+  capabilities = ["create", "update"]
+  data = {
+    credential_type = "iam_user"
+    policy_arn      = "<IAM Policy ARN>"
+    max_ttl         = "24h"
+    ttl             = "1h"
+  }
+}
diff --git a/iac/demo/zerotrust/vault-s3-uploader.yaml b/iac/demo/zerotrust/vault-s3-uploader.yaml
@@ -0,0 +1,95 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: vault-s3-uploader-config
+  namespace: vault
+data:
+  VAULT_ADDR: "http://vault.vault.svc.cluster.local:8200"
+  VAULT_ROLE: "dev-role"
+  S3_BUCKET: "hashitalks2025-zerotrust"
+  S3_REGION: "us-east-1"
+---  
+apiVersion: v1
+kind: Pod
+metadata:
+  name: vault-s3-uploader
+  namespace: vault
+  labels:
+    app: vault-s3-uploader
+spec:
+  serviceAccountName: vault-sa  # Bind to the service account
+  imagePullSecrets:
+    - name: ecr-secret  # Reference the secret for pulling ECR images
+  containers:
+    - name: s3-uploader
+      image: 730335385934.dkr.ecr.us-east-1.amazonaws.com/hashitalks2025:v1.0.0
+      resources:
+        limits:
+          memory: "128Mi"
+          cpu: "500m"
+        requests:
+          memory: "64Mi"
+          cpu: "250m"
+      env:
+        - name: VAULT_ADDR
+          valueFrom:
+            configMapKeyRef:
+              name: vault-s3-uploader-config
+              key: VAULT_ADDR
+        - name: VAULT_ROLE
+          valueFrom:
+            configMapKeyRef:
+              name: vault-s3-uploader-config
+              key: VAULT_ROLE
+        - name: S3_BUCKET
+          valueFrom:
+            configMapKeyRef:
+              name: vault-s3-uploader-config
+              key: S3_BUCKET
+      command: ["/bin/sh", "-c"]
+      args:
+        - |
+          echo "Retrieving AWS credentials from Vault..."
+          VAULT_PATH="aws/creds/${VAULT_ROLE}"
+
+          # Get JWT token from Kubernetes service account
+          K8S_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+
+          # Authenticate with Vault using Kubernetes auth
+          VAULT_RESPONSE=$(curl -s --request POST --data "{\"jwt\": \"${K8S_TOKEN}\", \"role\": \"${VAULT_ROLE}\"}" ${VAULT_ADDR}/v1/auth/kubernetes/login)
+          VAULT_TOKEN=$(echo "$VAULT_RESPONSE" | jq -r '.auth.client_token')
+
+          # Get temporary AWS credentials (IAM User)
+          CREDS=$(curl -s --header "X-Vault-Token: ${VAULT_TOKEN}" ${VAULT_ADDR}/v1/${VAULT_PATH})
+          AWS_ACCESS_KEY_ID=$(echo "$CREDS" | jq -r '.data.access_key')
+          AWS_SECRET_ACCESS_KEY=$(echo "$CREDS" | jq -r '.data.secret_key')
+
+          if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
+            echo "Failed to retrieve AWS credentials from Vault. Exiting..."
+            exit 1
+          fi
+
+          # Export credentials for AWS CLI
+          export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
+          echo "AWS credentials retrieved successfully."
+          sleep 4
+
+
+          # Creating a dummy file
+          echo "Hello everyone! Welcome to the HashiTalks 2025" > hashitalks.txt
+          aws s3 cp hashitalks.txt s3://$S3_BUCKET/
+
+          echo "Upload completed!"          
+      volumeMounts:
+        - name: sa-token
+          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+          readOnly: true
+  volumes:
+    - name: sa-token
+      projected:
+        sources:
+          - serviceAccountToken:
+              path: token
+              expirationSeconds: 600
+              audience: vault
+  restartPolicy: Never