AWS auth method cross account access

volwei · September 23, 2020, 6:30am

Hi. I am using aws auth method to get secrets from vault. That works fine if vault and the ec2 instance requesting the secrets are in the same aws account. The documentation describes the cross account access configuration as following:

For each target AWS account ID, you configure the IAM Role for Vault to assume using the auth/aws/config/sts/<account_id> and Vault will use credentials from assuming that role to validate IAM principals and EC2 instances in the target account.

How can I do that? How can ich configure the access to the other account? How can I see the current configuration?

volwei · September 23, 2020, 2:20pm

I figured it out. You can set a sts role with an api call as described here: https://www.vaultproject.io/api-docs/auth/aws

Example:

curl \
  --header "X-Vault-Token: ..." \
  --request POST \
  --data @payload.json \
  http://127.0.0.1:8200/v1/auth/aws/config/sts/111122223333

Sample payload:

{
  "sts_role": "arn:aws:iam:111122223333:role/myRole"
}

Does anybody know if it is possible to set an sts role per cli?

radecki.rafal · June 8, 2021, 2:42pm

Please check https://github.com/hashicorp/vault-guides/blob/master/identity/aws-second-sample/AWS-auth-method-testing.md#example-3-cross-account-access . vault write auth/aws/config/sts/190840704773 sts_role=arn:aws:iam::190840704773:role/VaultAccess command should do the job.