AWS creds access limitation

grgr · April 11, 2023, 6:59pm

Hello,

AWS dynamic secrets works great however, I don’t understand how to write an ACL that limits access to certain roles.
I have 2 AWS roles: s3-role and ec2-role. I would like group A to only be able to generate an AccessKey/Secret with the s3-role only and not be allowed to generate ec2-role creds.
Is this possible? Or do I need to create another AWS Secret?

Thanks

maxb · April 11, 2023, 7:20pm

Since the role name is part of the path, it’s pretty simple?

policy 1:

path "aws/creds/s3-role" {
  capabilities = ["read"]
}

policy 2:

path "aws/creds/ec2-role" {
  capabilities = ["read"]
}

grgr · April 11, 2023, 7:29pm

Yes… I just find it by myself…
I was expecting something like aws/my/path/ and not working with the role path…

Thank yo!

Topic		Replies	Views
Database and aws policies Vault	2	329	March 7, 2022
Generating Dynamic Access Keys across multiple AWS Accounts Vault	3	2167	August 17, 2021
Creating policy with access to specific policies Vault	1	440	February 23, 2021
Allow access to specific key inside the secret Vault	5	1270	July 23, 2021
Cannot get aws dynamic secret due to permission error (IAM user creation) Vault	6	1897	September 30, 2022

AWS creds access limitation

Related topics