AWS creds access limitation

grgr · April 11, 2023, 6:59pm

Hello,

AWS dynamic secrets works great however, I don’t understand how to write an ACL that limits access to certain roles.
I have 2 AWS roles: s3-role and ec2-role. I would like group A to only be able to generate an AccessKey/Secret with the s3-role only and not be allowed to generate ec2-role creds.
Is this possible? Or do I need to create another AWS Secret?

Thanks

maxb · April 11, 2023, 7:20pm

Since the role name is part of the path, it’s pretty simple?

policy 1:

path "aws/creds/s3-role" {
  capabilities = ["read"]
}

policy 2:

path "aws/creds/ec2-role" {
  capabilities = ["read"]
}

grgr · April 11, 2023, 7:29pm

Yes… I just find it by myself…
I was expecting something like aws/my/path/ and not working with the role path…

Thank yo!