AWS secrets in packer HCL template with vault function


TL;DR - can one use the vault function in Packer HCL2 templates to generate AWS credentials?

Here’s the setup:

Packer Version 1.7.4. I have a Vault instance with an AWS secrets endpoint connected to an AWS account. I have written a Packer template to push images and AMIs to that account.

Can I use the vault function to read (generate) AWS credentials for later use in the template?

More detail:

I have a section in the template to set some local vars, including vault secrets. For KV/2, this is well-documented, e.g.:

locals {
  # read the "secret" field from the KV v2 path kv/data/secrets
  secret = vault("kv/data/secrets", "secret")
}

Easy enough to grok: fetch the secret from secrets.

Now, I have an AWS secrets path mounted in aws/account and I want to generate credentials with role. How do I call the vault function to get that?

I get that the vault function needs a “field” as second argument, but that seems like I will have to call it twice, to get the access key and then secret key… but this will generate two different leases. Requesting the data field seemed to generate an infinite loop when I tried to validate the packer template.

I tried:

  • aws = vault("/aws/account/creds/role") (gave packer validation error)
  • aws = vault("/aws/account/creds/role", "") and aws = vault("/aws/account/creds/role", "data") (endless loop generating several credentials, had to force kill packer)

My intuition was that I would be returned an aws map by Vault, which I could then use to push images:

post-processor "docker-tag" {
      ecr_login = true
      # hypothetical: fields of the map I expected vault() to return
      aws_access_key = local.aws.access_key
      aws_secret_key = local.aws.secret_key
}

Is what I am trying even possible, and if so, what am I doing wrong?
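The single-lease behaviour the question is after, shown as an added example that is not part of this thread or of Packer: one read of the Vault AWS secrets engine returns both keys under one lease_id, and those two values are what the build needs. The sample response below is constructed (placeholder lease id and keys), the mount path aws/account and role name are taken from the question, and the live fetch helper assumes VAULT_ADDR and VAULT_TOKEN are set.

```python
import json
import os
import urllib.request

# Constructed sample of what a single GET on aws/<mount>/creds/<role> returns.
# The lease id and keys are placeholders, not real credentials.
SAMPLE_RESPONSE = json.dumps({
    "request_id": "00000000-0000-0000-0000-000000000000",
    "lease_id": "aws/account/creds/role/EXAMPLE-LEASE-ID",
    "lease_duration": 3600,
    "renewable": True,
    "data": {
        "access_key": "AKIAEXAMPLEEXAMPLE",
        "secret_key": "EXAMPLE/SECRET/KEY/PLACEHOLDER",
        "security_token": None,
    },
})


def parse_aws_creds(raw):
    """Return (lease_id, access_key, secret_key) from one creds read.

    Both keys belong to the same lease, so revoking that one lease_id
    removes everything Vault created for this build. Reading the path once
    per field, as the question tried, would mint two leases and two
    separate credential sets, both of which would need revoking.
    """
    body = json.loads(raw)
    data = body["data"]
    return body["lease_id"], data["access_key"], data["secret_key"]


def packer_env(access_key, secret_key):
    """Environment variables the Packer Amazon builders (and the docker
    post-processors when ecr_login is set without explicit keys) pick up
    through the standard AWS credential chain."""
    return {
        "AWS_ACCESS_KEY_ID": access_key,
        "AWS_SECRET_ACCESS_KEY": secret_key,
    }


def fetch_aws_creds(mount_path="aws/account", role="role"):
    """Live read against Vault; assumes VAULT_ADDR and VAULT_TOKEN are set.
    Not exercised offline, kept here to show the single request that
    produces the response parsed above."""
    addr = os.environ["VAULT_ADDR"].rstrip("/")
    req = urllib.request.Request(
        f"{addr}/v1/{mount_path}/creds/{role}",
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"]},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    lease, ak, sk = parse_aws_creds(SAMPLE_RESPONSE)
    print("lease to revoke when the build finishes:", lease)
    for name, value in packer_env(ak, sk).items():
        print(f"export {name}={value}")
```

Wrapping the build this way (read once, export, run packer, then `vault lease revoke <lease_id>`) keeps exactly one short-lived credential set in play per build, which is the property the template-level approach would also need to preserve.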


This isn’t possible yet, but we do want to add it in the future.


:wave: hey there! It’s me, from the future! I saw a message from past me in the packer template I’m working on to come and check on this topic. Are we able to use the Vault function in packer templates to request AWS credentials yet?