[Feedback wanted] Securely Configure AWS Backend Credentials (Terraform)

Hey everyone

I recently created a new Terraform provider that is meant to be used with Vault, and I would be super interested in your feedback!

It’s called vaultsecure and can be found here: Documentation & Source Code

The main reason for its existence is that I never found a good way to securely configure the root credentials of an AWS secrets engine using Terraform. My typical approach was something like this:

# IAM user that Vault will use as the root identity of the AWS secrets engine
resource "aws_iam_user" "root" {
  name = "vault-root"
}

# Access key for that user; Terraform records both halves of the key pair,
# including the secret access key, in its state
resource "aws_iam_access_key" "root" {
  user = aws_iam_user.root.name
}

# Hand the key pair to Vault as the engine's root credentials
resource "vault_aws_secret_backend" "aws" {
  access_key = aws_iam_access_key.root.id
  secret_key = aws_iam_access_key.root.secret
}

But this approach has a few downsides, namely:

  • The secret key ends up in the terraform state
  • It is not compatible with the rotate-root feature of Vault

The vaultsecure provider helps solve that by offering a new vaultsecure_aws_secret_access_key resource that creates a new access key for an IAM user, sets it in the Vault secrets engine and then even rotates the secret in Vault, without ever storing sensitive values in the Terraform state.

I would be curious to hear your thoughts on that approach! Does it make sense from your perspective? Did I miss something? Any feedback is super appreciated!

Best,
Alex
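For readers who want to see the two steps the post describes (hand a fresh IAM key to Vault, then let Vault rotate it away) done without Terraform state ever holding the secret, here is an added example. It is not code from Alex's post or from the vaultsecure provider; it is an out-of-band bootstrap with the plain `aws` and `vault` CLIs. It assumes both CLIs are installed and already authenticated, that the IAM user (the example uses `vault-root`), the Vault mount path (`aws`) and the region are passed as arguments, and that the AWS secrets engine is already mounted at that path.

```shell
#!/bin/sh
# Added example, not from the original post or the vaultsecure provider.
# Bootstraps the root credentials of a Vault AWS secrets engine out of band,
# so the IAM secret access key never appears in Terraform state, on a command
# line, or in a file.
# Assumptions: `aws` and `vault` CLIs present and authenticated; the AWS
# identity may call iam:CreateAccessKey on the user; the Vault token may
# write <mount>/config/root and <mount>/config/rotate-root.
set -eu

# Create a fresh access key for the IAM user and write it straight into the
# engine's root config. The secret key travels only through a pipe into
# `vault write` (the value `-` tells the CLI to read it from stdin), so it is
# never an argv entry visible in `ps` and never touches disk.
configure_vault_aws_root() {
  iam_user="$1"      # e.g. vault-root
  mount_path="$2"    # e.g. aws
  aws_region="$3"    # e.g. eu-central-1

  # `--output text` prints "<AccessKeyId><TAB><SecretAccessKey>" on one line;
  # neither half contains whitespace, so default word splitting separates them.
  pair=$(aws iam create-access-key --user-name "$iam_user" \
           --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text)
  set -- $pair
  access_key="$1"
  secret_key="$2"

  printf '%s' "$secret_key" | vault write "$mount_path/config/root" \
      access_key="$access_key" secret_key=- region="$aws_region" >/dev/null

  unset secret_key pair
  # Only the non-sensitive half is returned, so callers may log or record it.
  printf '%s\n' "$access_key"
}

# Ask Vault to replace the key it was just given with one only Vault knows.
# Vault deletes the previous key in IAM as part of rotation, so even a copy of
# the bootstrap secret that leaked somewhere is useless afterwards.
# Prints the new, non-sensitive access key id.
rotate_vault_aws_root() {
  mount_path="$1"
  vault write -f -field=access_key "$mount_path/config/rotate-root"
}

# Usage: VAULT_AWS_BOOTSTRAP=1 ./bootstrap.sh vault-root aws eu-central-1
if [ "${VAULT_AWS_BOOTSTRAP:-}" = 1 ]; then
  configure_vault_aws_root "$1" "$2" "$3"
  rotate_vault_aws_root "$2"
fi
```

Once the root has been rotated, nobody outside Vault holds a valid secret for the user, which is exactly the property the post is after. The price is that Terraform can no longer own the `access_key`/`secret_key` of the mount, because any plan that re-applied the bootstrap values would push a key that IAM has already deleted; the mount itself and its roles can still be managed from Terraform.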