Generating Dynamic Access Keys across multiple AWS Accounts

I am looking to deploy a vault cluster onto EC2 instances backed by DynamoDB on AWS. I would like users to then login and be able to generate access keys and secrets using the AWS dynamic secrets engine but want them to be able to generate keys for multiple different AWS accounts. I am struggling to find any documentation on how to configure vault so that a user can login to Vault which sits in Account A and then generate a key for Account B or Account C. Would I setup multiple secrets engines in different paths, one for each account or is there a much simpler way? Im also unsure how I configure Vaults instance IAM policy to allow for this as I would rather not have to maintain and rotate an IAM user for vault in each account.

Hi @robjcrowston – if you can use the assumed_role credential type, this is actually quite easy! All you’ll need to do is:

  1. In accounts B and C, create IAM roles with a role trust policy that lets the Vault IAM principal assume it, and attach the permissions that you desire for each of those roles.
  2. For the Vault IAM principal, ensure it has permissions to call sts:AssumeRole specifying a resource of the roles in accounts B and C (an example is in the Vault docs linked above).
  3. Set up roles in Vault with the role_arns parameter of the roles that you want your Vault users to use. Here, you need to make a choice depending on your use case:
    1. If you want Vault users to be able to get credentials for either account B or account C at their choice, then you could set up a single Vault role that specifies a role_arns parameter with both of the AWS roles.
    2. If you want one set of users to be able to get credentials for account B and another set to get credentials to account C, you would need to configure two different Vault roles, one specifying the AWS role in account B and the other specifying the AWS role in account C.

Hope this helps!

2 Likes

Much appreciated Joel, thanks!

It’s all working beautifully.