Hashivault - AWS and STS

Hi everyone - I am experimenting with Vault and am new to all of this. My AWS account is MFA and we need to use STS to work with it. How does this get handled with Vault? I'm getting confused between using token federations, assuming roles etc… Any guidance would be appreciated.

That’s hard to do without rewriting the whole STS documentation. What exactly did you try and how did it fail?

MFA and Assume Roles do not apply here. MFA is for authenticating a user to AWS (username/password) … In this setup you need an AWS IAM user with access/secret keys. AssumeRole also doesn’t apply, that’s for providing a working setup access to a second (or third, or etc… ) AWS account.

Basically, we use AWS but we have MFA on the CLI and on the web side of things. So for us to work with AWS, we normally need to do an: aws sts get-session-token and provide the MFA token. Then we get a new access key, secret access key and security token for the next 12 hours.

I want to see if Hashivault can do all of this for us indeed, so we can just query Vault for access and it provides the latest token information that we can inject into our IaC or Ansible etc.

But I can figure it out… there aren't a lot of examples with this type of setup.

Vault can be in charge of asking STS for credentials and returning them to users, subject to locally defined policy in Vault.

However for this to work, you’re going to need to give Vault some powerful credentials for talking to AWS that don’t require MFA.

Is that an option for you?

Yeah, we can do that. I just need to understand what I need to do and what is needed.

Please start by reading the docs: https://www.vaultproject.io/docs/secrets/aws and ask for clarifications as needed.

I have read that before. So is the best way to set up an IAM account for Vault with no MFA etc… and then let Vault create the users and pass the details back to the applications needing access?

I thought perhaps just to do an assumed role and use one of our existing accounts. Basically I want the most secure option.

This is the only kind of credential (Access Key ID & Secret Access Key - no session token involved) supported to configure the Vault AWS secrets engine via the Vault API.

Technically I believe you can also leave the AWS secrets engine without credentials, and it’s supposed to then use the AWS Go client library’s default behaviours to try to source credentials from files local to the Vault server, but to me this seems overly complex, and more difficult to manage, especially once you consider the need to ensure credentials are synced across all Vault servers in an HA cluster. Unless, that is, you’re already running your Vault in AWS EC2, and have it set up to automatically provide your Vault instances with suitable credentials.

Once you’ve sorted giving Vault its own identity to manage AWS, you then have to decide which of the three kinds of credential mentioned in the doc (iam_user, assumed_role, federation_token) you’re going to use.

Personally I think the iam_user method rules itself out of viability due to:

Unfortunately, IAM credentials are eventually consistent with respect to other Amazon services. If you are planning on using these credential in a pipeline, you may need to add a delay of 5-10 seconds (or more) after fetching credentials before they can be used successfully.

Pros and cons of assumed_role vs federation_token are also discussed in the previously linked document, and are quite situational to your desired use cases.
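Putting the reply above into code, as an added example that is not from the thread or from HashiCorp: it drives the Vault AWS secrets engine through its HTTP API with only the Python standard library (aws/config/root for Vault's own long-lived IAM keys, aws/roles/<name> for an assumed_role or federation_token role, aws/sts/<name> to obtain an STS lease) and then turns the lease into the environment variables or credentials-file profile that Ansible and other IaC tooling read. Assumptions: the engine is mounted at aws/, the role is named deploy, the keys, ARNs and sample response are constructed placeholders, and VAULT_ADDR/VAULT_TOKEN come from the environment (the same variables the vault CLI reads).

```python
"""Added example, not code from the thread or from HashiCorp's docs.

Drives the Vault AWS secrets engine over its HTTP API with the standard
library only, then turns the returned STS lease into values Ansible/IaC
can consume.  Assumptions: engine mounted at `aws/`, a role named `deploy`,
placeholder keys/ARNs, and VAULT_ADDR / VAULT_TOKEN taken from the
environment (the variables the vault CLI itself reads).
"""
import json
import os
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
VAULT_TOKEN = os.environ.get("VAULT_TOKEN", "")

CREDENTIAL_TYPES = ("iam_user", "assumed_role", "federation_token")


def vault_request(method, path, payload=None):
    """Authenticated call to Vault's HTTP API (X-Vault-Token is Vault's header)."""
    body = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", data=body, method=method)
    req.add_header("X-Vault-Token", VAULT_TOKEN)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def configure_root(access_key, secret_key, region="us-east-1"):
    """Give Vault its own long-lived IAM user keys: access key + secret only,
    no MFA and no session token (the only form aws/config/root accepts)."""
    return vault_request("POST", "aws/config/root",
                         {"access_key": access_key, "secret_key": secret_key,
                          "region": region})


def role_payload(credential_type, role_arns=None, policy_arns=None,
                 policy_document=None, default_sts_ttl=3600, max_sts_ttl=43200):
    """Body for POST aws/roles/<name>.  Pure function so validation is testable."""
    if credential_type not in CREDENTIAL_TYPES:
        raise ValueError(f"unknown credential_type {credential_type!r}")
    payload = {"credential_type": credential_type}
    if credential_type == "assumed_role":
        if not role_arns:
            raise ValueError("assumed_role needs at least one role ARN")
        payload["role_arns"] = list(role_arns)
    elif credential_type == "federation_token" and not (policy_arns or policy_document):
        raise ValueError("federation_token needs policy_arns or policy_document")
    if policy_arns:
        payload["policy_arns"] = list(policy_arns)
    if policy_document:
        payload["policy_document"] = json.dumps(policy_document)
    if credential_type != "iam_user":       # STS TTL bounds only apply to STS types
        payload["default_sts_ttl"] = default_sts_ttl
        payload["max_sts_ttl"] = max_sts_ttl
    return payload


def create_role(name, **kwargs):
    return vault_request("POST", f"aws/roles/{name}", role_payload(**kwargs))


def fetch_sts(name, ttl="1h"):
    """aws/sts/<name> serves assumed_role and federation_token roles."""
    return vault_request("POST", f"aws/sts/{name}", {"ttl": ttl})


# Constructed sample of what `vault read -format=json aws/sts/deploy` returns.
SAMPLE_SECRET = {
    "lease_id": "aws/sts/deploy/EXAMPLELEASEID",
    "lease_duration": 3600,
    "renewable": False,
    "data": {
        "access_key": "ASIAEXAMPLEKEY",
        "secret_key": "EXAMPLESECRETKEY",
        "security_token": "EXAMPLESESSIONTOKEN",
        "arn": "arn:aws:sts::123456789012:assumed-role/deploy/vault-deploy-0",
    },
}


def creds_to_env(secret):
    """Map the lease to the env vars the AWS CLI/SDKs and Ansible read."""
    d = secret["data"]
    env = {"AWS_ACCESS_KEY_ID": d["access_key"],
           "AWS_SECRET_ACCESS_KEY": d["secret_key"]}
    if d.get("security_token"):        # present for STS, absent for iam_user
        env["AWS_SESSION_TOKEN"] = d["security_token"]
    return env


def creds_to_profile(secret, profile="vault-deploy"):
    """Render a ~/.aws/credentials stanza for the lease."""
    keys = {"AWS_ACCESS_KEY_ID": "aws_access_key_id",
            "AWS_SECRET_ACCESS_KEY": "aws_secret_access_key",
            "AWS_SESSION_TOKEN": "aws_session_token"}
    lines = [f"[{profile}]"] + [f"{keys[k]} = {v}" for k, v in creds_to_env(secret).items()]
    return "\n".join(lines) + "\n"


def needs_refresh(secret, fetched_at, now, margin=300):
    """STS leases are not renewable; re-read from Vault before they expire."""
    return now >= fetched_at + secret["lease_duration"] - margin


if __name__ == "__main__":  # live usage; needs a reachable, unsealed Vault
    create_role("deploy", credential_type="assumed_role",
                role_arns=["arn:aws:iam::123456789012:role/deploy"])
    print(creds_to_env(fetch_sts("deploy")))
```

Two practical checks when wiring this up: the keys handed to aws/config/root must be an IAM user's long-term access key pair, because STS GetFederationToken cannot be called with temporary credentials, and the leases that aws/sts/<name> returns are not renewable, so a pipeline has to re-read the path (as needs_refresh does) rather than call lease renew. Lock down the Vault policy so the pipeline's token can only read aws/sts/deploy and not aws/config/* or aws/roles/*.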