Is it possible to inject Vault token to AWS EMR Cluster nodes?

Shunn · June 9, 2020, 10:21am

Hi,

Is it possible to provide Vault token to EC2 instances initiated by EMR cluster?

The flow: Each time EMR create a new EC2 instance - we need automatically setup Vault Agent on it… So, what will be the best way to provide RoleID and SecretID for agent configuration?

Regards,

Rumbles · March 25, 2021, 7:36am

I had to interact with vault using an EMR cluster recently, I didn’t really want to make a custom AMI to put vault on the instances (plus I would have had DNS issues) so I followed this gist:

gist.github.com

https://gist.github.com/joelthompson/378cbe449d541debf771f5a6a171c5ed

README.md

# vault_aws_auth

These are python 2 and 3 snippets showing how to generate headers to authenticate with HashiCorp's Vault using the
[AWS authentication method](https://www.vaultproject.io/docs/auth/aws.html). There's also a Ruby implementation which uses version 3 of the [AWS SDK for Ruby](https://aws.amazon.com/documentation/sdk-for-ruby/).

The python scripts look for credentials in the
[default boto3 locations](https://boto3.readthedocs.io/en/latest/guide/configuration.html#configuring-credentials);
if you need to supply custom credentials (such as from an `AssumeRole` call), you would use the
[botocore.session.set_credentials](https://github.com/boto/botocore/blob/5a5d9b47b62dedd4b6eff77cde90146dc4f54520/botocore/session.py#L417)
method before calling `create_client`.

This file has been truncated. show original

vault_aws_auth.py

#!/usr/bin/env python

import botocore.session
from botocore.awsrequest import create_request_object
import json
import base64

def headers_to_go_style(headers):
    retval = {}
    for k, v in headers.iteritems():

This file has been truncated. show original

vault_aws_auth.rb

#!/usr/bin/env ruby

require 'base64'
require 'json'

# Tested against v3
require 'aws-sdk'

class VaultHandler < Seahorse::Client::NetHttp::Handler
  def call(context)

This file has been truncated. show original

There are more than three files. show original

Using the python2 code (as boto3 wasn’t installed by default on python3), I used this to get a vault token for my EMR instances (from an AWS backed vault role) via a bash script I wrote, I could then use the vault token with curl to interact with vault.

Topic		Replies	Views
Cross account AWS EC2 Authentication Vault	2	219	April 4, 2024
Vault Authentication to AWS for automated snapshots to s3 bucket Vault	2	912	December 9, 2021
Authentication to Vault from local machines' repos Vault	2	204	February 26, 2023
AWS auth method - How to use the vault CLI with IAM role? Vault	1	3857	April 3, 2020
Role in AWS EC2 Authentication Vault	2	191	February 14, 2023

Is it possible to inject Vault token to AWS EMR Cluster nodes?

Related topics