Multi-Account Access for AWS Authentication

Hi,

As the title says, I am trying to get multiple AWS accounts authenticated when they log in with their EC2 instance. Unfortunately, I can only get my account ID to auth into HashiCorp Vault. I am not sure if this is one of the limitations of the HCP since it's hosted on the website. The process I have so far (after enabling aws):

vault write auth/aws/config/client \
    access_key="AKIAxxxxx" \
    secret_key="xxxx"

vault write auth/aws/role/${example_role_name} \
  auth_type=iam \
  bound_iam_principal_arn=${AWS_IAM_ROLE_ARN} \
  policies={account-policy} \
  max_ttl=1h
# note: {account-policy} = a different policy for each new user
# (the comment is kept on its own line; text after a trailing "\" breaks the line continuation)

vault kv put secret/certs/${AWS_ACCOUNT_ID}/${AWS_IAM_ROLE}/cert1 cert="data" key="key"

So for the AWS policy for the access/secret user role that allowed aws to use my account as a valid account:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "iam:GetInstanceProfile",
                "iam:GetUser",
                "iam:GetRole"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::956xxxxxx:role/<VaultRole>"
            ]
        }
    ]
}

HCL Policies attached to the user, these are hard-coded paths:

# Write and manage secrets in key-value secrets engine
path "secret/data/certs/${AWS_ACCOUNT_ID}/${AWS_ACCOUNT_IAM_ROLE}/*" {
  capabilities = ["read", "list" ]
}

path "secret/metadata/certs/${AWS_ACCOUNT_ID}/${AWS_ACCOUNT_IAM_ROLE}/*" {
  capabilities = [ "list", "read" ]
}

# To enable secrets engines
path "sys/mounts/*" {
  capabilities = [ "create", "read", "update", "delete" ]
}

On the client EC2 instance, I used this policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "iam:GetInstanceProfile",
                "iam:GetUser",
                "iam:GetRole",
                "sts:GetCallerIdentity"
            ],
            "Resource": "*"
        }
    ]
}

So all of that only allowed my account to be authenticated when logged into HashiCorp Vault, but I need to be able to log into any account (i.e. any AWS account and role). Let me know if you need more information, but thanks for the help!

Have you seen this?

Configure the necessary AWS IAM services, configure Vault, and then allows Vault to validate workloads (uses EC2 but in theory could be Lambda, etc) running in AWS.

Yes, I have looked into it, and I do something similar. Before I go ahead and retry it; does it work for multiple cross-account validation?

For example, if I use my account as the ‘valid’ login, can someone from another AWS account log in when I do

vault write auth/aws/role/vault-role-for-aws-ec2role \
     auth_type=iam \
     bound_iam_principal_arn=arn:aws:iam::<otherAWSAccount>:role/aws-ec2role-for-vault-authmethod \
     policies=vault-policy-for-aws-ec2role

Because that is the main issue I am having; I was able to get my AWS account authenticated and able to read the secrets, the issue is registering the other AWS accounts.

For that scenario, you’ll need to set up Vault with:

[SOLVED]

Yep, got it working. The issue was that I needed to contact support to enable cross-account auth since the Vault was running on their AWS instance, and get it set up; also I had to add the field resolve_aws_unique_ids=false to the command vault write auth/aws/role/name and everything worked.

Article for reference:

Shout out to HashiCorp Support for quick and easy help!
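The working setup described in this thread, written out end to end as an added example (not code posted by anyone in the thread or shipped by HashiCorp): for each foreign AWS account, Vault gets an auth/aws/config/sts/<account_id> entry naming a role it may assume in that account to resolve callers, then one Vault role per account bound to that account's EC2 instance role ARN with resolve_aws_unique_ids=false, and a read-only KV policy scoped to that account's subtree. Account IDs, role names and the VAULT_CMD dry-run switch are assumptions made for the example.

```shell
#!/bin/sh
# Added example: multi-account configuration for Vault's AWS auth method.
# All account IDs and role names below are placeholders.
set -e

# Point VAULT_CMD at "echo" to dry-run without a Vault server.
VAULT_CMD="${VAULT_CMD:-vault}"

# Workload accounts that should be allowed to authenticate (placeholders).
WORKLOAD_ACCOUNTS="222222222222 333333333333"
# Role in each workload account that Vault's own credentials may assume;
# its trust policy must trust the account Vault's access key belongs to,
# and it needs iam:GetRole / iam:GetUser / iam:GetInstanceProfile there.
STS_ROLE_NAME="VaultCrossAccountRole"
# Instance-profile role attached to the EC2 instances in each workload account.
EC2_ROLE_NAME="aws-ec2role-for-vault-authmethod"

# Tell Vault which role to assume in a foreign account so it can resolve the
# caller's IAM principal (the auth/aws/config/sts/<account_id> endpoint).
configure_sts_for_account() {
  acct="$1"
  $VAULT_CMD write "auth/aws/config/sts/${acct}" \
    sts_role="arn:aws:iam::${acct}:role/${STS_ROLE_NAME}"
}

# One Vault role per account, bound to that account's EC2 role ARN. With
# resolve_aws_unique_ids=false Vault binds on the ARN string instead of the
# IAM unique ID, so the role can be created without resolving the principal
# in the foreign account first (the fix reported in the thread).
configure_vault_role_for_account() {
  acct="$1"
  $VAULT_CMD write "auth/aws/role/ec2-${acct}" \
    auth_type=iam \
    bound_iam_principal_arn="arn:aws:iam::${acct}:role/${EC2_ROLE_NAME}" \
    resolve_aws_unique_ids=false \
    policies="certs-${acct}" \
    max_ttl=1h
}

# Read-only policy limited to this account's subtree of the KV v2 engine, so a
# workload in account A can never list or read account B's certificates.
write_policy_for_account() {
  acct="$1"
  $VAULT_CMD policy write "certs-${acct}" - <<EOF
path "secret/data/certs/${acct}/${EC2_ROLE_NAME}/*" {
  capabilities = ["read", "list"]
}
path "secret/metadata/certs/${acct}/${EC2_ROLE_NAME}/*" {
  capabilities = ["read", "list"]
}
EOF
}

# Apply the three steps for every workload account.
configure_all() {
  for acct in $WORKLOAD_ACCOUNTS; do
    configure_sts_for_account "$acct"
    write_policy_for_account "$acct"
    configure_vault_role_for_account "$acct"
  done
}

# On an EC2 instance in account 222222222222 the login would then be:
#   vault login -method=aws role=ec2-222222222222
```

The per-account STS role is what turns a single set of Vault credentials into cross-account validation: Vault's own access key only needs sts:AssumeRole on each arn:aws:iam::<account>:role/VaultCrossAccountRole (the second statement of the first IAM policy in this thread, repeated per account), and the trust policy of that role in the foreign account must allow Vault's principal to assume it. Keeping one Vault role and one policy per account, rather than a shared role, means a token issued to a workload in one account cannot reach another account's secret paths.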