Rotating AWS Credentials (Root & auth/aws)

I am using two AWS integrations:

  • Secrets engine enabling issuance of AWS credentials to authenticated/permissioned users.
  • EC2 auth method enabling instances to authenticate to Vault.

Both require access/secret keys in their configuration albeit with different permissions.

The secrets engine has a rotate-root ability, which is great, although it would be even better if this could be scheduled to occur automatically on a timed basis.

However, am I right in understanding that there is no similar rotate ability for the EC2 auth method? I had a quick hunt on GitHub issues and couldn’t see anything asking for this. Is this not something that would be desirable? Perhaps I have misunderstood something.

I don’t believe you can rotate keys in AWS. You have to generate a new set and revoke the old one. So, no, Vault can’t do it either. There are the federated tokens, which are rotatable, but AWS has a note that temporary keys cannot be revoked but they can be re-generated … which is probably why HashiCorp doesn’t let you rotate those either without knowing that you can revoke the previous set.

The Vault /rotate-root function on the AWS secrets engine operates as expected, i.e. by creating a new AWS key for itself, and disabling + deleting the old one. As I said, this is excellent because then the only place that the credentials are stored/known is in Vault itself. It is just a shame Vault doesn’t then go and auto-rotate at a set frequency.

However, I was looking for confirmation that there is no similar feature for rotating the separate EC2 auth method AWS credentials, so that again Vault would be the only place that the secrets are known.

You are right @aram that no atomic AWS function ‘rotate key’ exists and that under the hood Vault would have to create a new key, disable old, delete old.


Good point @fifofonix, I had forgotten that rotate-root did exist in AWS. But no, I have not run across a non-root-access on AWS. There are multiple places where a rotation option would be very useful but is not available across many different plugins.
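The create-new / disable-old / delete-old sequence the thread describes, applied by hand to the IAM user behind auth/aws, as an added example that is not part of this thread and not Vault's own code. It assumes a boto3 IAM client and a hypothetical `write_vault_config` callable that runs the equivalent of `vault write auth/aws/config/client access_key=... secret_key=...`; the `FakeIAM` class is a constructed stand-in so the script runs offline.

```python
# Added example (not Vault's or HashiCorp's code): rotate the access key of the
# IAM user used by auth/aws, ordered so Vault is never left without a working key.
# `iam` is a boto3 IAM client; `write_vault_config` is a hypothetical callable that
# performs: vault write auth/aws/config/client access_key=... secret_key=...

def rotate_iam_user_key(iam, user_name, write_vault_config):
    """Rotate user_name's access key and return the new AccessKeyId."""
    existing = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    # IAM allows at most two access keys per user; a leftover key blocks creation,
    # and two keys usually means an earlier rotation was left half done.
    if len(existing) >= 2:
        raise RuntimeError(f"{user_name} already has 2 access keys; clean up first")
    old_ids = [k["AccessKeyId"] for k in existing]
    new = iam.create_access_key(UserName=user_name)["AccessKey"]
    try:
        write_vault_config(new["AccessKeyId"], new["SecretAccessKey"])
    except Exception:
        # Vault never accepted the new key: remove it so nothing dangling remains.
        iam.delete_access_key(UserName=user_name, AccessKeyId=new["AccessKeyId"])
        raise
    # Only now is the old key retired: deactivate first (reversible), then delete.
    for key_id in old_ids:
        iam.update_access_key(UserName=user_name, AccessKeyId=key_id, Status="Inactive")
        iam.delete_access_key(UserName=user_name, AccessKeyId=key_id)
    return new["AccessKeyId"]


class FakeIAM:
    """Constructed in-memory stand-in for the boto3 IAM client, for offline runs."""
    def __init__(self, key_ids):
        self.keys = {k: "Active" for k in key_ids}
        self.created = 0
    def list_access_keys(self, UserName):
        meta = [{"AccessKeyId": k, "Status": s} for k, s in self.keys.items()]
        return {"AccessKeyMetadata": meta}
    def create_access_key(self, UserName):
        self.created += 1
        key_id = f"AKIAFAKE{self.created:08d}"
        self.keys[key_id] = "Active"
        return {"AccessKey": {"AccessKeyId": key_id, "SecretAccessKey": "constructed"}}
    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId] = Status
    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]


if __name__ == "__main__":
    iam = FakeIAM(["AKIAOLD000000001"])  # constructed key id, not a real one
    print(rotate_iam_user_key(iam, "vault-ec2-auth", lambda k, s: None), iam.keys)
```

Run from cron (or a Vault-aware scheduler) it gives the timed rotation the thread asks for; with a real client, `rotate-root` on the secrets engine and this script on auth/aws cover both integrations.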