Secure way to access Vault secrets from AWS Beanstalk without using AWS keys

We are looking into using Vault to store our database password and other secrets. Not looking into password rotation right now. The constraint being that I’m not allowed to generate any AWS access keys. We also wish to avoid Vault being compromised in case our instances are compromised somehow. Our application is written in Python and hosted on AWS Elastic Beanstalk. We had to avoid using Beanstalk environment variables as they are present in plaintext on the instances.

I tried implementing the Approle method as follows:

  1. Store the role-id in the CodeBuild environment and fetch a single-use wrapped token.
  2. Write this token to a file which the application code, during startup after deploy, would read and use to fetch the secrets to initialize the app.
  3. The advantage was that the token, even though present on the instance, wouldn’t have worked anymore, but this would fail in case of auto-scaling, as Beanstalk would deploy the same build on the other instances as well and the token would not have worked there.

Any suggestions?

Thanks a lot.

I think you’d have to consider seeing if there is a way to have your app obtain a valid role id and secret id prior to start-up; that way, each time it auto-scales, it authenticates again and gets a new token. Perhaps you may be able to find a way to achieve something like that using the options here.

Hmm, don’t Beanstalk apps have AWS IAM instance profiles as well…? Sorry, I haven’t looked, but… This would be The Way…
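The instance-profile route suggested above works with Vault's AWS auth method in IAM mode: the application signs an STS `GetCallerIdentity` request with the temporary credentials the instance profile already provides, sends the signed request (not the credentials) to Vault, and Vault forwards it to STS to learn which IAM principal is calling. No AWS access key is ever generated or stored, and a new instance from auto-scaling authenticates on its own at startup. The following is an added Python example, not code from the thread or from HashiCorp; it builds that login payload with the standard library only. It assumes the auth method is mounted at `auth/aws`, a Vault role named `beanstalk-app` bound to the instance's IAM role, a constructed `iam_server_id_header_value` of `vault.example.internal`, and constructed credentials in place of the ones boto3 or the instance metadata service would return on a real instance.

```python
"""Build and send a Vault AWS IAM auth login request using only the standard library.

Added example (not from the original thread). Assumed: Vault role "beanstalk-app",
auth mount "auth/aws", and a role configured with iam_server_id_header_value.
"""
import base64
import datetime
import hashlib
import hmac
import json
import urllib.request
from urllib.parse import urlparse

STS_URL = "https://sts.amazonaws.com/"
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"
STS_REGION = "us-east-1"  # the global STS endpoint signs as us-east-1
SERVICE = "sts"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Standard SigV4 key derivation: date -> region -> service -> aws4_request."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_get_caller_identity(access_key, secret_key, session_token, vault_server_id, now=None):
    """Return the SigV4-signed headers for POST sts.amazonaws.com GetCallerIdentity.

    The X-Vault-AWS-IAM-Server-ID header is signed too, so a captured request can
    only be redeemed at the Vault cluster whose role expects that exact value.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
        "Host": urlparse(STS_URL).netloc,
        "X-Amz-Date": amz_date,
        "X-Vault-AWS-IAM-Server-ID": vault_server_id,
    }
    if session_token:  # instance-profile credentials are temporary and carry a token
        headers["X-Amz-Security-Token"] = session_token
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    signed_names = ";".join(sorted(lowered))
    canonical_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    payload_hash = hashlib.sha256(STS_BODY.encode("utf-8")).hexdigest()
    canonical_request = "\n".join(["POST", "/", "", canonical_headers, signed_names, payload_hash])
    scope = f"{date_stamp}/{STS_REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    key = signing_key(secret_key, date_stamp, STS_REGION, SERVICE)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["Authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_names}, Signature={signature}"
    )
    return headers


def vault_login_payload(signed_headers, role):
    """Encode the signed STS request the way auth/aws/login expects it.

    Headers are sent as name -> list of values, matching Go's http.Header shape.
    """
    header_json = json.dumps({k: [v] for k, v in signed_headers.items()})
    b64 = lambda s: base64.b64encode(s.encode("utf-8")).decode("ascii")
    return {
        "role": role,
        "iam_http_request_method": "POST",
        "iam_request_url": b64(STS_URL),
        "iam_request_headers": b64(header_json),
        "iam_request_body": b64(STS_BODY),
    }


def login_to_vault(vault_addr, payload):
    """POST the payload to Vault and return the short-lived client token (network call)."""
    req = urllib.request.Request(
        f"{vault_addr}/v1/auth/aws/login",
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["auth"]["client_token"]


if __name__ == "__main__":
    # Constructed credentials; on an instance, take these from the instance metadata
    # service (or a boto3 Session) instead of embedding them anywhere.
    hdrs = sign_get_caller_identity("AKIACONSTRUCTEDEXAMPLE", "constructed/secret/key",
                                    "constructed-session-token", "vault.example.internal")
    print(json.dumps(vault_login_payload(hdrs, "beanstalk-app"), indent=2))
```

Vault verifies the signature by replaying the request to STS, so the application never hands AWS credentials to Vault, and the token it receives can be bound with a short TTL and `bound_iam_principal_arn` so that a compromised instance yields only that role's policies for that TTL. On the Vault side the role should set `iam_server_id_header_value` to the same string the client signs, otherwise the header above is ignored.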