Vault: aws: Use IAM Roles instead of IAM Users?

Created on 21 Mar 2016 · 5 comments · Source: hashicorp/vault

I tried following the quick start from https://www.vaultproject.io/docs/secrets/aws/index.html
which led me to a couple of confusions.

Difference between managed policies & inline

Managed (for IAM only)

The following command

vault write aws/roles/s3-ro arn="arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"

under the hood calls iam:CreateUser to create a user called vault-%s%d-%d

Then the following (to get temporary credentials)

vault read aws/creds/s3-ro

under the hood calls iam:CreateAccessKey which (by AWS' design) is a key that has no expiration attached - i.e. relies completely on Vault in terms of expiration.

Inline (for IAM & STS)

The following command

vault write aws/roles/s3-ro policy=@policy.json

under the hood Vault calls iam:CreateUser to create a user called vault-%s%d-%d and iam:PutUserPolicy to set the given policy as inline policy.

Then the following (to get temporary credentials)

vault read aws/sts/s3-ro

calls sts:GetFederatedToken passing in the given policy and TTL.

Different default lease duration

By default IAM has lease_duration=2592000 (30 days) and STS lease_duration=3600 (1 hour).

Why not use IAM Roles?

Using IAM roles would address most of the confusions and existing problems.

  • IAM Roles can use both managed and inline policies
  • IAM Roles can be _assumed_ with TTL via STS API (=> built-in mechanism for expiration)
  • IAM Roles can be managed outside of Vault (e.g. via Terraform) and even reused elsewhere (e.g. for EC2 instance profiles)
  • There would be fewer issues with IAM consistency since the STS API is always used to get the final credentials

I believe that bringing the implementation closer to AWS conventions by using IAM Roles instead of IAM Users would make more sense.
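The role-based layout the proposal describes, written out as an added Terraform example (this is not code from the issue, the Vault project, or Vault's aws backend): one IAM role that carries both a managed and an inline policy, trusts the principal whose keys Vault holds, and can be reused by an EC2 instance profile. The variable name `vault_principal_arn`, the role name `vault-s3-ro`, and the inline deny statement are assumptions made for the illustration.

```hcl
# Added example, not part of the hashicorp/vault issue or code base.
# Assumption: vault_principal_arn is the IAM user or role whose access key
# is configured in Vault's aws backend (aws/config/root).
variable "vault_principal_arn" {
  type        = string
  description = "Principal that Vault authenticates as; it will call sts:AssumeRole on the role below."
}

# Trust policy: only the Vault principal may assume this role.
data "aws_iam_policy_document" "vault_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = [var.vault_principal_arn]
    }
  }
}

# The role itself. Its lifecycle lives in Terraform, not in Vault.
resource "aws_iam_role" "s3_ro" {
  name               = "vault-s3-ro" # assumed name
  assume_role_policy = data.aws_iam_policy_document.vault_trust.json
}

# Managed policy, the same ARN the issue passes as arn=... to aws/roles/s3-ro.
resource "aws_iam_role_policy_attachment" "s3_ro_managed" {
  role       = aws_iam_role.s3_ro.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
}

# Inline policy on the same role, showing that a role can carry both kinds.
# The deny below is only an illustration of an inline statement.
data "aws_iam_policy_document" "s3_ro_inline" {
  statement {
    effect    = "Deny"
    actions   = ["s3:DeleteObject", "s3:DeleteBucket"]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "s3_ro_inline" {
  name   = "no-delete"
  role   = aws_iam_role.s3_ro.id
  policy = data.aws_iam_policy_document.s3_ro_inline.json
}

# The same role can be handed to EC2 instances, which a vault-created IAM
# user cannot be.
resource "aws_iam_instance_profile" "s3_ro" {
  name = "vault-s3-ro"
  role = aws_iam_role.s3_ro.name
}

output "role_arn" {
  # Value a role-based backend would call sts:AssumeRole on, with the lease
  # TTL passed as DurationSeconds so AWS, not only Vault, expires the keys.
  value = aws_iam_role.s3_ro.arn
}
```

Two points a practitioner would check before relying on this: sts:AssumeRole refuses DurationSeconds below 900 seconds or above the role's maximum session duration, so a backend built on it has to clamp the requested lease to that window rather than accept the 30-day default the IAM path uses; and when the Vault principal sits in a different account from the role, the trust policy alone is not enough, the principal also needs an identity policy granting sts:AssumeRole on that role ARN.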

All 5 comments

@radeksimko You can use inline policies with Vault: simply put in the ARN in as the arn argument when configuring a role!

@jefferai I know I can do it, in fact I even mentioned this above in the Managed (for IAM only) section.

I'm more wondering why should there be effectively two different ways of getting AWS credentials with different limitations when IAM Roles with sts:AssumeRole() would solve it?

@radeksimko Development of the backend has been community-driven, so its current behavior aligns with the needs of those that submitted patches and features.

Completely understood, so in other words you're open to PRs that would be changing the behaviour to use IAM Roles? :wink:

Changing, no. Adding, yes! Current functionality is heavily relied-upon, so this would have to be additional functionality rather than changing things out from under other users -- similarly to how STS was added.
