Vault: Option to generate AWS IAM Users with Web Console Access

Created on 11 Mar 2020 · 10 Comments · Source: hashicorp/vault

It would be great if we could generate a username/password for IAM users along with the secret key and access key ID. A user can provide an additional flag for username/password, and then Vault could also be used as a much better PAM solution, I believe.

I tried searching the documentation, but it does not mention whether we could create IAM users with web console access, so it would really be a nice addition.

Labels: enhancement, secret/aws

All 10 comments

Hi @jay-dee7 , thanks for opening this request.

Can I get some further clarification on your request? Am I right in thinking you'd like to be able to do this call, but using the Vault UI's CLI to do it? Here's a screenshot of the CLI I'm talking about:

[Screenshot from 2020-03-11 15-57-28: the Vault UI's CLI]

Have you attempted this already or are you mainly going off the lack of docs? If not, would you be willing to attempt it?

Thanks!

@tyrannosaurus-becks thanks for the quick follow-up. I'm talking about extending the usage that you mentioned. If you see the output, it generates programmatic access credentials (secret access key and access key ID); would it be possible to generate a username and password (random, obviously) alongside these keys, behind an optional flag, etc.?

@jay-dee7 -- I haven't tried it, but perhaps you could call sts:GetFederationToken with the returned credentials, and then use those credentials with the procedures described here to login to the Console? It's a bit of a hack but might work.

@tyrannosaurus-becks -- I believe what @jay-dee7 is asking for is for Vault to call iam:CreateLoginProfile on the returned credentials with a randomly generated password and then to return that password to the end users.
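The console workaround suggested in the comment above, written out as an added example (this is not code from the issue or from Vault): the long-term keys Vault returns for an iam_user credential call sts:GetFederationToken, and the temporary credentials are then exchanged for a console sign-in URL through the AWS federation endpoint, the procedure AWS documents for custom identity brokers. The function names, the read-only session policy and the sample values in the demo are assumptions and constructed data.

```python
"""Added example, not code from the Vault issue or from Vault itself: the
console workaround suggested in the comment above. The Vault-issued IAM user
keys call sts:GetFederationToken, and the temporary credentials are exchanged
for a console sign-in URL through the AWS federation endpoint (the procedure
AWS documents for custom identity brokers). Function names, the session policy
and the sample values in __main__ are assumptions / constructed data."""
import json
import urllib.parse
import urllib.request

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"
CONSOLE_URL = "https://console.aws.amazon.com/"

# A session policy is required: the federated session's permissions are the
# intersection of the IAM user's policies and this document, so scope it down.
READ_ONLY_SESSION_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:Describe*", "s3:ListAllMyBuckets"],
        "Resource": "*",
    }],
})


def get_federation_token(access_key, secret_key, name, duration=3600,
                         policy=READ_ONLY_SESSION_POLICY):
    """Call sts:GetFederationToken with the long-term keys Vault returned.

    STS refuses this call when it is signed with temporary credentials, so the
    trick works for Vault's iam_user credential type but not for assumed_role
    or federation_token credentials. Returns the Credentials dict.
    """
    import boto3  # imported lazily so the URL helpers below need no AWS SDK

    sts = boto3.client("sts", aws_access_key_id=access_key,
                       aws_secret_access_key=secret_key)
    resp = sts.get_federation_token(Name=name, Policy=policy,
                                    DurationSeconds=duration)
    return resp["Credentials"]


def signin_token_request_url(creds):
    """Step 1 of the federation endpoint exchange: the temporary credentials go
    into a JSON 'Session' parameter of a getSigninToken request."""
    session = json.dumps({
        "sessionId": creds["AccessKeyId"],
        "sessionKey": creds["SecretAccessKey"],
        "sessionToken": creds["SessionToken"],
    })
    query = urllib.parse.urlencode({"Action": "getSigninToken", "Session": session})
    return f"{FEDERATION_ENDPOINT}?{query}"


def fetch_signin_token(request_url):
    """Perform the getSigninToken request; the response is {"SigninToken": ...}."""
    with urllib.request.urlopen(request_url) as resp:
        return json.load(resp)["SigninToken"]


def console_login_url(signin_token, issuer, destination=CONSOLE_URL):
    """Step 2: the URL the end user opens. Treat it like a password: it logs
    anyone holding it into the console until the federation token expires."""
    query = urllib.parse.urlencode({
        "Action": "login",
        "Issuer": issuer,
        "Destination": destination,
        "SigninToken": signin_token,
    })
    return f"{FEDERATION_ENDPOINT}?{query}"


def console_login_flow(access_key, secret_key, name, issuer):
    """End-to-end: Vault iam_user keys in, console sign-in URL out."""
    creds = get_federation_token(access_key, secret_key, name)
    token = fetch_signin_token(signin_token_request_url(creds))
    return console_login_url(token, issuer)


if __name__ == "__main__":
    # Offline demo with constructed (not real) temporary credentials.
    demo = {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "example-secret",
            "SessionToken": "example-session-token"}
    print(signin_token_request_url(demo))
    print(console_login_url("<signin-token-from-step-1>", issuer="vault.example.com"))
```

Two caveats a practitioner should keep in mind with this workaround: GetFederationToken only accepts long-term IAM user credentials, so it does not apply to Vault's assumed_role or federation_token credential types, and the resulting sign-in URL is itself a bearer credential that should be handed to the end user over the same protected channel as the password would be.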

@joelthompson this looks like something that can totally work, but I would really love to have some native functionality from Vault. CreateLoginProfile is exactly what I'm talking about. This seems to be something pretty easy, and I would love to submit a PR if it doesn't have any complications. @tyrannosaurus-becks

Another option is to give the IAM users permission to set their own passwords, which they can do via the CLI and then use those passwords to login.

Anyway, I agree it should be pretty easy. I guess the main questions are:

  1. Should the username and password be returned for every iam_user credential or only some of them? I would think probably not; I know some folks are sensitive to credentials being used only in the console or NOT via the console, so I would think the answer should be no.
  2. If not, how do we specify which Vault roles should return a username/password, which should return just API creds, and which should be both? I could see either a new credential_type, say, console_user, which returns only the username and password, or maybe some other flag, say, credential_formats that could be something like api_keys (for all existing credential types) and username_password (valid only for iam_user credential type).
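What the proposed native implementation would have to do, as an added example that is not code from the issue or from Vault's AWS secrets engine: generate a random password that satisfies the account's IAM password policy, attach it with iam:CreateLoginProfile only when the role opted in, and remove the login profile again on revocation. The role flag (`console_access`), the function names, the `FakeIAMClient` stand-in for `boto3.client("iam")` and the sample username are assumptions.

```python
"""Added example, not code from the Vault issue or from Vault's AWS secrets
engine: the proposed iam:CreateLoginProfile step, i.e. create a random console
password for the IAM user Vault just generated, only when the role opted in.
The role flag (console_access), the function names and FakeIAMClient are
assumptions; in real use pass boto3.client("iam") instead of the fake."""
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()_+-=[]{}|'"  # symbol set accepted by IAM console passwords
ALL_CHARS = LOWER + UPPER + DIGITS + SYMBOLS
DEFAULT_POLICY = {"MinimumPasswordLength": 8}  # AWS default when no policy is set


def fetch_password_policy(iam):
    """Return the account password policy, or AWS's default if none is configured."""
    try:
        return iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        return dict(DEFAULT_POLICY)


def generate_password(policy, length=32):
    """Random password that satisfies the policy's length and character-class
    requirements (CreateLoginProfile rejects passwords that don't)."""
    length = min(128, max(length, int(policy.get("MinimumPasswordLength", 8))))
    required = [cls for flag, cls in (
        ("RequireLowercaseCharacters", LOWER),
        ("RequireUppercaseCharacters", UPPER),
        ("RequireNumbers", DIGITS),
        ("RequireSymbols", SYMBOLS),
    ) if policy.get(flag)]
    chars = [secrets.choice(cls) for cls in required]  # one of each required class
    chars += [secrets.choice(ALL_CHARS) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # don't leak which positions hold which class
    return "".join(chars)


def create_console_login(iam, username, credential_type="iam_user",
                         console_access=False, reset_required=False):
    """Attach a login profile to a freshly created user and return the password
    to hand out alongside the API keys. Only meaningful for the iam_user
    credential type; assumed_role and federation_token return STS credentials
    with no user to attach a profile to."""
    if not console_access:
        return None
    if credential_type != "iam_user":
        raise ValueError("console passwords are only possible for iam_user credentials")
    password = generate_password(fetch_password_policy(iam))
    # reset_required=True forces a change at first login, which needs iam:ChangePassword
    # in the user's policy and leaves Vault not knowing the new password.
    iam.create_login_profile(UserName=username, Password=password,
                             PasswordResetRequired=reset_required)
    return {"username": username, "password": password}


def revoke_console_login(iam, username):
    """Lease revocation must delete the login profile before iam:DeleteUser,
    which otherwise fails with DeleteConflict."""
    iam.delete_login_profile(UserName=username)


class FakeIAMClient:
    """Offline stand-in for boto3.client("iam") that records the calls made."""

    class exceptions:
        class NoSuchEntityException(Exception):
            pass

    def __init__(self, policy=None):
        self.policy, self.calls = policy, []

    def get_account_password_policy(self):
        if self.policy is None:
            raise self.exceptions.NoSuchEntityException("no custom policy")
        return {"PasswordPolicy": self.policy}

    def create_login_profile(self, **kwargs):
        self.calls.append(("create_login_profile", kwargs))
        return {"LoginProfile": {"UserName": kwargs["UserName"]}}

    def delete_login_profile(self, **kwargs):
        self.calls.append(("delete_login_profile", kwargs))
        return {}


if __name__ == "__main__":
    iam = FakeIAMClient(policy={"MinimumPasswordLength": 16, "RequireSymbols": True,
                                "RequireNumbers": True, "RequireUppercaseCharacters": True,
                                "RequireLowercaseCharacters": True})
    print(create_console_login(iam, "vault-demo-user", console_access=True))
    revoke_console_login(iam, "vault-demo-user")
    print([name for name, _ in iam.calls])
```

The revocation helper matters as much as the creation step: Vault's iam_user cleanup ends in iam:DeleteUser, and that call is refused while a login profile still exists, so a console-enabled user would leave an orphaned password behind unless the profile is deleted first.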

I totally agree with you @joelthompson. I think it should be optional to create AWS IAM console credentials, which can be toggled via some flag/JSON field. I see this might have some security concerns, but I think it could be a good addition.

I agree as well. I tried to make this happen in pure Vault and was surprised that this was not included. I think it could be reasonably simple to implement?

@tyrannosaurus-becks @joelthompson should I try my luck here and try to open a PR for this? I see the label is set to enhancement, so can I give it a shot?

Hi @jay-dee7 - I actually have moved on from HashiCorp! 😄 I think, though, that @kalafut might be a good person to ask.

Hey @kalafut, do you think it would be okay for me to work on this and raise a PR? Or would we need to discuss this further and see whether it aligns with Vault's future direction?
