New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support AWS role chaining for AWS secret engine #13697
Comments
Since there has been no reply, I assume that the issue description is correct and this is currently not possible. Thus, an additional circumstance / use case:
As-is, Vault can only grant administrative access to the entire organization, or multiple administrative roles in the management account have to be created. I would describe this as a fairly common use case where the current situation produces substantial management overhead. |
I'd also like to see this role chaining ability. Right now it seems that this is only 1-deep, meaning unless you use static user IAM credentials configured on each aws secret engine path, you are forced to use whatever security context (iam profile/creds) the vault instance is using to trust to the roles being assumed by all other aws secret engine configurations. With the ability to configure an aws secret engine with a role to be assumed for that secret engine when assuming the roles under it, then you can have a much more configurable (and later separable, portable) configuration: It really unlocks the value of using vault in flexible ways. |
Is your feature request related to a problem? Please describe.
First of all, Vault is awesome :).
I have been trying to configure Vault AWS secret engine with x-account IAM trust to get credential_type assumed_role. The setup works fine for 1 level of indirection but does not work for 2+ levels.
Here's the setup
Vault runs in AWS account A with IAM role - vault
vault role is allowed to assume vault-secret role in Account B
account B has a role called vault-secret. It has a trust relationship to allow A-vault to assume it. It can also assume any role in account B
account B has several IAM roles. Some of these can be assumed by vault-secret role so that Vault could issue ephemeral creds for these roles.
Describe the solution you'd like
I'd like the above setup to work. When creating the aws secret mount/role, an admin should be able to specify what role Vault should assume in order to get temporary creds for an aws role.
Describe alternatives you've considered
An alternative is to remove the indirection, ie, allow A-vault to assume any role in account B and update the corresponding roles in account B to setup trust relationship with A-vault directly instead of B-vault-secret.
This works but it is operationally very expensive to manage, if there are a few hundred accounts like B with thousands of IAM roles managed by different deployment lifecycles. Creating initial setup is not that hard, the challenge arises when doing operations to alter Vault at a future date, eg: 1 Vault might now split into 2 vaults, each having a different IAM role. This would require changing all IAM roles in B to update the trust relationship.
Having the ability to use chained roles would mean that only 1 IAM role B-vault-secret would need to trust the Vault IAM directly. Any updates to the Vault IAM would not require updating every IAM role across every account.
Explain any additional use-cases
Additional context
Configuring static IAM credentials is not desired.
I am happy to do the work if this is something that can be included in the core offering.
The text was updated successfully, but these errors were encountered: