Is your feature request related to a problem? Please describe.
Vault does not know how old the access key is when using the aws secrets engine for an on-premise Vault cluster. It should be noted that if Vault obtains credentials from an IAM instance role profile, I don't know if this is applicable, or that Vault would simply ask STS for new credentials.
Describe the solution you'd like
Although the AWS console has the information about the age of the access key, it would be better to cache this information in Vault and either have Vault understand that the "root IAM credential" it has needs to be rotated out regularly based on a set policy or allow something like Terraform to be able to read the access key age and issue a rotate-root command. Ultimately, knowing how old the "root IAM credential" is and having it rotate out frequently based on set configuration parameters would be great.
Describe alternatives you've considered
The only way around this is custom code with boto3 and Python hvac.
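The boto3 + hvac workaround mentioned under alternatives, written out as an added example (not part of the issue, and not Vault's or hvac's own code): it reads the CreateDate of the IAM user's access keys, applies a maximum-age policy, and asks Vault to run rotate-root when the key is too old. The IAM user name, the mount path and the 30-day limit are assumptions.

```python
from datetime import datetime, timedelta, timezone

VAULT_IAM_USER = "vault-secrets-engine"  # assumed: IAM user whose access key Vault holds
MOUNT_POINT = "aws"                      # assumed: mount path of the AWS secrets engine
MAX_AGE_DAYS = 30                        # assumed: rotation policy


def key_age_days(keys, now):
    """Age in days of the oldest Active key in an iam.list_access_keys()
    AccessKeyMetadata list (dicts with 'Status' and tz-aware 'CreateDate');
    None when the user has no active key."""
    active = [k["CreateDate"] for k in keys if k["Status"] == "Active"]
    if not active:
        return None
    return (now - min(active)) / timedelta(days=1)


def rotation_decision(keys, now, max_age_days=MAX_AGE_DAYS):
    """Return 'rotate', 'ok', 'no-active-key' or 'two-keys'.
    Vault's rotate-root creates a new key before deleting the old one, and IAM
    caps a user at two access keys, so a user already holding two cannot be
    rotated by Vault; that case is reported instead of attempted."""
    if len(keys) >= 2:
        return "two-keys"
    age = key_age_days(keys, now)
    if age is None:
        return "no-active-key"
    return "rotate" if age > max_age_days else "ok"


# Constructed sample in the shape boto3 returns (only the fields used here).
SAMPLE_NOW = datetime(2022, 11, 30, tzinfo=timezone.utc)
SAMPLE_KEYS = [{"Status": "Active",
                "CreateDate": datetime(2022, 10, 1, tzinfo=timezone.utc)}]


def main():
    import boto3  # imported here so the pure functions above run without AWS/Vault libs
    import hvac
    keys = boto3.client("iam").list_access_keys(UserName=VAULT_IAM_USER)["AccessKeyMetadata"]
    decision = rotation_decision(keys, datetime.now(timezone.utc))
    print("decision:", decision)
    if decision == "rotate":
        # hvac reads VAULT_ADDR/VAULT_TOKEN from the environment; rotate-root only
        # applies when Vault was configured with a static key, not an instance profile.
        hvac.Client().secrets.aws.rotate_root_iam_credentials(mount_point=MOUNT_POINT)


if __name__ == "__main__":
    main()
```

The IAM user needs iam:ListAccessKeys on itself for the age check, and Vault's rotate-root additionally needs iam:CreateAccessKey and iam:DeleteAccessKey on that same user.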
allyunion changed the title from "Please add the access key age and/or creation date to AWS Secrets Engine" to "Please add the access key age for non-EC2 Vault clusters and/or creation date to AWS Secrets Engine" on Nov 30, 2022