Please add the access key age for non-EC2 Vault clusters and/or creation date to AWS Secrets Engine #18165

Open
allyunion opened this issue Nov 30, 2022 · 0 comments

allyunion commented Nov 30, 2022

Is your feature request related to a problem? Please describe.
Vault does not know how old the access key is when using the AWS secrets engine for an on-premises Vault cluster. It should be noted that if Vault obtains credentials from an IAM instance role profile, I don't know if this is applicable, or whether Vault would simply ask STS for new credentials.

Describe the solution you'd like
Although the AWS console has the information about the age of the access key, it would be better to cache this information in Vault and either have Vault understand that the "root IAM credential" it has needs to be rotated out regularly based on a set policy, or allow something like Terraform to read the access key age and issue a rotate-root command. Ultimately, knowing how old the "root IAM credential" is and having it rotate out frequently based on set configuration parameters would be great.

Describe alternatives you've considered
The only way around this is custom code with boto3 and Python hvac.

allyunion changed the title from "Please add the access key age and/or creation date to AWS Secrets Engine" to "Please add the access key age for non-EC2 Vault clusters and/or creation date to AWS Secrets Engine" on Nov 30, 2022
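The "custom code with boto3 and Python hvac" workaround the reporter mentions, written out as an added example (this is not code from the Vault project or from the reporter). It reads the access key ID Vault holds from `<mount>/config/root`, looks that key up with `iam:ListAccessKeys` to get its `CreateDate`, and calls Vault's `rotate-root` endpoint through hvac's `secrets.aws.rotate_root_iam_credentials()` when the key is older than a threshold. Two caveats a practitioner should keep in mind: `rotate-root` only works when the root credential is a static IAM user access key (it makes Vault create a new key for that user and delete the old one, so the IAM user needs `iam:CreateAccessKey` and `iam:DeleteAccessKey` on itself), and because the old key is deleted, nothing else may share that user. When Vault is running on instance-profile or environment credentials there is no static key in `config/root` and the script skips. The rotation threshold `MAX_KEY_AGE`, the function names, the IAM user name `vault-root-user`, the `AKIAEXAMPLE...` key IDs and the two `_Fake*` clients are all assumptions made for the example; the AWS and Vault calls used (`hvac.Client.read`, `hvac.Client.secrets.aws.rotate_root_iam_credentials`, `boto3` `iam.list_access_keys`) are real.

```python
"""Age-check and, when stale, rotate the root IAM access key behind Vault's AWS secrets engine.
Added example for this issue, not Vault project code. Clients are injected (an hvac.Client and
a boto3 IAM client in production), so the logic also runs offline against the stand-ins below.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from types import SimpleNamespace

MAX_KEY_AGE = timedelta(days=90)  # assumed rotation policy, not a Vault default


@dataclass(frozen=True)
class AccessKey:
    access_key_id: str
    create_date: datetime  # timezone-aware


def parse_access_keys(response: dict) -> list[AccessKey]:
    """Turn an iam:ListAccessKeys response (boto3 dict shape) into AccessKey records."""
    keys = []
    for meta in response.get("AccessKeyMetadata", []):
        created = meta["CreateDate"]
        if created.tzinfo is None:  # boto3 returns aware datetimes; be defensive anyway
            created = created.replace(tzinfo=timezone.utc)
        keys.append(AccessKey(meta["AccessKeyId"], created))
    return keys


def key_age(key: AccessKey, now: datetime) -> timedelta:
    return now - key.create_date


def rotate_if_needed(vault_client, iam_client, iam_user_name: str, mount: str = "aws",
                     max_age: timedelta = MAX_KEY_AGE, now: datetime | None = None) -> dict:
    """Read Vault's root config, look the key up in IAM, rotate when older than max_age.
    Returns a summary dict whose "action" is "skipped", "kept" or "rotated"."""
    now = now or datetime.now(timezone.utc)
    root = vault_client.read(f"{mount}/config/root") or {}  # GET <mount>/config/root
    vault_key_id = root.get("data", {}).get("access_key") or ""
    if not vault_key_id:
        # No static key: Vault runs on instance-profile/environment credentials, which
        # rotate-root cannot rotate (it only replaces the configured IAM user key).
        return {"action": "skipped", "reason": "no static root access key configured"}

    keys = parse_access_keys(iam_client.list_access_keys(UserName=iam_user_name))
    by_id = {k.access_key_id: k for k in keys}
    if vault_key_id not in by_id:
        # Vault's config and IAM have drifted (out-of-band rotation, wrong user name);
        # a blind rotate-root would paper over that, so refuse instead.
        raise KeyError(f"Vault's access key {vault_key_id} is not a key of {iam_user_name}")
    age = key_age(by_id[vault_key_id], now)
    if age <= max_age:
        return {"action": "kept", "access_key_id": vault_key_id, "age_days": age.days}

    # rotate-root makes Vault create a new key for the user and delete the old one, so
    # anything else still using the old key breaks: the user should be Vault's alone.
    resp = vault_client.secrets.aws.rotate_root_iam_credentials(mount_point=mount)
    if hasattr(resp, "json"):  # older hvac adapters returned a requests.Response
        resp = resp.json()
    return {"action": "rotated", "old_access_key_id": vault_key_id, "age_days": age.days,
            "new_access_key_id": resp.get("data", {}).get("access_key")}


# Offline stand-ins with constructed data, used by demo() below; production passes real clients.
class _FakeIAM:
    def __init__(self, keys):  # keys: [(access_key_id, create_date), ...]
        self.keys = keys

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"UserName": UserName, "AccessKeyId": k, "Status": "Active",
                                       "CreateDate": d} for k, d in self.keys]}


class _FakeVault:
    def __init__(self, access_key):
        self._key = access_key
        self.secrets = SimpleNamespace(aws=SimpleNamespace(rotate_root_iam_credentials=self._rotate))

    def read(self, path):
        return {"data": {"access_key": self._key}} if self._key else {"data": {}}

    def _rotate(self, mount_point="aws"):
        self._key = "AKIAEXAMPLENEW000000"
        return {"data": {"access_key": self._key}}


def demo(now: datetime = datetime(2022, 11, 30, tzinfo=timezone.utc)) -> dict:
    """Run the check over constructed keys: one 10 days old, one 120 days old, one absent."""
    fresh, stale = "AKIAEXAMPLEFRESH0000", "AKIAEXAMPLESTALE0000"
    iam = _FakeIAM([(fresh, now - timedelta(days=10)), (stale, now - timedelta(days=120))])
    return {name: rotate_if_needed(_FakeVault(key), iam, "vault-root-user", now=now)
            for name, key in [("fresh", fresh), ("stale", stale), ("instance_profile", "")]}


if __name__ == "__main__":
    print(demo())
    # Live run (assumed IAM user name; AWS and Vault credentials from the usual environment):
    # import boto3, hvac; print(rotate_if_needed(hvac.Client(), boto3.client("iam"), "vault-root-user"))
```

Run on a schedule (cron, a Lambda, or a Terraform `external` data source feeding a `vault_generic_endpoint` write) this gives the "rotate based on a set policy" behaviour the issue asks for, with the age read from IAM rather than cached in Vault. The refusal on a key ID mismatch is deliberate: if Vault's configured key is not on the user you expect, someone has rotated or reconfigured out of band, and that deserves a look before any automation touches the root credential.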