Merge pull request #31 from nphilbrook/nphilbrook_vault_backed_aws_improvement

Add policy to allow Vault user to rotate its own creds; other small improvements

Author: nphilbrook

vault-backed/aws/aws.tf

@@ -80,7 +80,11 @@ resource "aws_iam_access_key" "secrets_engine_credentials" {
 }
 
 
-# Provides an IAM policy attached to a user. In this case, allowing the secrets_engine user to assume other roles via STS
+# Provides an IAM policy attached to a user. In this case, allowing the secrets_engine user rotate its own access key
+#
+# https://developer.hashicorp.com/vault/api-docs/secret/aws#rotate-root-iam-credentials
+#
+# Note that if the credentials are rotated, there will be drift in this Terraform configuration
 #
 # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy
 resource "aws_iam_user_policy" "vault_secrets_engine_generate_credentials" {
@@ -92,11 +96,14 @@ resource "aws_iam_user_policy" "vault_secrets_engine_generate_credentials" {
     Statement = [
       {
         Action = [
-          "sts:AssumeRole",
+          "iam:GetUser",
+          "iam:CreateAccessKey",
+          "iam:DeleteAccessKey",
+          "iam:ListAccessKeys"
         ]
         Effect   = "Allow"
-        Resource = "${aws_iam_role.tfc_role.arn}"
+        Resource = aws_iam_user.secrets_engine.arn
       },
     ]
   })
-}
+}

vault-backed/aws/vars.tf

@@ -56,4 +56,4 @@ variable "tfc_vault_audience" {
   type        = string
   default     = "vault.workload.identity"
   description = "The audience value to use in run identity tokens"
-}
+}

vault-backed/aws/vault.tf

@@ -10,6 +10,7 @@ provider "vault" {
 #
 # https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/jwt_auth_backend
 resource "vault_jwt_auth_backend" "tfc_jwt" {
+  namespace          = var.vault_namespace
   path               = var.jwt_backend_path
   type               = "jwt"
   oidc_discovery_url = "https://${var.tfc_hostname}"
@@ -43,7 +44,8 @@ resource "vault_jwt_auth_backend_role" "tfc_role" {
 #
 # https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy
 resource "vault_policy" "tfc_policy" {
-  name = "tfc-policy"
+  namespace = var.vault_namespace
+  name      = "tfc-policy"
 
   policy = <<EOT
 # Allow tokens to query themselves
@@ -88,9 +90,10 @@ resource "vault_aws_secret_backend" "aws_secret_backend" {
 #
 # https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/aws_secret_backend_role
 resource "vault_aws_secret_backend_role" "aws_secret_backend_role" {
+  namespace       = var.vault_namespace
   backend         = vault_aws_secret_backend.aws_secret_backend.path
   name            = var.aws_secret_backend_role_name
   credential_type = "assumed_role"
 
   role_arns = [aws_iam_role.tfc_role.arn]
-}
+}