Add policy to allow Vault user to rotate its own creds; other small improvements #31

Merged
15 changes: 11 additions & 4 deletions vault-backed/aws/aws.tf
Expand Up @@ -80,7 +80,11 @@ resource "aws_iam_access_key" "secrets_engine_credentials" {
}


# Provides an IAM policy attached to a user. In this case, allowing the secrets_engine user to assume other roles via STS
# Provides an IAM policy attached to a user. In this case, allowing the secrets_engine user rotate its own access key
#
# https://developer.hashicorp.com/vault/api-docs/secret/aws#rotate-root-iam-credentials
#
# Note that if the credentials are rotated, there will be drift in this Terraform configuration
#
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy
resource "aws_iam_user_policy" "vault_secrets_engine_generate_credentials" {
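Review bot: two points in the new comment block. The sentence "allowing the secrets_engine user rotate its own access key" is missing "to". More importantly, the drift note should state the concrete consequence: after Vault rotates the root credential through the linked endpoint, the key created by `aws_iam_access_key.secrets_engine_credentials` no longer exists in AWS, so the next `terraform plan` proposes re-creating it, and an apply would replace the Vault-rotated key with a new Terraform-managed one. Suggest documenting the procedure (for example removing the key from state with `terraform state rm` once Vault owns it, or creating the initial key outside Terraform) rather than only saying "there will be drift".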
Expand All @@ -92,11 +96,14 @@ resource "aws_iam_user_policy" "vault_secrets_engine_generate_credentials" {
Statement = [
{
Action = [
"sts:AssumeRole",
"iam:GetUser",
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKeys"
]
Effect = "Allow"
Resource = "${aws_iam_role.tfc_role.arn}"
Resource = aws_iam_user.secrets_engine.arn
},
]
})
}
}
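Review bot: this statement drops `sts:AssumeRole` on `aws_iam_role.tfc_role.arn` and scopes the remaining actions to the user's own ARN, but `vault_aws_secret_backend_role.aws_secret_backend_role` in vault.tf still uses `credential_type = "assumed_role"` with `role_arns = [aws_iam_role.tfc_role.arn]`. Since `Statement = [ ... ]` now holds only this one entry, the user has no identity-side allow for AssumeRole; that only works if the `tfc_role` trust policy names the user ARN explicitly (same-account resource-based grant). Otherwise keep a second statement such as `{ Action = ["sts:AssumeRole"], Effect = "Allow", Resource = aws_iam_role.tfc_role.arn }`. The self-rotation scoping itself is correct and least-privilege: `iam:CreateAccessKey` / `iam:DeleteAccessKey` / `iam:ListAccessKeys` on `aws_iam_user.secrets_engine.arn` only, no wildcard resource. Consider also renaming the resource, since `vault_secrets_engine_generate_credentials` no longer describes a self-rotation policy.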
2 changes: 1 addition & 1 deletion vault-backed/aws/vars.tf
Expand Up @@ -56,4 +56,4 @@ variable "tfc_vault_audience" {
type = string
default = "vault.workload.identity"
description = "The audience value to use in run identity tokens"
}
}
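Review bot: no textual change is visible in this hunk (both sides show the closing `}`), so this is a whitespace-only edit, presumably the missing trailing newline; fine to keep, just confirm it is intentional and not an editor artifact.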
7 changes: 5 additions & 2 deletions vault-backed/aws/vault.tf
Expand Up @@ -10,6 +10,7 @@ provider "vault" {
#
# https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/jwt_auth_backend
resource "vault_jwt_auth_backend" "tfc_jwt" {
namespace = var.vault_namespace
Contributor:

I like this a lot more than pulling the namespace from the provider 👍 Thanks!

path = var.jwt_backend_path
type = "jwt"
oidc_discovery_url = "https://${var.tfc_hostname}"
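Review bot: `namespace = var.vault_namespace` is referenced here, but the vars.tf hunk in this PR does not show a `variable "vault_namespace"` declaration; confirm it exists, and give it a `null` default so the configuration still applies against Vault OSS, where namespaces are unavailable and a non-empty value fails. Setting the namespace per resource instead of on the provider is the right call, but it only stays correct if every Vault resource in this file sets it.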
Expand Down Expand Up @@ -43,7 +44,8 @@ resource "vault_jwt_auth_backend_role" "tfc_role" {
#
# https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy
resource "vault_policy" "tfc_policy" {
name = "tfc-policy"
namespace = var.vault_namespace
name = "tfc-policy"

policy = <<EOT
# Allow tokens to query themselves
Expand Down Expand Up @@ -88,9 +90,10 @@ resource "vault_aws_secret_backend" "aws_secret_backend" {
#
# https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/aws_secret_backend_role
resource "vault_aws_secret_backend_role" "aws_secret_backend_role" {
namespace = var.vault_namespace
backend = vault_aws_secret_backend.aws_secret_backend.path
name = var.aws_secret_backend_role_name
credential_type = "assumed_role"

role_arns = [aws_iam_role.tfc_role.arn]
}
}
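Review bot: the role now carries `namespace = var.vault_namespace`, but `backend = vault_aws_secret_backend.aws_secret_backend.path` points at a mount whose resource block is only context in this diff (`resource "vault_aws_secret_backend" "aws_secret_backend"` in the hunk header). If that mount does not get the same `namespace`, the role is created in a different namespace from the mount it references and the apply fails with a path-not-found error; please check it is set there too. This is also the resource that still depends on `credential_type = "assumed_role"` with `role_arns = [aws_iam_role.tfc_role.arn]`, so it should be exercised end to end after the IAM policy change in aws.tf.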