From 7cba6f84de8e1efc03b48e8edd8b25d068341710 Mon Sep 17 00:00:00 2001 From: Sheldon Hearn Date: Wed, 27 May 2015 16:28:24 +0200 Subject: [PATCH 1/2] List IAM permissions required by root credentials --- website/source/docs/secrets/aws/index.html.md | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/website/source/docs/secrets/aws/index.html.md b/website/source/docs/secrets/aws/index.html.md index bf233cff65..7b65a37cde 100644 --- a/website/source/docs/secrets/aws/index.html.md +++ b/website/source/docs/secrets/aws/index.html.md 
@@ -98,6 +98,35 @@ access_key AKIAJZ5YRPHFH3QHRRRQ secret_key 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 ``` +If you get an error message similar to the following, the root credentials that you wrote to `aws/config/root` have insufficient privilege: + +```text +* Error creating IAM user: User: arn:aws:iam::000000000000:user/hashicorp is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::000000000000:user/vault-root-1432735386-4059 +``` + +The root credentials need `iam:CreateUser`, `iam:PutUserPolicy` and `iam:CreateAccessKey` permissions in IAM. These are the actions that the AWS secret backend uses to manage IAM credentials. Here is an example IAM policy that would grant these permissions: + +```javascript +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "iam:CreateAccessKey", + "iam:CreateUser", + "iam:PutUserPolicy" + ], + "Resource": [ + "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/vault-*" + ] + } + ] +} +``` + +Note that this policy example is unrelated to the policy you wrote to `aws/roles/deploy`. This policy example should be applied to the IAM user (or role) associated with the root credentials that you wrote to `aws/config/root`. You have to apply it yourself in IAM. The policy you wrote to `aws/roles/deploy` is the policy you want the AWS secret backend to apply to the temporary credentials it returns from `aws/creds/deploy`. + If you get stuck at any time, simply run `vault help aws` or with a subpath for interactive help output. From 5a28f0bcbdab305dee2c9e622215b28948aa4f8e Mon Sep 17 00:00:00 2001 From: Sheldon Hearn Date: Wed, 27 May 2015 16:42:12 +0200 Subject: [PATCH 2/2] Missed a few IAM permissions --- website/source/docs/secrets/aws/index.html.md | 22 ++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/website/source/docs/secrets/aws/index.html.md b/website/source/docs/secrets/aws/index.html.md index 7b65a37cde..1ab2b614eb 100644 
--- a/website/source/docs/secrets/aws/index.html.md +++ b/website/source/docs/secrets/aws/index.html.md @@ -98,13 +98,22 @@ access_key AKIAJZ5YRPHFH3QHRRRQ secret_key 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 ``` -If you get an error message similar to the following, the root credentials that you wrote to `aws/config/root` have insufficient privilege: +If you get an error message similar to either of the following, the root credentials that you wrote to `aws/config/root` have insufficient privilege: ```text +$ vault read aws/creds/deploy * Error creating IAM user: User: arn:aws:iam::000000000000:user/hashicorp is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::000000000000:user/vault-root-1432735386-4059 + +$ vault revoke aws/creds/deploy/774cfb27-c22d-6e78-0077-254879d1af3c +Revoke error: Error making API request. + +URL: PUT http://127.0.0.1:8200/v1/sys/revoke/aws/creds/deploy/774cfb27-c22d-6e78-0077-254879d1af3c +Code: 400. Errors: + +* invalid request ``` -The root credentials need `iam:CreateUser`, `iam:PutUserPolicy` and `iam:CreateAccessKey` permissions in IAM. These are the actions that the AWS secret backend uses to manage IAM credentials. Here is an example IAM policy that would grant these permissions: +The root credentials need permission to perform various IAM actions. These are the actions that the AWS secret backend uses to manage IAM credentials. Here is an example IAM policy that would grant these permissions: ```javascript { @@ -115,7 +124,14 @@ The root credentials need `iam:CreateUser`, `iam:PutUserPolicy` and `iam:CreateA "Action": [ "iam:CreateAccessKey", "iam:CreateUser", - "iam:PutUserPolicy" + "iam:PutUserPolicy", + "iam:ListGroupsForUser", + "iam:ListUserPolicies", + "iam:ListAccessKeys", + "iam:DeleteAccessKey", + "iam:DeleteUserPolicy", + "iam:RemoveUserFromGroup", + "iam:DeleteUser" ], "Resource": [ "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/vault-*"
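Review bot: In PATCH 1/2 (hunk `@@ -98,6 +98,35 @@`), the example policy is fenced as ```javascript although it is an IAM policy JSON document; tag it ```json so the rendered page highlights it correctly and readers do not mistake it for code to run. Also, the three actions listed here (`iam:CreateAccessKey`, `iam:CreateUser`, `iam:PutUserPolicy`) only cover issuing credentials, so the sentence "These are the actions that the AWS secret backend uses to manage IAM credentials" overstates completeness: revoking a lease needs the list and delete actions that PATCH 2/2 adds. Keeping `Resource` limited to `arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/vault-*` is the right least-privilege scope; the user named in the error, `vault-root-1432735386-4059`, matches that pattern.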
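Review bot: In PATCH 2/2, first hunk (`@@ -98,13 +98,22 @@`), the new second example (`vault revoke aws/creds/deploy/...` returning `Code: 400. Errors:` / `* invalid request`) is a generic error that, unlike the first, names neither the denied action nor the resource, so a reader cannot tell from it which IAM permission is missing; the introducing sentence should say that the revoke failure is non-specific and that the full action list in the policy must be granted, rather than presenting the two errors as equivalent diagnostics. The change from the explicit `iam:CreateUser`, `iam:PutUserPolicy` and `iam:CreateAccessKey` wording to "permission to perform various IAM actions" also loses precision; suggest "permission to perform the IAM actions listed in the policy below".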
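Review bot: In PATCH 2/2, second hunk (`@@ -115,7 +124,14 @@`), the seven added actions all inherit the single `Resource` entry `arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/vault-*`. Worth checking `iam:RemoveUserFromGroup` against the IAM action reference: if that action is authorized on the group ARN rather than the user ARN, a user-only `Resource` will not cover it and revocation of a Vault-created user that was added to a group would still fail with the same 400; either add the relevant group ARN(s) as a second `Resource` entry or state in the docs that the backend never places its users in groups. Minor style point: the action list is no longer in any order (Create*, then List*, Delete*, RemoveUserFromGroup, DeleteUser); grouping the create-side and revoke-side actions, or sorting them, would make later additions easier to review.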