Add example policy to AWS secrets engine for AssumeRole that will still be able to rotate itself (#30747)

* Created branch nphilbrook_aws_engine_sts_assume_role_policy_example from main

* Info on permissions required to rotate root creds

* Replace actual AWS IAM user ARN with example

* Conform to style guide

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>

* Remove trailing text

* More wordsmithing

---------

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
nphilbrook 2025-06-17 15:20:21 -04:00 committed by GitHub
parent 46d38878c0
commit c48039637d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -335,9 +335,9 @@ For more details on rotating root credentials in the AWS Secrets engine, refer t
## IAM permissions policy for Vault
The `aws/config/root` credentials need permission to manage dynamic IAM users.
Here is an example AWS IAM policy that grants the most commonly required
permissions Vault needs:
When using `credential_type=iam_user`, the `aws/config/root` credentials need
permission to manage dynamic IAM users. Here is an example AWS IAM policy that
grants the most commonly required permissions Vault needs:
```json
{
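Review bot: the rewritten intro now scopes the example policy to `credential_type=iam_user`, but the `## IAM permissions policy for Vault` heading above it still reads as if it covers every credential type. Since the STS case gets its own `### Policies for STS credentials` subsection further down in this change, consider adding a short pointer right after this paragraph, such as "For `assumed_role`, `session_token`, and `federation_token`, see Policies for STS credentials below", so readers running STS-only setups do not copy the broader IAM-user management policy by default.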
@ -420,6 +420,34 @@ boundary policies that you wish to ensure that Vault uses. This policy will
ensure that Vault uses one of the permissions boundaries specified (not all of
them).
### Policies for STS credentials
AWS root credentials (`aws/config/root`) do not require permission to manage
dynamic IAM users when using STS credentials like `assumed_role`, `session_token`,
or `federation_token`.
To use STS credentials with
[the rotate endpoint](/vault/api-docs/secret/aws#rotate-root-iam-credentials)
to rotate IAM user credentials, you must grant the following permissions on the
IAM user itself:
```json
{
"Statement": [
{
"Action": [
"iam:ListAccessKeys",
"iam:GetUser",
"iam:DeleteAccessKey",
"iam:CreateAccessKey"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/vault-iam-user"
}
],
"Version": "2012-10-17"
}
```
## Plugin Workload Identity Federation (WIF)
<EnterpriseAlert product="vault" />
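Review bot: the sentence "To use STS credentials with the rotate endpoint to rotate IAM user credentials" reads as if the STS credentials themselves are rotated; what the rotate endpoint rotates is the access key of the IAM user stored in `aws/config/root`, and the point of this subsection is that this user still needs the four `iam:*` actions on its own ARN even when Vault only issues STS credentials. Suggest rephrasing along the lines of "Even when Vault only issues STS credentials, the IAM user behind `aws/config/root` must be able to rotate its own access key through the rotate endpoint. Attach the following policy to that user, with `Resource` set to the user's own ARN:". It is also worth saying explicitly that `Resource` must be the ARN of that same user (the example uses the placeholder `vault-iam-user`), because scoping `iam:DeleteAccessKey` and `iam:CreateAccessKey` to the user's own ARN is what keeps this from becoming a general access-key management grant.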