From c48039637d21d7b95e9fd153345e25b73cd338d2 Mon Sep 17 00:00:00 2001 From: nphilbrook <42616679+nphilbrook@users.noreply.github.com> Date: Tue, 17 Jun 2025 15:20:21 -0400 Subject: [PATCH] Add example policy to AWS secrets engine for AssumeRole that will still be able to rotate itself (#30747) * Created branch nphilbrook_aws_engine_sts_assume_role_policy_example from main * Info on permissions required to rotate root creds * Replace actual AWS IAM user ARN with example * Conform to style guide Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> * Remove trailing text * More wordsmithing --------- Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- website/content/docs/secrets/aws.mdx | 34 +++++++++++++++++++++++++--- 1 file changed, 31 insertions(+), 3 deletions(-) diff --git a/website/content/docs/secrets/aws.mdx b/website/content/docs/secrets/aws.mdx index 16d892a7fa..8baa8436cd 100644 --- a/website/content/docs/secrets/aws.mdx +++ b/website/content/docs/secrets/aws.mdx @@ -335,9 +335,9 @@ For more details on rotating root credentials in the AWS Secrets engine, refer t ## IAM permissions policy for Vault -The `aws/config/root` credentials need permission to manage dynamic IAM users. -Here is an example AWS IAM policy that grants the most commonly required -permissions Vault needs: +When using `credential_type=iam_user`, the `aws/config/root` credentials need +permission to manage dynamic IAM users. Here is an example AWS IAM policy that +grants the most commonly required permissions Vault needs: ```json { 
@@ -420,6 +420,34 @@ boundary policies that you wish to ensure that Vault uses. This policy will ensure that Vault uses one of the permissions boundaries specified (not all of them). +### Policies for STS credentials +AWS root credentials (`aws/config/root`) do not require permission to manage +dynamic IAM users when using STS credentials like `assumed_role`, `session_token`, +or `federation_token`. + +To use STS credentials with +[the rotate endpoint](/vault/api-docs/secret/aws#rotate-root-iam-credentials) +to rotate IAM user credentials, you must grant the following permissions on the +IAM user itself: + +```json +{ + "Statement": [ + { + "Action": [ + "iam:ListAccessKeys", + "iam:GetUser", + "iam:DeleteAccessKey", + "iam:CreateAccessKey" + ], + "Effect": "Allow", + "Resource": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/vault-iam-user" + } + ], + "Version": "2012-10-17" +} +``` + ## Plugin Workload Identity Federation (WIF)
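Review bot: the rewritten intro in the first hunk now scopes the "manage dynamic IAM users" permissions to `credential_type=iam_user`, but a reader whose roles use `assumed_role`, `session_token` or `federation_token` gets no pointer from this paragraph to the smaller policy that suffices for them; consider closing the paragraph with a sentence such as "If all roles on this mount use STS credential types, see Policies for STS credentials below." so the least-privilege option is not missed by readers who stop at the first policy.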
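Review bot: in the second hunk, "AWS root credentials (`aws/config/root`) do not require permission to manage dynamic IAM users when using STS credentials like `assumed_role`, `session_token`, or `federation_token`" holds only when every role on the mount uses one of those credential types; a mount that also serves `credential_type=iam_user` roles still needs the broader policy from the section above, so qualify the sentence, e.g. "If every role on the mount uses STS credentials like ..., the root credentials do not require ...". Style point: `+### Policies for STS credentials` is immediately followed by the paragraph with no blank line, whereas the other headings in this file (see `## IAM permissions policy for Vault` in the previous hunk) are followed by one; add the blank line for consistency.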