AWS dynamic secrets
HCP Vault Secrets can create short-lived AWS credentials on demand.
Prerequisites
- Ability to create AWS IAM identity providers, users, and roles
- Your AWS principal may use the managed IAMFullAccess policy or a custom policy for authorization
- Ability to create HCP Vault Secrets integrations, apps, and secrets
Set up AWS
HCP Vault Secrets is able to authenticate with your AWS account using two different methods. Each method requires AWS resources to provision dynamic credentials:
- OpenID Connect (OIDC) Federation (Recommended)
  - IAM OIDC identity provider
  - IAM role that HCP can assume through its web identity
  - IAM role with the permissions to grant to the generated dynamic credentials
- Access Keys
  - IAM user with an access key pair
  - IAM role with the permissions to grant to the generated dynamic credentials
Configure your AWS account using either the AWS console or Terraform.
Add identity provider
Navigate to the Add an Identity provider section in the AWS IAM service.
Select the OpenID connect provider type.
Use https://idp.hashicorp.com/oidc/organization/<org-id> as the provider URL, replacing the placeholder with your HCP organization ID.
Note
You can navigate to the AWS integration creation page on the HCP portal and select AWS STS credentials from the list to easily find the appropriate Provider URL and org ID.
Use arn:aws:iam::<account-id>:oidc-provider/idp.hashicorp.com/oidc/organization/<org-id> as the audience, replacing the placeholders with your AWS account ID and HCP organization ID.
Click Add provider.
Select the identity provider you just created and note its ARN and Audience for the next steps.
Create IAM role for integration
Navigate to the Create Role section in the AWS IAM service.
Select the Web Identity trust entity type.
Select the Identity provider and Audience created in the previous step from the dropdown and click Next.
This role does not need permissions; click Next.
Give the role a name and optionally a description and tags, then click Create role.
Select the role you just created and note its ARN for the next steps.
Create IAM role for dynamic secret
Navigate again to the Create Role section in the AWS IAM service.
Select the Custom trust policy trust entity type.
Paste the following into the trust policy editor, replacing the highlighted placeholder text with the AWS IAM role ARN created earlier, and click Next.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<iam-role-arn-from-step-2.6>"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
Attach or create a new policy with the permissions to grant to the dynamic credentials HCP Vault Secrets will provision.
Give the role a name and optionally a description and tags, then click Create role.
Select the role you just created and note its ARN for the next steps.
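The AWS side of the OIDC federation setup above (identity provider, integration role, dynamic-secret role) expressed as Terraform. This is an added example, not HashiCorp's code; it assumes a variable hcp_org_id holding your HCP organization ID and uses placeholders for the provider thumbprint and for the permissions policy ARN.

```terraform
variable "hcp_org_id" { type = string } # assumption: your HCP organization ID
data "aws_caller_identity" "current" {}

locals {
  idp_host = "idp.hashicorp.com/oidc/organization/${var.hcp_org_id}"
  # Audience in the format the HCP integration expects (see the steps above).
  audience = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.idp_host}"
}

# Identity provider: the OIDC issuer for your HCP organization.
resource "aws_iam_openid_connect_provider" "hcp" {
  url             = "https://${local.idp_host}"
  client_id_list  = [local.audience]
  thumbprint_list = ["<idp-certificate-thumbprint>"] # placeholder: obtain from AWS
}

# Integration role assumed by HCP via web identity; the aud condition pins trust to this audience only.
resource "aws_iam_role" "hcp_integration" {
  name = "hcp-vault-secrets-integration"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Federated = aws_iam_openid_connect_provider.hcp.arn }
      Action    = "sts:AssumeRoleWithWebIdentity"
      Condition = { StringEquals = { ("${local.idp_host}:aud") = local.audience } }
    }]
  })
}

# Dynamic-secret role: only the integration role may assume it; its attached policy is what the credentials receive.
resource "aws_iam_role" "hcp_dynamic_secret" {
  name = "hcp-vault-secrets-dynamic"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = aws_iam_role.hcp_integration.arn }
      Action    = "sts:AssumeRole"
    }]
  })
  # Caps the TTL HCP can request for generated credentials (1 hour, as the page notes is typical).
  max_session_duration = 3600
}

resource "aws_iam_role_policy_attachment" "dynamic_permissions" {
  role       = aws_iam_role.hcp_dynamic_secret.name
  policy_arn = "<policy-arn-for-dynamic-credentials>" # placeholder: a least-privilege policy
}
```

Use the ARN of aws_iam_role.hcp_integration as the integration role and the ARN of aws_iam_role.hcp_dynamic_secret as the dynamic secret role in the HCP steps that follow.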
Configure dynamic secrets
Navigate to the Vault Secrets app panel and select an app where you want to create a dynamic secret.
Click Create new secret and select Dynamic secret.
Select the AWS option from the pull down menu.
Select an existing integration or select Add new integration.
Select an Authentication method and follow the appropriate steps below.
Provide a unique Integration Name for this integration.
Use the AWS IAM identity provider audience configured during the previous steps. The format is arn:aws:iam::<account-id>:oidc-provider/idp.hashicorp.com/oidc/organization/<org-id>.
Use the Integration AWS IAM role ARN configured during the previous steps. This role is used by HCP to manage credentials.
Click Add new integration to return to the new secret form.
Note
If you encounter an error, make sure the audience matches between HCP and AWS. Also verify the condition on the trust relationship for the AWS IAM role corresponds to your HCP organization ID, project ID and integration name.
Add new dynamic secret
Provide a unique Secret Name for this secret.
Use the dynamic secret AWS IAM role ARN configured during the previous steps.
Select a Time to Live (TTL) for the generated dynamic credentials between 15 minutes and 12 hours. Note that the upper limit may vary based on your AWS IAM role's maximum session duration, which is typically 1 hour.
Accessing dynamic credentials
A dynamic secret is a template to generate dynamic credentials on demand. Each time a dynamic secret is accessed, a new credentials set is generated and shared exclusively with the requesting client. Dynamic credentials can be generated using:
- the HCP API:
curl --location "https://api.cloud.hashicorp.com/secrets/2023-11-28/organizations/${HCP_ORG_ID}/projects/${HCP_PROJ_ID}/apps/${APP_NAME}/secrets/${SECRET_NAME}:open" \
  --request GET \
  --header "Authorization: Bearer ${HCP_API_TOKEN}" | jq
- the HCP CLI:
hcp vault-secrets secrets open ${SECRET_NAME}
- the HCP Terraform provider:
data "hcp_vault_secrets_dynamic_secret" "my_dynamic_secret" {
  app_name    = "my-app"
  secret_name = "my_dynamic_secret"
}