
rotate static AWS IAM credentials #29


Conversation

ribbybibby (Contributor)

This adds a deployment that allows for frequent and automated rotation of the IAM credentials used by the AWS secret backend.

It consists of:

  1. A service that periodically calls /v1/aws/config/rotate-root to rotate the access key
  2. A script which is run by the user when setting up a new cluster that sets the initial credentials

These are the steps that would need to be taken as part of the bootstrapping:

$ aws iam create-access-key --user-name <username>
  <output containing keys>
$ kubectl --context=<context> -n <namespace> exec -it vault-aws-credentials-rotator-<hash> -- vault-aws-credentials.sh init
  Access Key ID: <insert key>
  Secret Access Key: <insert key>

Upsides to this approach include:

  • Credentials aren't stored anywhere in git, or known outside of vault at all
  • Allows us to adhere to AWS best practices around frequent access key rotation

Downsides:

  • Adds some state to the vault cluster. One of the nicest things about our vault setup is that you can completely destroy the namespace and have everything back and working as intended simply by re-applying the manifests. With this change, you would have to bootstrap AWS manually again.
  • Adds more complexity to the vault setup in general
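The two pieces the PR describes, the one-time `init` step and the service that periodically calls `/v1/aws/config/rotate-root`, as an added example that is not the PR's own code. It assumes Vault's AWS secrets engine is mounted at `aws`, a token that may update `aws/config/root` and `aws/config/rotate-root`, and a hypothetical injectable `opener` (defaulting to `urllib.request.urlopen`) so the logic can be exercised without a live Vault.

```python
import json
import time
import urllib.request


def vault_post(vault_addr, token, path, body=None, opener=urllib.request.urlopen):
    """POST to a Vault API path and return the JSON reply ({} on 204 No Content).
    `opener` is an assumed hook that lets tests substitute a fake HTTP client."""
    req = urllib.request.Request(
        f"{vault_addr.rstrip('/')}/v1/{path}",
        data=json.dumps(body or {}).encode(),
        method="POST",
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
    )
    with opener(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def init_root(vault_addr, token, access_key, secret_key, region, opener=urllib.request.urlopen):
    """One-time bootstrap: hand the key pair from `aws iam create-access-key` to
    Vault as the engine's root credentials. Only Vault holds the secret afterwards."""
    body = {"access_key": access_key, "secret_key": secret_key, "region": region}
    return vault_post(vault_addr, token, "aws/config/root", body, opener)


def rotate_root(vault_addr, token, opener=urllib.request.urlopen):
    """Have Vault mint a new key for the root IAM user, store it and delete the
    old one. Returns the new access key id; the secret key never leaves Vault."""
    reply = vault_post(vault_addr, token, "aws/config/rotate-root", None, opener)
    return reply.get("data", {}).get("access_key")


def run_rotator(vault_addr, token, interval_s, rounds=None, opener=urllib.request.urlopen):
    """Rotate every `interval_s` seconds, forever unless `rounds` is given.
    Returns the key ids produced, which is what an audit log should record."""
    key_ids = []
    while rounds is None or len(key_ids) < rounds:
        key_ids.append(rotate_root(vault_addr, token, opener))
        if rounds is None or len(key_ids) < rounds:
            time.sleep(interval_s)
    return key_ids
```

In the deployment the rotator pod would call `run_rotator` with `VAULT_ADDR`/`VAULT_TOKEN` from its environment, and the operator's `init` step is a single `init_root` call with the keys pasted at the prompt; after that the access key id is the only part of the credential that is ever logged.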
