---
layout: "api"
page_title: "AWS - Secrets Engines - HTTP API"
sidebar_title: "AWS"
sidebar_current: "api-http-secret-aws"
description: |-
  This is the API documentation for the Vault AWS secrets engine.
---

# AWS Secrets Engine (API)

This is the API documentation for the Vault AWS secrets engine. For general
information about the usage and operation of the AWS secrets engine, please see
the [Vault AWS documentation](/docs/secrets/aws/index.html).

This documentation assumes the AWS secrets engine is enabled at the `/aws` path
in Vault. Since it is possible to enable secrets engines at any location, please
update your API calls accordingly.

## Configure Root IAM Credentials

This endpoint configures the root IAM credentials to communicate with AWS. There
are multiple ways to pass root IAM credentials to the Vault server, specified
below with the highest precedence first. If credentials already exist, this will
overwrite them.

The official AWS SDK is used for sourcing credentials from env vars, shared
files, or IAM/ECS instances.

- Static credentials provided to the API as a payload
- Credentials in the `AWS_ACCESS_KEY`, `AWS_SECRET_KEY`, and `AWS_REGION`
  environment variables **on the server**
- Shared credentials files
- Assigned IAM role or ECS task role credentials

At present, this endpoint does not confirm that the provided AWS credentials are
valid AWS credentials with proper permissions.

| Method | Path |
| :--------------------------- | :--------------------- |
| `POST` | `/aws/config/root` |

### Parameters

- `max_retries` `(int: -1)` - Number of max retries the client should use for
  recoverable errors. The default (`-1`) falls back to the AWS SDK's default
  behavior.
- `access_key` `(string: <required>)` – Specifies the AWS access key ID.
- `secret_key` `(string: <required>)` – Specifies the AWS secret access key.
- `region` `(string: <optional>)` – Specifies the AWS region. If not set it
  will use the `AWS_REGION` env var, `AWS_DEFAULT_REGION` env var, or
  `us-east-1` in that order.
- `iam_endpoint` `(string: <optional>)` – Specifies a custom HTTP IAM endpoint to use.
- `sts_endpoint` `(string: <optional>)` – Specifies a custom HTTP STS endpoint to use.

### Sample Payload

```json
{
  "access_key": "AKIA...",
  "secret_key": "2J+...",
  "region": "us-east-1"
}
```

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/aws/config/root
```

## Rotate Root IAM Credentials

When you have configured Vault with static credentials, you can use this
endpoint to have Vault rotate the access key it used. Note that, due to AWS
eventual consistency, after calling this endpoint, subsequent calls from Vault
to AWS may fail for a few seconds until AWS becomes consistent again.

In order to call this endpoint, Vault's AWS access key MUST be the only access
key on the IAM user; otherwise, generation of a new access key will fail. Once
this method is called, Vault will be the only entity that knows the AWS
secret key used to access AWS.

| Method | Path |
| :--------------------------- | :--------------------- |
| `POST` | `/aws/config/rotate-root` |

### Parameters

There are no parameters to this operation.

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    http://127.0.0.1:8200/v1/aws/config/rotate-root
```

### Sample Response

```json
{
  "data": {
    "access_key": "AKIA..."
  }
}
```

The new access key Vault uses is returned by this operation.

## Configure Lease

This endpoint configures lease settings for the AWS secrets engine. It is
optional, as there are default values for `lease` and `lease_max`.

| Method | Path |
| :--------------------------- | :--------------------- |
| `POST` | `/aws/config/lease` |

### Parameters

- `lease` `(string: <required>)` – Specifies the lease value provided as a
  string duration with time suffix. "h" (hour) is the largest suffix.
- `lease_max` `(string: <required>)` – Specifies the maximum lease value
  provided as a string duration with time suffix. "h" (hour) is the largest
  suffix.

### Sample Payload

```json
{
  "lease": "30m",
  "lease_max": "12h"
}
```

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/aws/config/lease
```

## Read Lease

This endpoint returns the current lease settings for the AWS secrets engine.

| Method | Path |
| :--------------------------- | :--------------------- |
| `GET` | `/aws/config/lease` |

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/aws/config/lease
```

### Sample Response

```json
{
  "data": {
    "lease": "30m0s",
    "lease_max": "12h0m0s"
  }
}
```

## Create/Update Role

This endpoint creates or updates the role with the given `name`. If a role with
the name does not exist, it will be created. If the role exists, it will be
updated with the new attributes.

| Method | Path |
| :--------------------------- | :--------------------- |
| `POST` | `/aws/roles/:name` |

### Parameters

- `name` `(string: <required>)` – Specifies the name of the role to create. This
  is part of the request URL.
- `credential_type` `(string: <required>)` – Specifies the type of credential to be used when
  retrieving credentials from the role. Must be one of `iam_user`,
  `assumed_role`, or `federation_token`.
- `role_arns` `(list: [])` – Specifies the ARNs of the AWS roles this Vault role
  is allowed to assume. Required when `credential_type` is `assumed_role` and
  prohibited otherwise. This is a comma-separated string or JSON array.
- `policy_arns` `(list: [])` – Specifies the ARNs of the AWS managed policies to
  be attached to IAM users when they are requested. Valid only when
  `credential_type` is `iam_user`. When `credential_type` is `iam_user`, at
  least one of `policy_arns` or `policy_document` must be specified. This is a
  comma-separated string or JSON array.
- `policy_document` `(string)` – The IAM policy document for the role. The
  behavior depends on the credential type. With `iam_user`, the policy document
  will be attached to the IAM user generated and augment the permissions the IAM
  user has. With `assumed_role` and `federation_token`, the policy document will
  act as a filter on what the credentials can do.
- `default_sts_ttl` `(string)` - The default TTL for STS credentials. When a TTL is not
  specified when STS credentials are requested, and a default TTL is specified
  on the role, then this default TTL will be used. Valid only when
  `credential_type` is one of `assumed_role` or `federation_token`.
- `max_sts_ttl` `(string)` - The max allowed TTL for STS credentials (credential
  TTLs are capped to `max_sts_ttl`). Valid only when `credential_type` is one of
  `assumed_role` or `federation_token`.
- `user_path` `(string)` - The path for the user name. Valid only when
  `credential_type` is `iam_user`. Default is `/`.

Legacy parameters:

These parameters are supported for backwards compatibility only. They cannot be
mixed with the parameters listed above.

- `policy` `(string: <required unless arn provided>)` – Specifies the IAM policy
  in JSON format.
- `arn` `(string: <required unless policy provided>)` – Specifies the full ARN
  reference to the desired existing policy.

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/aws/roles/example-role
```

### Sample Payloads

Using an inline IAM policy:

```json
{
  "credential_type": "federation_token",
  "policy_document": "{\"Version\": \"...\"}"
}
```

Using an ARN:

```json
{
  "credential_type": "assumed_role",
  "role_arns": "arn:aws:iam::123456789012:role/DeveloperRole"
}
```
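The parameter rules above (which fields are required, prohibited or only valid for a given `credential_type`, and that legacy `policy`/`arn` cannot be mixed with the current parameters) are easy to get wrong when a role body is built by automation. The following is an added example, not Vault's own code: Vault enforces these rules server-side, and this validator mirrors them client-side so a misconfigured role is rejected before it is sent. The function names `validate_role_payload` and `normalize_list` are this example's own.

```python
"""Added example: client-side checks mirroring the Create/Update Role parameter
rules on this page. Vault enforces the same rules itself; names here are the
example's own, not a Vault API."""
import json

CURRENT_PARAMS = {"credential_type", "role_arns", "policy_arns", "policy_document",
                  "default_sts_ttl", "max_sts_ttl", "user_path"}
LEGACY_PARAMS = {"policy", "arn"}
STS_TYPES = {"assumed_role", "federation_token"}
CREDENTIAL_TYPES = STS_TYPES | {"iam_user"}


def normalize_list(value):
    """`role_arns` and `policy_arns` accept a comma-separated string or a JSON array."""
    if value is None:
        return []
    if isinstance(value, str):
        return [item.strip() for item in value.split(",") if item.strip()]
    if isinstance(value, (list, tuple)):
        return [str(item) for item in value]
    raise TypeError(f"expected string or list, got {type(value).__name__}")


def validate_role_payload(payload):
    """Return a list of problems with a Create/Update Role body; [] means acceptable."""
    problems = []
    keys = set(payload)
    unknown = keys - CURRENT_PARAMS - LEGACY_PARAMS
    if unknown:
        problems.append(f"unknown parameters: {sorted(unknown)}")

    legacy, current = keys & LEGACY_PARAMS, keys & CURRENT_PARAMS
    if legacy and current:
        problems.append("legacy `policy`/`arn` cannot be mixed with the current parameters")
        return problems
    if legacy:
        if not (payload.get("policy") or payload.get("arn")):
            problems.append("legacy form needs `policy` or `arn`")
        return problems

    ctype = payload.get("credential_type")
    if ctype not in CREDENTIAL_TYPES:
        problems.append(f"credential_type must be one of {sorted(CREDENTIAL_TYPES)}")
        return problems
    role_arns = normalize_list(payload.get("role_arns"))
    policy_arns = normalize_list(payload.get("policy_arns"))
    policy_document = payload.get("policy_document")

    # role_arns: required for assumed_role, prohibited otherwise
    if ctype == "assumed_role" and not role_arns:
        problems.append("role_arns is required when credential_type is assumed_role")
    if ctype != "assumed_role" and role_arns:
        problems.append("role_arns is prohibited unless credential_type is assumed_role")

    # policy_arns and user_path: iam_user only; iam_user needs some policy source
    if ctype == "iam_user":
        if not policy_arns and not policy_document:
            problems.append("iam_user needs at least one of policy_arns or policy_document")
    else:
        if policy_arns:
            problems.append("policy_arns is valid only when credential_type is iam_user")
        if "user_path" in payload:
            problems.append("user_path is valid only when credential_type is iam_user")

    # STS TTLs only apply to assumed_role / federation_token
    if ctype not in STS_TYPES:
        for key in ("default_sts_ttl", "max_sts_ttl"):
            if key in payload:
                problems.append(f"{key} is valid only for assumed_role or federation_token")

    # policy_document is a JSON policy passed as a string (see the sample payloads)
    if policy_document is not None:
        try:
            json.loads(policy_document)
        except (TypeError, ValueError):
            problems.append("policy_document must be a JSON policy serialized as a string")
    return problems


if __name__ == "__main__":
    # Constructed payloads: the two from the page, then a deliberately wrong one.
    for body in ({"credential_type": "federation_token",
                  "policy_document": "{\"Version\": \"...\"}"},
                 {"credential_type": "assumed_role",
                  "role_arns": "arn:aws:iam::123456789012:role/DeveloperRole"},
                 {"credential_type": "iam_user", "role_arns": ["arn:aws:iam::123456789012:role/x"]}):
        print(body, "->", validate_role_payload(body) or "ok")
```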

## Read Role

This endpoint queries an existing role by the given name. If the role does not
exist, a 404 is returned.

| Method | Path |
| :--------------------------- | :--------------------- |
| `GET` | `/aws/roles/:name` |

If invalid role data was supplied to the role from an earlier version of Vault,
then it will show up in the response as `invalid_data`.

### Parameters

- `name` `(string: <required>)` – Specifies the name of the role to read. This
  is part of the request URL.

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/aws/roles/example-role
```

### Sample Responses

For an inline IAM policy:

```json
{
  "data": {
    "policy_document": "{\"Version\": \"...\"}",
    "policy_arns": [],
    "credential_types": ["assumed_role"],
    "role_arns": []
  }
}
```

For a role ARN:

```json
{
  "data": {
    "policy_document": "",
    "policy_arns": [],
    "credential_types": ["assumed_role"],
    "role_arns": ["arn:aws:iam::123456789012:role/example-role"]
  }
}
```

## List Roles

This endpoint lists all existing roles in the secrets engine.

| Method | Path |
| :--------------------------- | :--------------------- |
| `LIST` | `/aws/roles` |

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    http://127.0.0.1:8200/v1/aws/roles
```

### Sample Response

```json
{
  "data": {
    "keys": [
      "example-role"
    ]
  }
}
```

## Delete Role

This endpoint deletes an existing role by the given name. If the role does not
exist, a 404 is returned.

| Method | Path |
| :--------------------------- | :--------------------- |
| `DELETE` | `/aws/roles/:name` |

### Parameters

- `name` `(string: <required>)` – Specifies the name of the role to delete. This
  is part of the request URL.

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/aws/roles/example-role
```

## Generate Credentials

This endpoint generates credentials based on the named role. This role must be
created before it can be queried.

| Method | Path |
| :--------------------------- | :--------------------- |
| `GET` | `/aws/creds/:name` |
| `GET` | `/aws/sts/:name` |

The `/aws/creds` and `/aws/sts` endpoints are almost identical. The exception is
when retrieving credentials for a role that was specified with the legacy `arn`
or `policy` parameter. In this case, credentials retrieved through `/aws/sts`
must be of either the `assumed_role` or `federation_token` types, and
credentials retrieved through `/aws/creds` must be of the `iam_user` type.

### Parameters

- `name` `(string: <required>)` – Specifies the name of the role to generate
  credentials against. This is part of the request URL.
- `role_arn` `(string)` – The ARN of the role to assume if `credential_type` on
  the Vault role is `assumed_role`. Must match one of the allowed role ARNs in
  the Vault role. Optional if the Vault role only allows a single AWS role ARN;
  required otherwise.
- `ttl` `(string: "3600s")` – Specifies the TTL for the use of the STS token.
  This is specified as a string with a duration suffix. Valid only when
  `credential_type` is `assumed_role` or `federation_token`. When not specified,
  the `default_sts_ttl` set for the role will be used. If that is also not set, then
  the default value of `3600s` will be used. AWS places limits
  on the maximum TTL allowed. See the AWS documentation on the `DurationSeconds`
  parameter for
  [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html)
  (for `assumed_role` credential types) and
  [GetFederationToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html)
  (for `federation_token` credential types) for more details.

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/aws/creds/example-role
```

### Sample Response

```json
{
  "data": {
    "access_key": "AKIA...",
    "secret_key": "xlCs...",
    "security_token": null
  }
}
```
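Two passages on this page rely on the same duration format: the lease endpoints (`lease`/`lease_max` as a string duration where "h" is the largest suffix, echoed back as `30m0s`/`12h0m0s`) and the `ttl` parameter above (request `ttl`, else the role's `default_sts_ttl`, else `3600s`, capped by the role's `max_sts_ttl`). The following is an added example, not Vault's own code, serving both: a parser for that format, a lease-config builder that refuses a `lease` longer than `lease_max`, the STS TTL resolution, and the `/aws/creds` versus `/aws/sts` rule for legacy roles. Function names are this example's own; the AWS-side `DurationSeconds` limits are not modelled.

```python
"""Added example: helpers for the duration strings used by the lease endpoints
and for the STS TTL resolution and endpoint rules under Generate Credentials.
Function names are this example's own; the rules come from the page."""
import re

_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}
_TOKEN = re.compile(r"(\d+)([hms])")


def parse_duration(text):
    """Parse '30m', '12h', '1h30m' or the '12h0m0s' form Vault echoes back into
    seconds. 'h' is the largest suffix, so '1d' and bare numbers are rejected."""
    if not isinstance(text, str):
        raise TypeError("duration must be a string")
    parts = _TOKEN.findall(text)
    # Require the tokens to cover the whole string: no stray units or whitespace.
    if not parts or "".join(num + unit for num, unit in parts) != text:
        raise ValueError(f"invalid duration: {text!r}")
    return sum(int(num) * _UNIT_SECONDS[unit] for num, unit in parts)


def lease_config_payload(lease, lease_max):
    """Build the /aws/config/lease body, refusing a lease longer than lease_max
    or a zero duration before the request is sent."""
    lease_s, max_s = parse_duration(lease), parse_duration(lease_max)
    if lease_s <= 0 or max_s <= 0:
        raise ValueError("lease and lease_max must be positive")
    if lease_s > max_s:
        raise ValueError(f"lease {lease} exceeds lease_max {lease_max}")
    return {"lease": lease, "lease_max": lease_max}


def resolve_sts_ttl(requested=None, default_sts_ttl=None, max_sts_ttl=None):
    """Effective TTL in seconds for assumed_role / federation_token credentials:
    the request `ttl`, else the role's `default_sts_ttl`, else 3600s; then
    capped to the role's `max_sts_ttl` when one is set. AWS's own maximum for
    DurationSeconds still applies on top and is not modelled here."""
    if requested:
        ttl = parse_duration(requested)
    elif default_sts_ttl:
        ttl = parse_duration(default_sts_ttl)
    else:
        ttl = 3600
    if max_sts_ttl:
        ttl = min(ttl, parse_duration(max_sts_ttl))
    return ttl


def allowed_endpoints(credential_type, legacy_role=False):
    """Which of /aws/creds and /aws/sts may serve a role. Roles defined with the
    current parameters work on both; legacy `arn`/`policy` roles are split by type."""
    if credential_type not in {"iam_user", "assumed_role", "federation_token"}:
        raise ValueError(f"unknown credential_type {credential_type!r}")
    if not legacy_role:
        return {"creds", "sts"}
    return {"creds"} if credential_type == "iam_user" else {"sts"}


if __name__ == "__main__":
    print(lease_config_payload("30m", "12h"))           # the page's sample payload
    print(parse_duration("12h0m0s"), "seconds")          # the page's sample response
    print(resolve_sts_ttl(None, "30m", "1h"), "seconds")  # role default applies
    print(resolve_sts_ttl("2h", "30m", "1h"), "seconds")  # request capped by max
    print(sorted(allowed_endpoints("iam_user", legacy_role=True)))
```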