open-vault/website/source/api/secret/aws/index.html.md

437 lines
12 KiB
Markdown
Raw Normal View History

---
2017-03-17 18:06:03 +00:00
layout: "api"
page_title: "AWS - Secrets Engines - HTTP API"
New Docs Website (#5535) * conversion stage 1 * correct image paths * add sidebar title to frontmatter * docs/concepts and docs/internals * configuration docs and multi-level nav corrections * commands docs, index file corrections, small item nav correction * secrets converted * auth * add enterprise and agent docs * add extra dividers * secret section, wip * correct sidebar nav title in front matter for apu section, start working on api items * auth and backend, a couple directory structure fixes * remove old docs * intro side nav converted * reset sidebar styles, add hashi-global-styles * basic styling for nav sidebar * folder collapse functionality * patch up border length on last list item * wip restructure for content component * taking middleman hacking to the extreme, but its working * small css fix * add new mega nav * fix a small mistake from the rebase * fix a content resolution issue with middleman * title a couple missing docs pages * update deps, remove temporary markup * community page * footer to layout, community page css adjustments * wip downloads page * deps updated, downloads page ready * fix community page * homepage progress * add components, adjust spacing * docs and api landing pages * a bunch of fixes, add docs and api landing pages * update deps, add deploy scripts * add readme note * update deploy command * overview page, index title * Update doc fields Note this still requires the link fields to be populated -- this is solely related to copy on the description fields * Update api_basic_categories.yml Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages. * Add bottom hero, adjust CSS, responsive friendly * Add mega nav title * homepage adjustments, asset boosts * small fixes * docs page styling fixes * meganav title * some category link corrections * Update API categories page updated to reflect the second level headings for api categories * Update docs_detailed_categories.yml Updated to represent the existing docs structure * Update docs_detailed_categories.yml * docs page data fix, extra operator page remove * api data fix * fix makefile * update deps, add product subnav to docs and api landing pages * Rearrange non-hands-on guides to _docs_ Since there is no place for these on learn.hashicorp, we'll put them under _docs_. * WIP Redirects for guides to docs * content and component updates * font weight hotfix, redirects * fix guides and intro sidenavs * fix some redirects * small style tweaks * Redirects to learn and internally to docs * Remove redirect to `/vault` * Remove `.html` from destination on redirects * fix incorrect index redirect * final touchups * address feedback from michell for makefile and product downloads
2018-10-19 15:40:11 +00:00
sidebar_title: "AWS"
sidebar_current: "api-http-secret-aws"
description: |-
This is the API documentation for the Vault AWS secrets engine.
---
# AWS Secrets Engine (API)
This is the API documentation for the Vault AWS secrets engine. For general
information about the usage and operation of the AWS secrets engine, please see
the [Vault AWS documentation](/docs/secrets/aws/index.html).
This documentation assumes the AWS secrets engine is enabled at the `/aws` path
in Vault. Since it is possible to enable secrets engines at any location, please
update your API calls accordingly.
## Configure Root IAM Credentials
This endpoint configures the root IAM credentials to communicate with AWS. There
are multiple ways to pass root IAM credentials to the Vault server, specified
below with the highest precedence first. If credentials already exist, this will
overwrite them.
The official AWS SDK is used for sourcing credentials from env vars, shared
files, or IAM/ECS instances.
- Static credentials provided to the API as a payload
- Credentials in the `AWS_ACCESS_KEY`, `AWS_SECRET_KEY`, and `AWS_REGION`
environment variables **on the server**
- Shared credentials files
- Assigned IAM role or ECS task role credentials
At present, this endpoint does not confirm that the provided AWS credentials are
valid AWS credentials with proper permissions.
| Method | Path |
| :--------------------------- | :--------------------- |
| `POST` | `/aws/config/root` |
### Parameters
- `max_retries` `(int: -1)` - Number of max retries the client should use for
recoverable errors. The default (`-1`) falls back to the AWS SDK's default
behavior.
- `access_key` `(string: <required>)` Specifies the AWS access key ID.
- `secret_key` `(string: <required>)`  Specifies the AWS secret access key.
- `region` `(string: <optional>)`  Specifies the AWS region. If not set it
will use the `AWS_REGION` env var, `AWS_DEFAULT_REGION` env var, or
`us-east-1` in that order.
2017-11-06 18:31:38 +00:00
- `iam_endpoint` `(string: <optional>)`  Specifies a custom HTTP IAM endpoint to use.
- `sts_endpoint` `(string: <optional>)`  Specifies a custom HTTP STS endpoint to use.
### Sample Payload
```json
{
"access_key": "AKIA...",
"secret_key": "2J+...",
"region": "us-east-1"
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/aws/config/root
```
## Rotate Root IAM Credentials
When you have configured Vault with static credentials, you can use this
endpoint to have Vault rotate the access key it used. Note that, due to AWS
eventual consistency, after calling this endpoint, subsequent calls from Vault
to AWS may fail for a few seconds until AWS becomes consistent again.
In order to call this endpoint, Vault's AWS access key MUST be the only access
key on the IAM user; otherwise, generation of a new access key will fail. Once
this method is called, Vault will now be the only entity that knows the AWS
secret key is used to access AWS.
| Method | Path |
| :--------------------------- | :--------------------- |
| `POST` | `/aws/config/rotate-root` |
### Parameters
There are no parameters to this operation.
### Sample Request
```$ curl \
--header "X-Vault-Token: ..." \
--request POST \
http://127.0.0.1:8211/v1/aws/config/rotate-root
```
### Sample Response
```json
{
"data": {
"access_key": "AKIA..."
}
}
```
The new access key Vault uses is returned by this operation.
## Configure Lease
This endpoint configures lease settings for the AWS secrets engine. It is
optional, as there are default values for `lease` and `lease_max`.
| Method | Path |
| :--------------------------- | :--------------------- |
| `POST` | `/aws/config/lease` |
### Parameters
- `lease` `(string: <required>)` Specifies the lease value provided as a
string duration with time suffix. "h" (hour) is the largest suffix.
- `lease_max` `(string: <required>)`  Specifies the maximum lease value
provided as a string duration with time suffix. "h" (hour) is the largest
suffix.
### Sample Payload
```json
{
"lease": "30m",
"lease_max": "12h"
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/aws/config/lease
```
## Read Lease
This endpoint returns the current lease settings for the AWS secrets engine.
| Method | Path |
| :--------------------------- | :--------------------- |
| `GET` | `/aws/config/lease` |
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/aws/config/lease
```
### Sample Response
```json
{
"data": {
"lease": "30m0s",
"lease_max": "12h0m0s"
}
}
```
## Create/Update Role
This endpoint creates or updates the role with the given `name`. If a role with
the name does not exist, it will be created. If the role exists, it will be
updated with the new attributes.
| Method | Path |
| :--------------------------- | :--------------------- |
| `POST` | `/aws/roles/:name` |
### Parameters
- `name` `(string: <required>)`  Specifies the name of the role to create. This
is part of the request URL.
- `credential_type` `(string: <required>)` Specifies the type of credential to be used when
retrieving credentials from the role. Must be one of `iam_user`,
`assumed_role`, or `federation_token`.
- `role_arns` `(list: [])` Specifies the ARNs of the AWS roles this Vault role
is allowed to assume. Required when `credential_type` is `assumed_role` and
prohibited otherwise. This is a comma-separated string or JSON array.
- `policy_arns` `(list: [])` Specifies the ARNs of the AWS managed policies to
2018-10-03 18:25:57 +00:00
be attached to IAM users when they are requested. Valid only when
`credential_type` is `iam_user`. When `credential_type` is `iam_user`, at
least one of `policy_arns` or `policy_document` must be specified. This is a
comma-separated string or JSON array.
- `policy_document` `(string)` The IAM policy document for the role. The
behavior depends on the credential type. With `iam_user`, the policy document
will be attached to the IAM user generated and augment the permissions the IAM
user has. With `assumed_role` and `federation_token`, the policy document will
act as a filter on what the credentials can do.
- `default_sts_ttl` `(string)` - The default TTL for STS credentials. When a TTL is not
specified when STS credentials are requested, and a default TTL is specified
on the role, then this default TTL will be used. Valid only when
`credential_type` is one of `assumed_role` or `federation_token`.
- `max_sts_ttl` `(string)` - The max allowed TTL for STS credentials (credentials
TTL are capped to `max_sts_ttl`). Valid only when `credential_type` is one of
`assumed_role` or `federation_token`.
- `user_path` `(string)` - The path for the user name. Valid only when
`credential_type` is `iam_user`. Default is `/`
Legacy parameters:
These parameters are supported for backwards compatibility only. They cannot be
mixed with the parameters listed above.
- `policy` `(string: <required unless arn provided>)` Specifies the IAM policy
in JSON format.
- `arn` `(string: <required unless policy provided>)`  Specifies the full ARN
reference to the desired existing policy.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/aws/roles/example-role
```
### Sample Payloads
Using an inline IAM policy:
```json
{
"credential_type": "federation_token",
"policy_document": "{\"Version\": \"...\"}"
}
```
Using an ARN:
```json
{
"credential_type": "assumed_role",
"role_arns": "arn:aws:iam::123456789012:role/DeveloperRole"
}
```
## Read Role
This endpoint queries an existing role by the given name. If the role does not
exist, a 404 is returned.
| Method | Path |
| :--------------------------- | :--------------------- |
| `GET` | `/aws/roles/:name` |
If invalid role data was supplied to the role from an earlier version of Vault,
then it will show up in the response as `invalid_data`.
### Parameters
- `name` `(string: <required>)`  Specifies the name of the role to read. This
is part of the request URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/aws/roles/example-role
```
### Sample Responses
For an inline IAM policy:
```json
{
"data": {
"policy_document": "{\"Version\": \"...\"}",
"policy_arns": [],
"credential_types": ["assumed_role"],
"role_arns": [],
}
}
```
For a role ARN:
```json
{
"data": {
"policy_document": "",
"policy_arns": [],
"credential_types": ["assumed_role"],
"role_arns": ["arn:aws:iam::123456789012:role/example-role"]
}
}
```
## List Roles
This endpoint lists all existing roles in the secrets engine.
| Method | Path |
| :--------------------------- | :--------------------- |
| `LIST` | `/aws/roles` |
### Sample Request
```
$ curl
--header "X-Vault-Token: ..." \
--request LIST \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/aws/roles
```
### Sample Response
```json
{
"data": {
"keys": [
"example-role"
]
}
}
```
## Delete Role
This endpoint deletes an existing role by the given name. If the role does not
exist, a 404 is returned.
| Method | Path |
| :--------------------------- | :--------------------- |
| `DELETE` | `/aws/roles/:name` |
### Parameters
- `name` `(string: <required>)`  Specifies the name of the role to delete. This
is part of the request URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/aws/roles/example-role
```
## Generate Credentials
This endpoint generates credentials based on the named role. This role must be
created before queried.
| Method | Path |
| :--------------------------- | :--------------------- |
| `GET` | `/aws/creds/:name` |
| `GET` | `/aws/sts/:name` |
The `/aws/creds` and `/aws/sts` endpoints are almost identical. The exception is
when retrieving credentials for a role that was specified with the legacy `arn`
or `policy` parameter. In this case, credentials retrieved through `/aws/sts`
must be of either the `assumed_role` or `federation_token` types, and
credentials retrieved through `/aws/creds` must be of the `iam_user` type.
### Parameters
- `name` `(string: <required>)`  Specifies the name of the role to generate
2017-09-28 11:54:40 +00:00
credentials against. This is part of the request URL.
- `role_arn` `(string)` The ARN of the role to assume if `credential_type` on
the Vault role is `assumed_role`. Must match one of the allowed role ARNs in
the Vault role. Optional if the Vault role only allows a single AWS role ARN;
required otherwise.
- `ttl` `(string: "3600s")` Specifies the TTL for the use of the STS token.
This is specified as a string with a duration suffix. Valid only when
`credential_type` is `assumed_role` or `federation_token`. When not specified,
the `default_sts_ttl` set for the role will be used. If that is also not set, then
the default value of `3600s` will be used. AWS places limits
on the maximum TTL allowed. See the AWS documentation on the `DurationSeconds`
parameter for
[AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html)
(for `assumed_role` credential types) and
[GetFederationToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html)
(for `federation_token` credential types) for more details.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/aws/creds/example-role
```
### Sample Response
```json
{
"data": {
"access_key": "AKIA...",
"secret_key": "xlCs...",
"security_token": null
}
}
```