luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity

Docs for AWS backend when using an existing policy

This commit is contained in:
Nicki Watt 2016-01-26 01:39:24 +00:00
parent 3761f19932
commit 35a0d28620
1 changed files with 33 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
website/source/docs/secrets/aws/index.html.md
View File

@ -46,8 +46,13 @@ The following parameters are required:
- `region` the AWS region for API calls. - `region` the AWS region for API calls.
The next step is to configure a role. A role is a logical name that maps The next step is to configure a role. A role is a logical name that maps
to a policy used to generated those credentials. For example, lets create to a policy used to generated those credentials.
a "deploy" role: You can either supply a user inline policy (via the policy argument), or
provide a reference to an existing AWS policy by supplying the full ARN
reference (via the arn argument).
For example, lets first create
a "deploy" role using an user inline policy as an example:
```text ```text
$ vault write aws/roles/deploy \ $ vault write aws/roles/deploy \
@ -72,9 +77,21 @@ is an example IAM policy to get started:
} }
``` ```
As a second example, lets create
a "readonly" role as using an existing AWS policy as an example:
```text
$ vault write aws/roles/readonly arn=arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
```
This path will create a named role pointing to an existing IAM policy used
to restrict permissions for it. This is used to dynamically create
a new pair of IAM credentials when needed.
For more information on IAM policies, please see the For more information on IAM policies, please see the
[AWS IAM policy documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/PoliciesOverview.html). [AWS IAM policy documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/PoliciesOverview.html).
To generate a new set of IAM credentials, we simply read from that role: To generate a new set of IAM credentials, we simply read from that role:
```text ```text
@ -292,9 +309,14 @@ as soon as they are generated.
<ul> <ul>
<li> <li>
<span class="param">policy</span> <span class="param">policy</span>
<span class="param-flags">required</span> <span class="param-flags">required (unless arn specified)</span>
The IAM policy in JSON format. The IAM policy in JSON format.
</li> </li>
<li>
<span class="param">arn</span>
<span class="param-flags">required (unless policy specified)</span>
The full ARN reference to the desired existing policy
</li>
</ul> </ul>
</dd> </dd>
@ -333,7 +355,13 @@ as soon as they are generated.
} }
} }
``` ```
```javascript
{
"data": {
"arn": "..."
}
}
```
</dd> </dd>
</dl> </dl>