From 35a0d28620c0a2c43280aa5d6481fc5d61e2509d Mon Sep 17 00:00:00 2001 From: Nicki Watt Date: Tue, 26 Jan 2016 01:39:24 +0000 Subject: [PATCH 1/2] Docs for AWS backend when using an existing policy --- website/source/docs/secrets/aws/index.html.md | 38 ++++++++++++++++--- 1 file changed, 33 insertions(+), 5 deletions(-) diff --git a/website/source/docs/secrets/aws/index.html.md b/website/source/docs/secrets/aws/index.html.md index 291f546c7..ec610a070 100644 --- a/website/source/docs/secrets/aws/index.html.md +++ b/website/source/docs/secrets/aws/index.html.md @@ -46,8 +46,13 @@ The following parameters are required: - `region` the AWS region for API calls. The next step is to configure a role. A role is a logical name that maps -to a policy used to generated those credentials. For example, lets create -a "deploy" role: +to a policy used to generated those credentials. +You can either supply a user inline policy (via the policy argument), or +provide a reference to an existing AWS policy by supplying the full ARN +reference (via the arn argument). + +For example, lets first create +a "deploy" role using an user inline policy as an example: ```text $ vault write aws/roles/deploy \ @@ -72,9 +77,21 @@ is an example IAM policy to get started: } ``` +As a second example, lets create +a "readonly" role as using an existing AWS policy as an example: + +```text +$ vault write aws/roles/readonly arn=arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess +``` + +This path will create a named role pointing to an existing IAM policy used +to restrict permissions for it. This is used to dynamically create +a new pair of IAM credentials when needed. + For more information on IAM policies, please see the [AWS IAM policy documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/PoliciesOverview.html). + To generate a new set of IAM credentials, we simply read from that role: ```text @@ -292,9 +309,14 @@ as soon as they are generated. 
@@ -329,11 +351,17 @@ as soon as they are generated. ```javascript { "data": { - "policy": "..." + "policy": "..." + } + } + ``` + ```javascript + { + "data": { + "arn": "..." } } ``` - From c57072d39add1a2fb80931d1c09aafb9f0ed07c8 Mon Sep 17 00:00:00 2001 From: Nicki Watt Date: Tue, 26 Jan 2016 01:43:14 +0000 Subject: [PATCH 2/2] AWS secret backend - docs when using existing policy --- website/source/docs/secrets/aws/index.html.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/website/source/docs/secrets/aws/index.html.md b/website/source/docs/secrets/aws/index.html.md index ec610a070..455257725 100644 --- a/website/source/docs/secrets/aws/index.html.md +++ b/website/source/docs/secrets/aws/index.html.md @@ -51,8 +51,7 @@ You can either supply a user inline policy (via the policy argument), or provide a reference to an existing AWS policy by supplying the full ARN reference (via the arn argument). -For example, lets first create -a "deploy" role using an user inline policy as an example: +For example, lets first create a "deploy" role using an user inline policy as an example: ```text $ vault write aws/roles/deploy \ @@ -77,8 +76,7 @@ is an example IAM policy to get started: } ``` -As a second example, lets create -a "readonly" role as using an existing AWS policy as an example: +As a second example, lets create a "readonly" role using an existing AWS policy as an example: ```text $ vault write aws/roles/readonly arn=arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
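Review bot: in the hunk at @@ -46,8 +46,13 @@ of PATCH 1/2, the new paragraph introducing the two ways to define a role leaves the key constraint unstated: the reader needs to know whether `policy` and `arn` are mutually exclusive and what the backend does when both or neither are supplied. Suggest adding a sentence such as "Exactly one of `policy` or `arn` must be supplied" (if that is what the backend enforces), and formatting both argument names as code, as `region` is in the surrounding context. The same lines introduce "an user inline policy" and "lets", which should read "a user inline policy" (or, clearer, "an inline IAM policy document") and "let's"; while touching this paragraph, the pre-existing "used to generated" in the context line should read "used to generate".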
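Review bot: in the hunk at @@ -72,9 +77,21 @@ of PATCH 1/2, the sentence "This path will create a named role pointing to an existing IAM policy used to restrict permissions for it" does not make the security consequence of the `arn` form explicit: the role stores only a reference, so the permissions of every credential set Vault generates later track the referenced policy's contents at that time (AWS updates its managed policies over time, and a customer-managed policy can be edited outside Vault by anyone with IAM write access). Suggest rewording to, e.g., "This creates a named role whose generated credentials are governed by the referenced IAM policy; changes to that policy apply to credentials generated afterwards." Minor: "as using an existing AWS policy" has a stray "as" (removed in PATCH 2/2), and the blank line added before "To generate a new set of IAM credentials" looks unintentional.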
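Review bot: in the hunk at @@ -329,11 +351,17 @@ of PATCH 1/2, the response example now shows two consecutive javascript blocks, one with "policy" and one with "arn", with nothing between them telling the reader which one a given role returns. Suggest a short lead-in between the blocks (e.g. "or, for a role created with `arn`:") so they read as alternatives rather than a duplicated example. The first `-`/`+` pair on `"policy": "..."` appears to be a whitespace-only change that widens the diff without changing content.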
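Review bot: in the hunk at @@ -51,8 +51,7 @@ of PATCH 2/2, the rewrap only joins the two lines; "lets" and "an user inline policy" survive into the new line and should read "let's" and "a user inline policy" (or "an inline IAM policy"). Since this commit only reflows text introduced by PATCH 1/2, consider squashing the two commits so the history carries a single documentation change.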
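Review bot: in the hunk at @@ -77,8 +76,7 @@ of PATCH 2/2, dropping the stray "as" is correct, but "lets create" still needs the apostrophe ("let's create"), and "an existing AWS policy" would be more precise as "an existing IAM managed policy", which is what the arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess ARN on the following context line refers to.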