luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity

Add a specific reference to AWS IAM Unique Identifiers (#8209) 

* Add specification about AWS IAM Unique Identifiers

We experienced an issue where IAM roles resources were re-provisioned with the same ARNs and no change had been made to our vault role configuration but users lost access with `-method=aws`. It wasn't immediately clear to us how IAM Unique Identifiers where being used to avoid the same situations outlined in the AWS documentation. We eventually concluded that re-provisioning the roles in our auth/aws/auth would fetch the new IAM Unique Identifiers. 

I hope that this small amendment helps people avoid this problem in the future.
This commit is contained in:
Dan Lafeir 2020-02-04 18:31:48 -05:00 committed by GitHub
parent fa2544cf5e
commit fe80e136da
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
website/pages/docs/auth/aws.mdx
View File

@ -317,7 +317,7 @@ are needed.
`ec2` auth method. Vault needs to determine which IAM role is attached to the
instance profile.
- `iam:GetUser` and `iam:GetRole` are used when using the iam auth method and
binding to an IAM user or role principal to determine the unique AWS user ID
binding to an IAM user or role principal to determine the [AWS IAM Unique Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids)
or when using a wildcard on the bound ARN to resolve the full ARN of the user
or role.
- The `sts:AssumeRole` stanza is necessary when you are using [Cross Account