Add a specific reference to AWS IAM Unique Identifiers (#8209)

* Add specification about AWS IAM Unique Identifiers

We experienced an issue where IAM roles resources were re-provisioned with the same ARNs and no change had been made to our vault role configuration but users lost access with `-method=aws`. It wasn't immediately clear to us how IAM Unique Identifiers where being used to avoid the same situations outlined in the AWS documentation. We eventually concluded that re-provisioning the roles in our auth/aws/auth would fetch the new IAM Unique Identifiers. 

I hope that this small amendment helps people avoid this problem in the future.
This commit is contained in:
Dan Lafeir 2020-02-04 18:31:48 -05:00 committed by GitHub
parent fa2544cf5e
commit fe80e136da
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 1 additions and 1 deletions

View File

@ -317,7 +317,7 @@ are needed.
`ec2` auth method. Vault needs to determine which IAM role is attached to the `ec2` auth method. Vault needs to determine which IAM role is attached to the
instance profile. instance profile.
- `iam:GetUser` and `iam:GetRole` are used when using the iam auth method and - `iam:GetUser` and `iam:GetRole` are used when using the iam auth method and
binding to an IAM user or role principal to determine the unique AWS user ID binding to an IAM user or role principal to determine the [AWS IAM Unique Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids)
or when using a wildcard on the bound ARN to resolve the full ARN of the user or when using a wildcard on the bound ARN to resolve the full ARN of the user
or role. or role.
- The `sts:AssumeRole` stanza is necessary when you are using [Cross Account - The `sts:AssumeRole` stanza is necessary when you are using [Cross Account