open-vault/website/content/docs/agent/autoauth/methods/aws.mdx
DJCrabhat 810282d469
Add nonce configuration parameter to agent AWS auto-auth documentation (#10926)
* Update aws.mdx

Was looking how to give the vault agent with AWS auth-auth the same nonce, but saw it wasn't documented.  Dove through the code, found https://github.com/hashicorp/vault/blob/master/command/agent/auth/aws/aws.go#L139 and https://github.com/hashicorp/vault/blob/master/command/agent/auth/aws/aws.go#L215 

(tried to call out the importance and point to docs, know setting `nonce` poorly could be very bad!)

* add line breaks

* Apply suggestions from code review

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

Co-authored-by: hghaf099 <83242695+hghaf099@users.noreply.github.com>
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2021-10-13 10:45:34 -04:00

68 lines
3 KiB
Plaintext

---
layout: docs
page_title: Vault Agent Auto-Auth AWS Method
description: AWS Method for Vault Agent Auto-Auth
---
# Vault Agent Auto-Auth AWS Method
The `aws` method performs authentication against the [AWS Auth
method](/docs/auth/aws). Both `ec2` and `iam`
authentication types are supported. If `ec2` is used, the agent will store the
reauthentication value in memory and use it for reauthenticating, but will not
persist it to disk.
Due to the complexity of the Trust On First Use (TOFU) model used in the `ec2`
method, we recommend the `iam` method when possible.
## Credentials
Vault will use the AWS SDK's normal credential chain behavior, which means it
will use the first valid credentials it finds in the following order:
1. A static credential configuration
2. Environment variables
3. A file containing credentials
4. From any identity services available in its physical environment like container environment variables or role-based instance metadata
Wherever possible, we recommend using identity services (method 4) for credentials.
These rotate regularly and require no effort on your part to provision, making
identity services the most secure of the four methods. If using identity services _and_ a custom
`credential_poll_interval`, be sure the frequency is set low enough to pick up new credentials
from the physical environment as they become available.
To use identity services, choose the `iam` type and leave the `access_key`, `secret_key`, and `session_token`
parameters unset in your configuration.
## Configuration
- `type` `(string: required)` - The type of authentication; must be `ec2` or `iam`.
- `role` `(string: required)` - The role to authenticate against on Vault.
- `credential_poll_interval` `(integer: optional)` - In seconds, how frequently the Vault agent should check for new credentials if using the iam type.
- `access_key` `(string: optional)` - When using static credentials, the access key to use.
- `secret_key` `(string: optional)` - When using static credentials, the secret key to use.
- `region` `(string: "us-east-1")` - The region to use for signing the authentication request. The
region Agent uses should match that corresponding to
[`sts_endpoint`](/api/auth/aws#sts_endpoint),
if a custom endpoint has been configured on the Vault server.
- `session_token` `(string: optional)` - The session token to use for authentication, if needed.
- `header_value` `(string: optional)` - If configured in Vault, the value to use for
[`iam_server_id_header_value`](/api/auth/aws#iam_server_id_header_value).
- `nonce` `(string: optional)` - If not provided, Vault will generate a new UUID every time `vault agent` runs.
If set, make sure you understand the importance of generating a good, unique `nonce` and protecting it.
See [Client Nonce](/docs/auth/aws#client-nonce) for more information.
## Learn
Refer to the [Vault Agent with
AWS](https://learn.hashicorp.com/vault/identity-access-management/vault-agent-aws)
guide for a step-by-step tutorial.