0941c7a24a
* Make AWS credential types more explicit The AWS secret engine had a lot of confusing overloading with role paramemters and how they mapped to each of the three credential types supported. This now adds parameters to remove the overloading while maintaining backwards compatibility. With the change, it also becomes easier to add other feature requests. Attaching multiple managed policies to IAM users and adding a policy document to STS AssumedRole credentials is now also supported. Fixes #4229 Fixes #3751 Fixes #2817 * Add missing write action to STS endpoint * Allow unsetting policy_document with empty string This allows unsetting the policy_document by passing in an empty string. Previously, it would fail because the empty string isn't a valid JSON document. * Respond to some PR feedback * Refactor and simplify role reading/upgrading This gets rid of the duplicated role upgrade code between both role reading and role writing by handling the upgrade all in the role reading. * Eliminate duplicated AWS secret test code The testAccStepReadUser and testAccStepReadSTS were virtually identical, so they are consolidated into a single method with the path passed in. * Switch to use AWS ARN parser
11 KiB
| layout | page_title | sidebar_current | description |
|---|---|---|---|
| api | AWS - Secrets Engines - HTTP API | docs-http-secret-aws | This is the API documentation for the Vault AWS secrets engine. |
AWS Secrets Engine (API)
This is the API documentation for the Vault AWS secrets engine. For general information about the usage and operation of the AWS secrets engine, please see the Vault AWS documentation.
This documentation assumes the AWS secrets engine is enabled at the /aws path
in Vault. Since it is possible to enable secrets engines at any location, please
update your API calls accordingly.
Configure Root IAM Credentials
This endpoint configures the root IAM credentials to communicate with AWS. There are multiple ways to pass root IAM credentials to the Vault server, specified below with the highest precedence first. If credentials already exist, this will overwrite them.
The official AWS SDK is used for sourcing credentials from env vars, shared files, or IAM/ECS instances.
-
Static credentials provided to the API as a payload
-
Credentials in the
AWS_ACCESS_KEY,AWS_SECRET_KEY, andAWS_REGIONenvironment variables on the server -
Shared credentials files
-
Assigned IAM role or ECS task role credentials
At present, this endpoint does not confirm that the provided AWS credentials are valid AWS credentials with proper permissions.
| Method | Path | Produces |
|---|---|---|
POST |
/aws/config/root |
204 (empty body) |
Parameters
-
max_retries(int: -1)- Number of max retries the client should use for recoverable errors. The default (-1) falls back to the AWS SDK's default behavior. -
access_key(string: <required>)– Specifies the AWS access key ID. -
secret_key(string: <required>)– Specifies the AWS secret access key. -
region(string: <optional>)– Specifies the AWS region. If not set it will use theAWS_REGIONenv var,AWS_DEFAULT_REGIONenv var, orus-east-1in that order. -
iam_endpoint(string: <optional>)– Specifies a custom HTTP IAM endpoint to use. -
sts_endpoint(string: <optional>)– Specifies a custom HTTP STS endpoint to use.
Sample Payload
{
"access_key": "AKIA...",
"secret_key": "2J+...",
"region": "us-east-1"
}
Sample Request
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/aws/config/root
Configure Lease
This endpoint configures lease settings for the AWS secrets engine. It is
optional, as there are default values for lease and lease_max.
| Method | Path | Produces |
|---|---|---|
POST |
/aws/config/lease |
204 (empty body) |
Parameters
-
lease(string: <required>)– Specifies the lease value provided as a string duration with time suffix. "h" (hour) is the largest suffix. -
lease_max(string: <required>)– Specifies the maximum lease value provided as a string duration with time suffix. "h" (hour) is the largest suffix.
Sample Payload
{
"lease": "30m",
"lease_max": "12h"
}
Sample Request
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/aws/config/lease
Read Lease
This endpoint returns the current lease settings for the AWS secrets engine.
| Method | Path | Produces |
|---|---|---|
GET |
/aws/config/lease |
200 application/json |
Sample Request
$ curl \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/aws/config/lease
Sample Response
{
"data": {
"lease": "30m0s",
"lease_max": "12h0m0s"
}
}
Create/Update Role
This endpoint creates or updates the role with the given name. If a role with
the name does not exist, it will be created. If the role exists, it will be
updated with the new attributes.
| Method | Path | Produces |
|---|---|---|
POST |
/aws/roles/:name |
204 (empty body) |
Parameters
-
name(string: <required>)– Specifies the name of the role to create. This is part of the request URL. -
credential_type(string: <required>)– Specifies the type of credential to be used when retrieving credentials from the role. Must be one ofiam_user,assumed_role, orfederation_token. -
role_arns(list: [])– Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required whencredential_typeisassumed_roleand prohibited otherwise. This is a comma-separated string or JSON array. -
policy_arns(list: [])– Specifies the ARNs of the AWS managed policies to be attached to IAM users when they are requsted. Valid only whencredential_typeisiam_user. Whencredential_typeisiam_user, at least one ofpolicy_arnsorpolicy_documentmust be specified. This is a comma-separated string or JSON array. -
policy_document(string)– The IAM policy document for the role. The behavior depends on the credential type. Withiam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. Withassumed_roleandfederation_token, the policy document will act as a filter on what the credentials can do.
Legacy parameters:
These parameters are supported for backwards compatibility only. They cannot be mixed with the parameters listed above.
-
policy(string: <required unless arn provided>)– Specifies the IAM policy in JSON format. -
arn(string: <required unless policy provided>)– Specifies the full ARN reference to the desired existing policy.
Sample Request
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/aws/roles/example-role
Sample Payloads
Using an inline IAM policy:
{
"credential_type": "federation_token",
"policy_document": "{\"Version\": \"...\"}"
}
Using an ARN:
{
"credential_type": "assumed_role",
"role_arns": "arn:aws:iam::123456789012:role/DeveloperRole"
}
Read Role
This endpoint queries an existing role by the given name. If the role does not exist, a 404 is returned.
| Method | Path | Produces |
|---|---|---|
GET |
/aws/roles/:name |
200 application/json |
If invalid role data was supplied to the role from an earlier version of Vault,
then it will show up in the response as invalid_data.
Parameters
name(string: <required>)– Specifies the name of the role to read. This is part of the request URL.
Sample Request
$ curl \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/aws/roles/example-role
Sample Responses
For an inline IAM policy:
{
"data": {
"policy_document": "{\"Version\": \"...\"}",
"policy_arns": [],
"credential_types": ["assumed_role"],
"role_arns": [],
}
}
For a role ARN:
{
"data": {
"policy_document": "",
"policy_arns": [],
"credential_types": ["assumed_role"],
"role_arns": ["arn:aws:iam::123456789012:role/example-role"]
}
}
List Roles
This endpoint lists all existing roles in the secrets engine.
| Method | Path | Produces |
|---|---|---|
LIST |
/aws/roles |
200 application/json |
Sample Request
$ curl
--header "X-Vault-Token: ..." \
--request LIST \
http://127.0.0.1:8200/v1/aws/roles
Sample Response
{
"data": {
"keys": [
"example-role"
]
}
}
Delete Role
This endpoint deletes an existing role by the given name. If the role does not exist, a 404 is returned.
| Method | Path | Produces |
|---|---|---|
DELETE |
/aws/roles/:name |
204 (empty body) |
Parameters
name(string: <required>)– Specifies the name of the role to delete. This is part of the request URL.
Sample Request
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
http://127.0.0.1:8200/v1/aws/roles/example-role
Generate Credentials
This endpoint generates credentials based on the named role. This role must be created before queried.
| Method | Path | Produces |
|---|---|---|
GET |
/aws/creds/:name |
200 application/json |
GET |
/aws/sts/:name |
200 application/json |
The /aws/creds and /aws/sts endpoints are almost identical. The exception is
when retrieving credentials for a role that was specified with the legacy arn
or policy parameter. In this case, credentials retrieved through /aws/sts
must be of either the assumed_role or federation_token types, and
credentials retrieved through /aws/creds must be of the iam_user type.
Parameters
name(string: <required>)– Specifies the name of the role to generate credentials against. This is part of the request URL.role_arn(string)– The ARN of the role to assume ifcredential_typeon the Vault role isassumed_role. Must match one of the allowed role ARNs in the Vault role. Optional if the Vault role only allows a single AWS role ARN; required otherwise.ttl(string: "3600s")– Specifies the TTL for the use of the STS token. This is specified as a string with a duration suffix. Valid only whencredential_typeisassumed_roleorfederation_token. AWS places limits on the maximum TTL allowed. See the AWS documentation on theDurationSecondsparameter for AssumeRole (forassumed_rolecredential types) and GetFederationToken (forfederation_tokencredential types) for more details.
Sample Request
$ curl \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/aws/creds/example-role
Sample Response
{
"data": {
"access_key": "AKIA...",
"secret_key": "xlCs...",
"security_token": null
}
}