@devops-adeel
Last active April 22, 2022 16:28
Terraform: Vault AWS auth method bootstrapped with a dedicated IAM user, then `config/rotate-root` invoked so Vault replaces the bootstrap access key with one only Vault holds.
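# Least-privilege policy for the IAM user whose access key Vault's AWS auth
# method uses. Statement 1 is the read-only set Vault needs to verify
# EC2/IAM principals that log in; statement 2 lets the user manage only its
# *own* access keys, which is what `config/rotate-root` relies on.
data "aws_iam_policy_document" "default" {
  version = "2012-10-17"

  # Identity lookups Vault performs while validating a login. Vault must be
  # able to describe whichever instance/role/user attempts to authenticate,
  # so this statement is not scoped to specific resources.
  statement {
    sid       = "AllowVaultAuth"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "ec2:DescribeInstances",
      "iam:GetInstanceProfile",
      "iam:GetUser",
      "iam:GetRole",
    ]
  }

  # Key management is restricted to this single user's ARN, so a leaked
  # bootstrap key cannot be used to mint credentials for any other
  # principal. `resources` must be a list — a bare string is rejected by
  # the provider with "list of string required".
  statement {
    sid       = "ManageOwnAccessKeys"
    effect    = "Allow"
    resources = [aws_iam_user.default.arn]
    actions = [
      "iam:GetUser",
      "iam:CreateAccessKey",
      "iam:DeleteAccessKey",
      "iam:GetAccessKeyLastUsed",
      "iam:ListAccessKeys",
      "iam:UpdateAccessKey",
    ]
  }
}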
# Dedicated IAM user for the Vault AWS auth method. It should never be used
# by anything other than Vault; all of its permissions come from the inline
# policy attached below.
resource "aws_iam_user" "default" {
  name = "vault-aws-auth-user"
  # Default path, stated explicitly so the ARN used in the policy is
  # unambiguous.
  path = "/"

  tags = { Description = "IAM user for Vault AWS Authentication." }
}
# Attaches the least-privilege document above as an inline policy. Inline
# (rather than a managed policy) keeps the grant bound to this one user.
resource "aws_iam_user_policy" "default" {
  user   = aws_iam_user.default.id
  name   = "vault"
  policy = data.aws_iam_policy_document.default.json
}
# Bootstrap access key handed to Vault once. The secret half is stored in
# Terraform state in plaintext, so the state backend must be treated as
# holding a live AWS credential until rotate-root has replaced this key.
# NOTE(review): after rotate-root, Vault presumably deletes this key
# (Vault docs describe create-new-then-delete-old); a later refresh would
# then find it gone and plan to recreate it — confirm and handle.
resource "aws_iam_access_key" "default" {
  user = aws_iam_user.default.id
}
# Mounts the AWS auth method. The mount path defaults to the type name;
# it is spelled out here because other resources build API paths from it.
resource "vault_auth_backend" "default" {
  type = "aws"
  path = "aws"
}
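# Hands Vault the bootstrap access key for the auth method. Both halves of
# the key (including the secret) land in Terraform state, so the state
# backend must be protected like a live AWS credential.
resource "vault_aws_auth_backend_client" "default" {
  backend    = vault_auth_backend.default.path
  access_key = aws_iam_access_key.default.id
  secret_key = aws_iam_access_key.default.secret

  # Once rotate-root has run, the key stored here is stale by design.
  # Without ignore_changes a later plan could notice that Vault now reports
  # a different access key (or that aws_iam_access_key was re-created) and
  # push the bootstrap key back into Vault, silently undoing the rotation.
  lifecycle {
    ignore_changes = [access_key, secret_key]
  }
}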
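# One-shot call to the auth method's rotate-root endpoint. Vault replaces
# the access key it was handed above with one only Vault knows, so the
# bootstrap secret sitting in Terraform state stops being valid.
#
# The `path` must be the full Vault API path. Auth-method mounts live under
# `auth/`; `<mount>/config/rotate-root` without that prefix would address a
# *secrets engine* mounted at the same name — rotating the wrong credential
# if an AWS secrets engine is mounted at `aws/`, or failing with
# "no handler for route" otherwise.
resource "vault_generic_endpoint" "rotate_root" {
  path                 = "auth/${vault_aws_auth_backend_client.default.backend}/config/rotate-root"
  data_json            = jsonencode({})
  ignore_absent_fields = true

  # rotate-root is a write-only (POST) endpoint: skip the GET on refresh
  # and the DELETE on destroy, neither of which it serves.
  disable_read   = true
  disable_delete = true

  # This fires only when the resource is first created; it is not periodic.
  # Re-rotation requires replacing this resource (e.g. `terraform apply
  # -replace=...`) or an external scheduler.
}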