I followed the guide at https://www.hashicorp.com/resources/best-practices-using-hashicorp-terraform-with-hashicorp-vault.
It's good, but when I use Terraform to get dynamically created AWS creds from Vault I get a 403 error.
I've solved the problem, but I don't quite understand why I need to add the additional capability (especially since it wasn't in the guide) and what problematic side-effects it may have.
Non-working policy:

path "aws/creds/dev-role" {
  capabilities = ["read"]
}

Working policy:

path "aws/creds/dev-role" {
  capabilities = ["read"]
}

path "auth/token/create" {
  capabilities = ["update"]
}
The expected result is that when I run "terraform plan" it gives me a list of things it's going to do.
The error I get when I don't include the "update" capability is:
provider.vault: failed to create limited child token: Error making API request.

URL: POST https://:8200/v1/auth/token/create
Code: 403. Errors:

* 1 error occurred:
  * permission denied
Secrets engines are components which store, generate, or encrypt data. Secrets engines are incredibly flexible, so it is easiest to think about them in terms of their function. Secrets engines are provided some set of data, they take some action on that data, and they return a result.
You can add, edit or delete paths and secrets in your Vault service instance. A path specifies the storage location of your secret. The Vault service storage mechanism is similar to a virtual file system.

Read a secret

As you might expect, secrets can be retrieved with vault kv get. Vault returns the latest version (in this case version 2) of the secrets at secret/hello. To print only the value of a given field, use the -field=<key_name> flag.
First, as a Vault Admin, you will configure AWS Secrets Engine in Vault. Then, as a Terraform Operator, you will connect to the Vault instance to retrieve dynamic, short-lived AWS credentials generated by the AWS Secrets Engine to provision an Ubuntu EC2 instance.
My understanding is that the Vault provider does not just try to use the Vault token returned from the AWS auth result, but tries to make a temporary child token from the returned token so that the Vault provider can specify how long it wants the child token to live.
This also makes it easier to kill some child tokens later if you want to, while leaving other tokens generated from your AWS credentials alive.
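To make the 403 in the question reproducible without a Vault server, here is an added example (not code from the post above and not HashiCorp's own code) that simulates the relevant part of Vault's ACL evaluation and replays the two calls the provider makes: first POST auth/token/create with the login token, then GET aws/creds/dev-role with the resulting child token. The policy names, the request order, the log format and the simplified method-to-capability mapping are this example's own assumptions; the two policies are the ones from the question.

```python
"""Simulated Vault ACL check for the two policies in the question.

Added example, not code from the original post or from HashiCorp. It
re-implements, from memory, only the parts of Vault's policy evaluation
needed to show why the first policy yields 403 and the second does not:
  * HTTP method -> capability (GET=read, LIST=list, POST/PUT=update,
    DELETE=delete; the create/update split for brand-new paths is ignored)
  * the most specific (longest) matching "path" rule wins, "+" matches one
    path segment, a trailing "*" matches any suffix, "deny" overrides all
  * a child token minted via auth/token/create inherits its parent's
    policies, and a non-root parent can only hand a child a subset of them
Policy names, request order and log format are this example's own.
"""
import re
from typing import Dict, List, Optional, Sequence, Tuple

Rules = Dict[str, List[str]]  # path pattern -> capabilities

# The two policies from the question, reduced from HCL to a dict.
POLICIES: Dict[str, Rules] = {
    "non-working": {"aws/creds/dev-role": ["read"]},
    "working": {"aws/creds/dev-role": ["read"], "auth/token/create": ["update"]},
}

# What the Terraform Vault provider does with the token it is handed, in
# order; the error on the page shows the first call is the one that fails.
PROVIDER_REQUESTS: List[Tuple[str, str]] = [
    ("POST", "auth/token/create"),   # mint a limited-TTL child token
    ("GET", "aws/creds/dev-role"),   # read the dynamic AWS creds with the child
]

METHOD_TO_CAPABILITY = {"GET": "read", "LIST": "list", "POST": "update",
                        "PUT": "update", "DELETE": "delete"}


def path_matches(pattern: str, path: str) -> bool:
    """Vault path-rule matching: '+' is one segment, trailing '*' is a glob."""
    glob = pattern.endswith("*")
    body = pattern[:-1] if glob else pattern
    segs = ["[^/]+" if s == "+" else re.escape(s) for s in body.split("/")]
    return re.fullmatch("/".join(segs) + (".*" if glob else ""), path) is not None


def evaluate(token_policies: Sequence[str], method: str, path: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request made with a token carrying
    the named policies. Capabilities from all policies are unioned per
    path; the longest matching path then decides."""
    needed = METHOD_TO_CAPABILITY[method]
    merged: Rules = {}
    for name in token_policies:
        for rule_path, caps in POLICIES[name].items():
            merged.setdefault(rule_path, []).extend(caps)
    hits = [p for p in merged if path_matches(p, path)]
    if not hits:
        return False, f"no rule covers {path}"
    rule = max(hits, key=len)
    caps = sorted(set(merged[rule]))
    if "deny" in caps:
        return False, f'rule "{rule}" is deny'
    if needed in caps:
        return True, f'rule "{rule}" grants {needed}'
    return False, f'rule "{rule}" has {caps}, not {needed}'


def create_child(parent_policies: Sequence[str],
                 requested: Optional[Sequence[str]] = None) -> List[str]:
    """Model auth/token/create for a non-root parent: the child gets the
    parent's policies unless a subset is requested explicitly."""
    if requested is None:
        return list(parent_policies)
    extra = set(requested) - set(parent_policies)
    if extra:
        raise PermissionError(f"child policies {sorted(extra)} not held by parent")
    return list(requested)


def run_provider(token_policies: Sequence[str]) -> List[str]:
    """Replay the provider's calls the way Vault would answer them; the
    second call runs with the child token, and the replay stops at the
    first 403 just as terraform plan does."""
    log: List[str] = []
    current = list(token_policies)
    for method, path in PROVIDER_REQUESTS:
        ok, why = evaluate(current, method, path)
        log.append(f"{method} /v1/{path} -> {200 if ok else 403} ({why})")
        if not ok:
            break
        if path == "auth/token/create":
            current = create_child(current)  # later calls use the child token
    return log


if __name__ == "__main__":
    for name in POLICIES:
        print(f"== token with policy {name!r} ==")
        print("\n".join(run_provider([name])))
```

Running it shows the non-working policy failing on the very first call, before aws/creds is ever touched, and the working policy succeeding on both. On the side-effect question: as modelled in create_child, a non-root token that can "update" auth/token/create can only mint children carrying its own policies or a subset of them, so the extra capability does not widen what the Terraform token can reach; it only lets it spawn shorter-lived copies of itself. If you would rather not grant it at all, newer versions of the Terraform Vault provider have a skip_child_token setting that makes the provider use the login token directly instead of minting a child.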