Variable | Default | Example
---|---|---
VAULT_ADDR | https://vault.example.com:8200 | 
VAULT_ROLE | aws_readonly | 
VAULT_TTL | 3600 | 60
VAULT_AUTH | radius or approle or ldap | ldap
VAULT_CRED | to stdout | ./credentials
VAULT_MOUNT | secret | 
VAULT_SECRET | gitlab | 
VAULT_TLS_VER | True | 

Variable | Default
---|---
VAULT_USER | ROLE_ID
VAULT_PASS | SECRET_ID

Variable | Default
---|---
VAULT_USER | 
VAULT_PASS | 

Variable | Default
---|---
VAULT_USER | 
VAULT_PASS | 
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "eks:*"
      ],
      "Resource": "*"
    }
  ]
}
```
2. Create the role arn:aws:iam:::role/VaultAdmin with the attached policy arn:aws:iam:::policy/VaultAdminPolicy and configure its trust relationship with the account from step 0.
3. Enable the Vault AWS Secrets Engine with the Access_Key and Secret_Key of the account from step 0 and the necessary timeouts.
4. Create the role default.admin in the AWS Secrets Engine with type AssumedRole and Role Arn: arn:aws:iam::*:role/VaultAdmin
5. Configure authentication in Vault with the methods radius, approle or ldap (tbd) and a policy that grants access to the AWS Secrets Engine:
```hcl
# Read and update aws/sts/*
path "aws/sts/*" {
  capabilities = ["read", "update"]
}
```
```yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::*:role/VaultAdmin
      username: system:node:vaultadmin
      groups:
        - system:masters
```
```bash
docker run \
  -e VAULT_AUTH="ldap" \
  -e VAULT_ADDR="https://vault.example.local:8200" \
  -e VAULT_USER="some_user" \
  -e VAULT_PASS="some_password" \
  -e VAULT_ROLE="default.admin" \
  -e VAULT_TTL=60 \
  alphaceti/aws-vaulty:0.1.3
```
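As an added example, not code from aws-vaulty or its image, the following Python script shows what a client configured like the container above has to do against the Vault HTTP API: log in with the chosen VAULT_AUTH method, request STS credentials from aws/sts/<VAULT_ROLE> with VAULT_TTL, and write them owner-only instead of leaving them world-readable. It assumes the AWS secrets engine is mounted at aws (as in the step 5 policy), that VAULT_TTL is in seconds, and that VAULT_TLS_VER is only ever set to False for testing; the function names are mine.

```python
import json
import os
import ssl
import stat
import urllib.request

def build_login_request(addr, auth, user, password):
    """Return (url, body) for the Vault login endpoint of the chosen VAULT_AUTH method."""
    if auth == "approle":  # here VAULT_USER/VAULT_PASS carry ROLE_ID/SECRET_ID
        return f"{addr}/v1/auth/approle/login", {"role_id": user, "secret_id": password}
    if auth in ("ldap", "radius"):
        return f"{addr}/v1/auth/{auth}/login/{user}", {"password": password}
    raise ValueError(f"unsupported VAULT_AUTH: {auth}")

def build_sts_request(addr, role, ttl_seconds):
    """aws/sts/<role>; sending a ttl needs the 'update' capability granted in step 5."""
    return f"{addr}/v1/aws/sts/{role}", {"ttl": f"{int(ttl_seconds)}s"}

def format_credentials(data, profile="default"):
    """Render the STS response data as an AWS shared-credentials profile."""
    return (f"[{profile}]\naws_access_key_id = {data['access_key']}\n"
            f"aws_secret_access_key = {data['secret_key']}\n"
            f"aws_session_token = {data['security_token']}\n")

def write_credentials(path, text):
    """Write the file owner-only (0600) so other local users cannot read the keys."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tightens the mode of a pre-existing file
    with os.fdopen(fd, "w") as f:
        f.write(text)
    return stat.S_IMODE(os.stat(path).st_mode)

def vault_post(url, body, token=None, verify_tls=True):
    """POST JSON to Vault; VAULT_TLS_VER=False disables server authentication (testing only)."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    headers = {"Content-Type": "application/json", **({"X-Vault-Token": token} if token else {})}
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)

def fetch_credentials(env):
    """Login, request STS credentials for VAULT_ROLE, then write (VAULT_CRED) or print them."""
    addr, verify = env["VAULT_ADDR"], env.get("VAULT_TLS_VER", "True").lower() != "false"
    url, body = build_login_request(addr, env["VAULT_AUTH"], env["VAULT_USER"], env["VAULT_PASS"])
    token = vault_post(url, body, verify_tls=verify)["auth"]["client_token"]
    url, body = build_sts_request(addr, env.get("VAULT_ROLE", "aws_readonly"), env.get("VAULT_TTL", "3600"))
    text = format_credentials(vault_post(url, body, token, verify)["data"])
    write_credentials(env["VAULT_CRED"], text) if env.get("VAULT_CRED") else print(text, end="")
    return text
```

Run it as `fetch_credentials(os.environ)` with the same VAULT_* variables the container takes; the short VAULT_TTL keeps a leaked credentials file useful to an attacker for minutes rather than an hour.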