# vault-iam-request


A small golang program to build the STS request used to perform Vault IAM-based auth in AWS.


## Usage

```
vault-iam-request [OPTIONS]

Application Options:
  -r, --role= The Vault role to authenticate against
  -j, --json  Output data in JSON format
  -f, --file= Write output to file instead of stdout

Help Options:
  -h, --help  Show this help message
```

## Credentials

vault-iam-request needs valid AWS credentials to be able to talk to STS. Because it reuses the Vault CLI codebase, it automatically picks up credentials from the standard `AWS_*` environment variables, from `~/.aws/credentials`, and from instance profiles.

## Concourse

vault-iam-request was developed to allow the integration of Vault as a Concourse secret backend without hardcoding a long-lived token. The output of vault-iam-request can be directly fed into vault_remote_auth_param and Concourse will use it to auth against a Vault role and obtain a token.

As STS calls are timestamped, Concourse cannot replay the same signed request to re-authenticate once the token expires. For this reason, it's highly recommended to configure the Vault role to issue a periodic token instead of a normal token. As long as Concourse renews the token within the period, the token's TTL is reset and it keeps working. Should the token expire without being renewed, ATC must be restarted with a freshly generated STS request.