#vault (2020-01)
Discussions related to Hashicorp Vault
2020-01-13
I’m a bit confused by the AWS auth backend. Am I allowed to authenticate to Vault via AWS STS credentials from my local machine, or do I need to be on an EC2 when I assume a role so the metadata endpoint is present?
Essentially, is it possible to eventually say something like this on my local terminal: aws-vault exec sandbox-role -- vault login --method aws and then vault kv read ...?
Yes, you can totally use this on your local machine
(and it also works with the metadata endpoint, if you happen to be in EC2)
also, aws-vault provides its own “mock” AWS metadata service if you use the --server mode
We have some rough docs here on how we use it: https://docs.cloudposse.com/tools/aws-vault/
not sure if they will help you
That does help, thanks!
It looks like I can use https://www.terraform.io/docs/providers/vault/r/aws_auth_backend_role.html and do something like:
resource "vault_aws_auth_backend_role" "local_iam_user_role" {
  role                     = "some_role_name"
  auth_type                = "iam"
  bound_iam_principal_arns = ["arn:aws:iam::<account_id>:role/SomeRoleOnlyAdminsHaveAccessTo"]
  token_policies           = ["admin"]
}
and then use credentials from aws-vault for the role SomeRoleOnlyAdminsHaveAccessTo
2020-01-30
A very blondie question… Vault… I’d assume you always want to firewall it? It’s your secrets API anyway…
I’d say strongly recommended unless some extremely special case
:)
2020-01-31
How would one restart a vault server? Or otherwise, how could I apply new changes to the config hcl file?
For security reasons only some configs are updated with a SIGHUP signal to vault proc, which will not restart it completely (and possibly seal vault if you do not have auto-unseal enabled): https://www.vaultproject.io/docs/configuration/
Some of the ones I know of are tls_cert_file and tls_key_file. Not sure about others ;(