VaultEc2

John Ioannidis edited this page Jun 24, 2019 · 1 revision

See https://www.vaultproject.io/docs/auth/aws.html for general reference.

Assumptions:

  • Vault is running in EC2.

Before you start, ensure that the output type for the AWS CLI is json, and that you have the jq utility installed.

  1. Save this policy file:

     cat > vault-ec2-policy.json <<@EOF
     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Effect": "Allow",
                 "Action": [
                     "ec2:DescribeInstances",
                     "iam:GetInstanceProfile",
                     "iam:GetUser",
                     "iam:GetRole"
                 ],
                 "Resource": "*"
             },
             {
                 "Effect": "Allow",
                 "Action": [
                     "sts:AssumeRole"
                 ],
                 "Resource": "arn:aws:iam:::role/VaultOnEc2"
             }
         ]
     }
     @EOF
    
  2. Save this assume-policy-document file:

     cat > vault-ec2-assume-policy-document.json <<@EOF
     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Action": "sts:AssumeRole",
                 "Effect": "Allow",
                 "Principal": {
                     "Service": "ec2.amazonaws.com"
                 }
             }
         ]
     }
     @EOF
    
  3. Create the role to run Vault under:

     aws iam create-role \
       --role-name ji-testing-vault-ec2 \
       --description 'Run Vault under this role' \
       --assume-role-policy-document "$(cat vault-ec2-assume-policy-document.json)"
    

  4. Create the policy:

     aws iam create-policy \
       --policy-name VaultServer \
       --policy-document \
       '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeInstances", "iam:GetInstanceProfile", "iam:GetUser", "iam:GetRole" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "sts:AssumeRole" ], "Resource": "arn:aws:iam:::role/*" } ] } '
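
As an added check that is not part of the original page, the Python below lints the two documents above before they are handed to the AWS CLI: it flags an sts:AssumeRole target that is not one fully qualified role ARN (the ARN on this page carries no account id, and the inline variant ends in role/*), and a trust policy that trusts anything other than ec2.amazonaws.com. The sample documents are constructed copies of the page's JSON.

```python
import json
import re

# Constructed copies of the two documents from the steps above; the role ARN is
# left without an account id, exactly as it appears on the page.
VAULT_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "iam:GetInstanceProfile",
   "iam:GetUser", "iam:GetRole"], "Resource": "*"},
  {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": "arn:aws:iam:::role/VaultOnEc2"}]}""")
TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Action": "sts:AssumeRole", "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}}]}""")

# A fully qualified IAM role ARN: empty region, 12-digit account id, role path/name.
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

def as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]

def lint_policy(doc):
    """Findings for the Vault server policy: wildcard actions, and sts:AssumeRole
    targets that are not one fully qualified role (the page's ARN has no account id)."""
    findings = []
    for stmt in doc["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = as_list(stmt.get("Action", [])), as_list(stmt.get("Resource", []))
        findings += [f"wildcard action {a}" for a in actions if a == "*" or a.endswith(":*")]
        if "sts:AssumeRole" in actions:
            for res in resources:
                if res == "*" or res.endswith("/*"):
                    findings.append(f"sts:AssumeRole allowed on every role matching {res}")
                elif not ROLE_ARN.match(res):
                    findings.append(f"sts:AssumeRole target is not a full role ARN: {res}")
    return findings

def lint_trust(doc, expected_service="ec2.amazonaws.com"):
    """Findings for the trust policy: only the expected AWS service may assume the role."""
    findings = []
    for stmt in doc["Statement"]:
        principal = stmt.get("Principal", {})
        aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if "*" in aws:
            findings.append("trust policy lets any principal assume the role")
        findings += [f"unexpected trusted service {s}" for s in services if s != expected_service]
    return findings
```

Running lint_policy on the page's document reports the account-less ARN; supplying arn:aws:iam::ACCOUNT_ID:role/VaultOnEc2 with your own 12-digit account id clears the finding.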