In the process of implementing HashiCorp Vault and utilizing the AWS secrets engine. We have LDAP set up as an auth method and users are able to curl the vault endpoint to pull credentials:
curl --request POST --data @payload.json https://vault-api.test.com/v1/auth/ldap/login/me | jq '.' curl --header "X-Vault-Token: mytoken" --request GET https://vault-api.test.com/v1/aws/creds/grp-aws-r-usersrole | jq
Access keys are granted - does anyone know of a script/tool that's already in place that:
- Securely creates the payload.json with your LDAP password
- CURL's the Vault endpoint with the payload
- Deletes the payload file
- Retrieves the token
- CURL's the Vault endpoint with the token to retrieve the ephemeral access keys
- Loads the access keys in the .aws/credentials store
I've used https://github.com/Fullscreen/aws-rotate-key before we moved to Vault but it's no longer applicable.
Should I write something and share?