DEV Community

loading...

HashiCorp Vault+AWS Secrets+Rotation tool?

dietertroy profile image Troy ・1 min read

In the process of implementing HashiCorp Vault and utilizing the AWS secrets engine. We have LDAP set up as an auth method and users are able to curl the vault endpoint to pull credentials:

curl --request POST --data @payload.json https://vault-api.test.com/v1/auth/ldap/login/me | jq '.'

curl --header "X-Vault-Token: mytoken" --request GET https://vault-api.test.com/v1/aws/creds/grp-aws-r-usersrole | jq
Enter fullscreen mode Exit fullscreen mode

Access keys are granted - does anyone know of a script/tool that's already in place that:

  1. Securely creates the payload.json with your LDAP password
  2. CURL's the Vault endpoint with the payload
  3. Deletes the payload file
  4. Retrieves the token
  5. CURL's the Vault endpoint with the token to retrieve the ephemeral access keys
  6. Loads the access keys in the .aws/credentials store

I've used https://github.com/Fullscreen/aws-rotate-key before we moved to Vault but it's no longer applicable.

Should I write something and share?

Discussion (1)

Collapse
dietertroy profile image
Forem Open with the Forem app