
aws secret engine #377

Open
Roxyrob opened this issue Jan 26, 2022 · 3 comments

Comments

@Roxyrob

Roxyrob commented Jan 26, 2022

Hi @TerryHowe,
I cannot see an explicit module to support the AWS Secrets Engine. Do you provide the aws secret engine using another module, or do you have a plan to add a module for that?

@TerryHowe
Owner

Probably could use the generic secrets engine module, but I haven't tried it.

@Roxyrob
Author

Roxyrob commented Jan 26, 2022

Thank you @TerryHowe for your response and for the work on these ansible/hashicorp vault integration modules.

The AWS secret engine needs a secret engine backend definition (of type aws) like this:

vault secrets enable -path=awssample -max-lease-ttl=... -default-lease-ttl=... aws

So probably the generic hashivault_secret_engine can do that. The AWS secret engine also needs a configuration for the IAM user Vault will use to interact with AWS (create temporary IAM users or assume IAM roles):

vault write awssample/config/root \
  access_key=... \
  secret_key=... \
  region=...

and for the AWS secret engine a Vault role is necessary to tell Vault to create a temporary IAM user or assume an IAM role:

(assume IAM role)
vault write awssample/roles/vrole1 \
  role_arns=arn:aws:iam::account_id:role/awsrole1 \
  credential_type=assumed_role

  or

(create IAM user)
vault write awssample/roles/vrole2 \
  -explicit-max-ttl=... \
  credential_type=iam_user \
  policy_document=-<< EOH
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "...",
      "Resource": "..."
    }
  ]
}
EOH

Probably for vault write API calls I can fall back on the module hashivault_write, even if the documentation says "Consider using hashivault_secret instead". So ASAP I'll give my assumptions a try, at least until a specific hashivault_aws_secret... module (like the hashivault_azure_secret_engine one) is available.

@TerryHowe
Owner

Yeah, once the backend is configured, the normal read and write operations should work fine with hashivault_secret or hashivault_write.
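The approach discussed in this thread (enable the aws backend with hashivault_secret_engine, then configure config/root and the roles with hashivault_write), written out as an Ansible playbook. This is an added example, not code from the ansible-modules-hashivault project or from either participant. It assumes the module parameters as documented for hashivault_secret_engine (name, backend, config) and hashivault_write (mount_point, secret, data), that VAULT_ADDR and VAULT_TOKEN are set in the environment for the modules' default authentication, and that the mount path, account id, role name, region and IAM policy are placeholders chosen for the example.

```yaml
# Added example playbook (not from the ansible-modules-hashivault project or this issue).
# Assumed module parameters: hashivault_secret_engine(name, backend, config),
# hashivault_write(mount_point, secret, data). Mount path, account id, role name,
# region and the IAM policy are placeholders.
- name: Configure a Vault AWS secrets engine with the hashivault modules
  hosts: localhost
  gather_facts: false
  vars:
    aws_mount: awssample                 # placeholder mount path
    # Constructed least-privilege policy for the iam_user role: read-only on one bucket.
    vrole2_policy:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action:
            - s3:ListBucket
            - s3:GetObject
          Resource:
            - arn:aws:s3:::example-bucket        # placeholder bucket
            - arn:aws:s3:::example-bucket/*
  tasks:
    - name: Enable the aws secrets engine (vault secrets enable -path=awssample aws)
      hashivault_secret_engine:
        name: "{{ aws_mount }}"
        backend: aws
        config:
          default_lease_ttl: 1h
          max_lease_ttl: 24h

    - name: Store the root credentials Vault uses to talk to AWS (config/root)
      hashivault_write:
        mount_point: "{{ aws_mount }}"
        secret: config/root
        data:
          access_key: "{{ lookup('env', 'AWS_ACCESS_KEY_ID') }}"
          secret_key: "{{ lookup('env', 'AWS_SECRET_ACCESS_KEY') }}"
          region: eu-west-1                     # placeholder region
      no_log: true   # the long-lived root key must not land in the Ansible log

    - name: Role that hands out STS credentials for an assumed IAM role (roles/vrole1)
      hashivault_write:
        mount_point: "{{ aws_mount }}"
        secret: roles/vrole1
        data:
          credential_type: assumed_role
          role_arns: "arn:aws:iam::123456789012:role/awsrole1"   # placeholder account id

    - name: Role that creates a scoped temporary IAM user (roles/vrole2)
      hashivault_write:
        mount_point: "{{ aws_mount }}"
        secret: roles/vrole2
        data:
          credential_type: iam_user
          policy_document: "{{ vrole2_policy | to_json }}"
```

Two points worth keeping when adapting this: the root key written to config/root is the one long-lived AWS credential in the setup, so it should come from the environment or a lookup rather than a checked-in vars file, and no_log stays on that task; and the iam_user role's policy document is where least privilege is enforced, since every temporary user Vault creates inherits exactly that policy.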
