Improve docs for vault iam auth #104
Conversation
| # AWS credentials. | ||
| # AWS credentials. It was modified from the python 2.x example published by | ||
| # J. Thompson, the author of the Vault IAM auth method, at the vault support | ||
| # mailing list. |
examples/vault-iam-auth/README.md
Outdated
| @@ -57,28 +50,48 @@ of the Vault nodes. | |||
|
|
|||
| ### Vault Authentication using IAM user or role | |||
|
|
|||
| To read more about Vault IAM auth, refer to [Vault AWS Auth documentation][aws_auth]. | |||
| IAM auth is a process in which Vault leverages on AWS STS (Security Token Service) to | |||
There was a problem hiding this comment.
No need for the word "on"
examples/vault-iam-auth/README.md
Outdated
| [`ec2` auth method example][ec2_example]. | ||
|
|
||
| The workflow is that the client trying to authenticate will create a request to | ||
| the method `GetCallerIdentity` of the AWS STS API. This method basically answers |
There was a problem hiding this comment.
create a request (but not send!)
examples/vault-iam-auth/README.md
Outdated
| the STS request without actually knowing the contents of the signed part. It then | ||
| receives a response from STS identifying who signed it, which the Vault Server then | ||
| can check against the ARN of the IAM principal bounded to a previously created Vault | ||
| Role and decide if it should be allowed to authenticate or not. |
There was a problem hiding this comment.
Maybe because it's not my first time reading it, but I find your explanation clearer than the Vault docs 👍
examples/vault-iam-auth/README.md
Outdated
| #### With an HTTP request | ||
|
|
||
| The [vault-consul-ami][vault_consul_ami] includes a [python script][py_sign] called | ||
| `sign-request.py`. We use python here instead of bash so we take advantage of the |
|
|
||
| The [vault-consul-ami][vault_consul_ami] includes a [python script][py_sign] called | ||
| `sign-request.py`. We use python here instead of bash so we take advantage of the | ||
| `boto3` AWS SDK library. This script is a modified version of the Python 2.x example |
There was a problem hiding this comment.
(the same pattern should work with the AWS SDK in any other supported language such as Go, Java, Ruby, ...)
examples/vault-iam-auth/README.md
Outdated
| creds=$(curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<AWS-IAM-ROLE-NAME>) | ||
| export AWS_ACCESS_KEY_ID=$(echo $creds | jq -r .AccessKeyId) | ||
| export AWS_SECRET_ACCESS_KEY=$(echo $creds | jq -r .SecretAccessKey) | ||
| export AWS_SESSION_TOKEN=$(echo $creds | jq -r .Token) |
There was a problem hiding this comment.
Hm, are you sure you have to extract AWS creds from EC2 metadata here? All the AWS SDK tools I've ever used (which includes Vault) know to look for these creds automatically, with you having to set those env vars.
There was a problem hiding this comment.
I tried without this and I didn't succeed, maybe the fault was on me or something I did and it should have worked? Hm... Maybe I'll try again
There was a problem hiding this comment.
duh, I was passing the iam role name instead of the vault role name 🤦♀️
|
Notify |
No description provided.