Going further with Vault: the usual approach is to first obtain Vault's root token, log in and configure AWS access, load the AWS IAM root credentials into it, and then write to rotate them, so that the credentials exist only inside Vault and cannot leak. From that root credential, various time-limited temporary credentials are then derived for use.
But, heh, I happen not to have root credentials, because I am an outside administrator. I can only log in with federation_token.
So how do you use it? The method is as follows:
First, create two policies in AWS IAM:
# Federator's policy, used to obtain the token
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "sts:GetFederationToken",
      "Resource": "*"
    }
  ]
}
# Change-self-access-keys policy, used to rotate the keys
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListUsers",
        "iam:GetAccountPasswordPolicy"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:*AccessKey*",
        "iam:GetUser"
      ],
      "Resource": [
        "arn:aws:iam::*:user/${aws:username}"
      ]
    }
  ]
}
Then, in Vault, enable and configure the AWS secrets engine:
vault secrets enable aws
# The AWS credentials need matching IAM permissions
# Either an actual AWS IAM user, or a role with a corresponding temporary user; one of the two
vault write aws/config/root access_key=YYY \
secret_key=XXX region=us-east-1 \
sts_endpoint=https://sts.us-east-1.amazonaws.com sts_region=us-east-1
# Rotate the root credential, so that it exists only inside Vault
vault write -force aws/config/rotate-root
Usage:
# First create a role in Vault; here the role is ec2-admin:
vault write aws/roles/$role - < aws/roles/$role.json
Its contents are as follows:
{
  "credential_type": "federation_token",
  "default_sts_ttl": 300,
  "iam_groups": null,
  "max_sts_ttl": 3600,
  "policy_arns": [
    "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
  ],
  "policy_document": ""
}
# Obtain the access key
vault write aws/sts/ec2-admin ttl=15m
Key                Value
---                -----
lease_id           aws/sts/ec2-admin/NNN
lease_duration     14m59s
lease_renewable    false
access_key         XXX
secret_key         YYY
security_token     ZZZ
ttl                14m59s
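As an added example that is not part of the original post, the Python helper below turns the Key/Value table printed above into the JSON document the AWS CLI's credential_process setting consumes, computing Expiration from ttl and refusing output that lacks the session token. The sample table, its XXX/YYY/ZZZ values and the function names are constructed for illustration.

```python
import re
import time
from datetime import datetime, timezone

# Constructed sample of the Key/Value table that `vault write aws/sts/ec2-admin ttl=15m`
# prints, in the layout shown in the post; XXX/YYY/ZZZ are placeholders, not real keys.
SAMPLE_OUTPUT = """\
Key                Value
---                -----
lease_renewable    false
access_key         XXX
secret_key         YYY
security_token     ZZZ
ttl                14m59s
"""

def parse_duration(text):
    """Convert a Vault duration such as '14m59s' or '1h' into seconds."""
    units = {"h": 3600, "m": 60, "s": 1}
    parts = re.findall(r"(\d+)([hms])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unrecognised Vault duration: {text!r}")
    return sum(int(n) * units[u] for n, u in parts)

def parse_vault_table(text):
    """Parse the two-column table into a dict, skipping the Key/--- header rows."""
    fields = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith(("Key", "---")):
            key, _, value = line.partition(" ")
            fields[key] = value.strip()
    return fields

def to_credential_process(text, now_epoch=None):
    """Build the JSON document the AWS CLI/SDK credential_process setting expects."""
    fields = parse_vault_table(text)
    # STS temporary credentials are rejected without the session token, so a missing security_token is an error.
    missing = [k for k in ("access_key", "secret_key", "security_token", "ttl") if k not in fields]
    if missing:
        raise ValueError(f"vault output is missing {missing}")
    now = time.time() if now_epoch is None else now_epoch
    expires = datetime.fromtimestamp(now + parse_duration(fields["ttl"]), tz=timezone.utc)
    return {
        "Version": 1,
        "AccessKeyId": fields["access_key"],
        "SecretAccessKey": fields["secret_key"],
        "SessionToken": fields["security_token"],
        "Expiration": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }
```

Since lease_renewable is false, nothing can extend these credentials; once the ttl lapses a fresh `vault write aws/sts/ec2-admin` call is needed.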
Article on the normal use of AWS credentials: