Option to generate AWS IAM Users with Web Console Access
It would be great if we could generate a username/password for IAM users along with the secret key and access id. A user could provide an additional flag for username/password, and then Vault could also be used as a much better PAM solution, I believe.
I tried searching the documents but they do not mention whether we could create IAM users with web console access, so it would really be a nice addition.
Hi @jay-dee7 , thanks for opening this request.
Can I get some further clarification on your request? Am I right in thinking you'd like to be able to do this call, but using the Vault UI's CLI to do it? Here's a screenshot of the CLI I'm talking about:

Have you attempted this already or are you mainly going off the lack of docs? If not, would you be willing to attempt it?
Thanks!
@tyrannosaurus-becks thanks for the quick follow up, I'm talking about extending the usage that you mentioned. If you see the output, it generates programmatic access credentials (secret access key and access key id); would it be possible to generate a username and password (random obviously) alongside these keys, for an optional flag, etc?
@jay-dee7 -- I haven't tried it, but perhaps you could call sts:GetFederationToken with the returned credentials, and then use those credentials with the procedures described here to login to the Console? It's a bit of a hack but might work.
@tyrannosaurus-becks -- I believe what @jay-dee7 is asking for is for Vault to call iam:CreateLoginProfile on the returned credentials with a randomly generated password and then to return that password to the end users.
@joelthompson this looks like something that can totally work, but I would really love to have some native functionality from Vault. CreateLoginProfile is exactly what I'm talking about. This seems to be something pretty easy and I would love to submit a PR if it doesn't have any complications @tyrannosaurus-becks
Another option is to give the IAM users permission to set their own passwords, which they can do via the CLI and then use those passwords to login.
Anyway, I agree it should be pretty easy. I guess the main questions are:
- Should the username and password be returned for every `iam_user` credential or only some of them? I would think probably not, I know some folks are sensitive to credentials being used in only the console or NOT via the console, so I would think the answer should be no.
- If not, how do we specify which Vault roles should return a username/password, which should return just API creds, and which should be both? I could see either a new `credential_type`, say, `console_user`, which returns only the username and password, or maybe some other flag, say, `credential_formats` that could be something like `api_keys` (for all existing credential types) and `username_password` (valid only for the `iam_user` credential type).
I totally agree with you @joelthompson, I think it should be optional to create AWS IAM console credentials, which can be toggled via some flag/JSON field. I see this might have some security concerns but I think it could be a good addition.
I as well agree. I tried to make this happen in pure Vault and was surprised that this was not included. I think it could be reasonably simple to implement?
@tyrannosaurus-becks @joelthompson should I try my luck here and try to open a PR for this? I see the label is set to enhancement, so can I give it a shot?
Hi @jay-dee7 - I actually have moved on from HashiCorp! 😄 I think, though, that @kalafut might be a good person to ask.
Hey @kalafut, do you think it would be okay for me to work on this and raise a PR? Or would we need to discuss this further and see whether it aligns with Vault's future direction?
This ticket has been open for a while now; the workaround I do is:
Vault generates an IAM access key & secret key. I then add it to AWS Vault and run `aws-vault login <profile_name>`. This gives me console access.
@jay-dee7: do you have any other better solution that works? Please advise.
Hi there :) any update on this? I was able to follow @chetanbothra's suggestion and it works, but a better solution is needed because if I wanted to generate temporary console credentials for a user it means they would have to install aws-vault on their computer in order to login. Locally for testing, using aws-vault works fine, but any update on a better solution coming up in a release? 🤔
Let me also add our use case: We would like to use the AWS secrets engine in Vault to provide temporary credentials to our colleagues for an AWS playground account. While, in some cases, programmatic access is enough, many of them request access to the Web console as well.
So the easiest solution that we found so far is to create a login profile after one has received the access and secret keys:
```
aws iam create-login-profile --user-name vault-ldap-YOURUSER-admin-... --password TestPassword2
```
Then with the username and password one can login at https://console.aws.amazon.com.
However, note that a login profile will prevent Vault from deleting the temporary IAM user, so it will stay there forever! (opening a ticket about it soon)
This is an important use case to really raise AWS security and achieve "Zero AWS IAM Static Credentials" (removing the risk of AWS IAM credentials management) and so reach a Zero Trust Security solution on AWS.
As far as I know, the only barrier to doing that with the "Vault AWS Auth Method (types)" is AWS Console login credentials. This would make the solution really valuable for developers (who need to check the desired state of IaC code outcomes against the current state using the AWS Console), but it would be very useful also for other stakeholders: Financial Teams (Billing management), Monitoring Team (Monitoring/Logging Dashboards), etc.
It is clear that a developer can run the command line to get temporary user credentials with API credentials, but probably not all temporary API credentials should need permissions to self-manage all their AWS IAM.
Vault has all the data and can directly return (probably with a little effort) temporary and random AWS Console credentials (also on the Web UI for non-developer use), simplifying achieving "Zero AWS IAM Static Credentials" and improving a lot this auth method and the Zero Trust Security benefits derived from Vault.
I think one solution would be to use the AWS Secret Engine "iam_user" to get AWS IAM User access/secret keys and request a federated token (GetFederationToken).
With the GetFederationToken response, Vault can create a URI like the one below that can directly be used to access the AWS Console with the AWS IAM User's permissions:
`https://signin.aws.amazon.com/federation?Action=login&Issuer={issuername (e.g. vault)}&Destination=https://{region}.console.aws.amazon.com/console/home?region={region}&SigninToken={federated token}`
Not sure if this can help simplify development of the feature, but you can see code taken from the aws-vault tool:
login.go => sample code for requestSigninToken and URL creation
The link (Vault can output it with the access/secret keys) allows the requester to access the AWS Console with a temporary federated token requested by Vault on behalf of the AWS IAM user (temporary until Vault removes the iam_user), with simple.
The response from GetFederationToken can probably be used for different use cases too.
This also seems not to introduce useless complexity to create a user profile, etc.
PS: probably the Vault AWS Secret Engine type "federation_token" works in a similar way, but as far as I know an AWS IAM User is required for AWS Console access.
(Checked) The Vault AWS Secret Engine type "federation_token" returns a federation token (as the name implies...).
To get a Login URL it is necessary to get a Sign-in Token (login.go => sample code for requestSigninToken) and return the Login URL (login.go => sample code for generateLoginURL).
This login URL can also be created for AssumeRole short-term (temporary) credentials. A feature like this would therefore be useful for both types, "assume_role" and "federation_token", which serve different use cases.
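The two steps this comment refers to (a `requestSigninToken` exchange followed by `generateLoginURL`), written out as an added Go example; it is not aws-vault's or Vault's own code. It assumes the temporary credentials already came out of Vault's `federation_token` or `assume_role` path, and the issuer name and region are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
)

// Temporary credentials from sts:GetFederationToken (or sts:AssumeRole).
type Creds struct{ AccessKeyID, SecretAccessKey, SessionToken string }

const federationEndpoint = "https://signin.aws.amazon.com/federation"

// signinTokenURL builds the Action=getSigninToken request. The Session parameter is
// the credentials renamed to the sessionId/sessionKey/sessionToken keys AWS expects.
func signinTokenURL(c Creds) string {
	session, _ := json.Marshal(map[string]string{ // marshalling a string map cannot fail
		"sessionId": c.AccessKeyID, "sessionKey": c.SecretAccessKey, "sessionToken": c.SessionToken})
	q := url.Values{"Action": {"getSigninToken"}, "Session": {string(session)}}
	return federationEndpoint + "?" + q.Encode()
}

// requestSigninToken performs that request; the response body is {"SigninToken": "..."}.
func requestSigninToken(c Creds) (string, error) {
	resp, err := http.Get(signinTokenURL(c))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	var out struct{ SigninToken string }
	err = json.Unmarshal(body, &out)
	return out.SigninToken, err
}

// generateLoginURL is the Action=login URL from the comment above. It is a bearer
// credential for the console, so deliver it the way the keys it came from are delivered.
func generateLoginURL(issuer, region, signinToken string) string {
	dest := fmt.Sprintf("https://%s.console.aws.amazon.com/console/home?region=%s", region, region)
	q := url.Values{"Action": {"login"}, "Issuer": {issuer}, "Destination": {dest}, "SigninToken": {signinToken}}
	return federationEndpoint + "?" + q.Encode()
}
```

The sign-in token inherits the lifetime of the federated credentials, so the login URL expires together with the `federation_token` or `assume_role` lease; it does not need a login profile, which is what kept Vault from deleting the `iam_user` in the workaround above.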