The Akeyless Dev Hub


AWS Dynamic Secrets

You can define an AWS dynamic secret to dynamically generate AWS access credentials based on IAM policies. You can create dynamic access credentials for AWS in two modes:

  • iam_user mode: When a client requests the dynamic secret value, a temporary IAM user is created for the requested AWS account, and an access key is returned for the client. Although the temporary IAM user's access can be revoked at any time, temporary IAM users can only be created with access to one AWS account. If you have multiple AWS accounts, you will need to define a separate dynamic secret for each account.

  • assumed_role mode: When a client requests the dynamic secret value, an AssumeRole operation is performed to return an access key, secret key, and session token. Although a single dynamic secret can assume roles for multiple accounts, due to AWS limitations, once access is granted, it cannot be revoked before its defined expiration time (a minimum of 15 minutes and a maximum of 12 hours).
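The two modes differ in what "revocation" means: in iam_user mode a temporary IAM user exists until the producer deletes it, so a user that outlives its TTL is a real finding, while in assumed_role mode the STS credentials simply expire. The following is an added example, not Akeyless code, that audits the iam_user lifecycle from CloudTrail-shaped IAM events (CreateUser / DeleteUser); the event records, the producer user name `akeyless-producer` and the `tmp-akl-*` user names are constructed placeholders.

```python
"""Audit the lifecycle of temporary IAM users created in iam_user mode.

Added example, not Akeyless code. It reads CloudTrail-shaped IAM events and
reports which temporary users the producer has already revoked, which are still
inside their expected lifetime, and which have outlived it (a sign that
revocation failed or never ran). Event data and names are constructed.
"""
from datetime import datetime, timedelta, timezone

PRODUCER_USER = "akeyless-producer"  # assumed name of the user Akeyless authenticates as

# Constructed CloudTrail-style records (not real logs), trimmed to the fields used.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T08:00:00Z", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": PRODUCER_USER},
     "requestParameters": {"userName": "tmp-akl-0001"}},
    {"eventTime": "2024-05-01T08:00:01Z", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": PRODUCER_USER},
     "requestParameters": {"userName": "tmp-akl-0001"}},
    {"eventTime": "2024-05-01T09:00:00Z", "eventName": "DeleteAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": PRODUCER_USER},
     "requestParameters": {"userName": "tmp-akl-0001"}},
    {"eventTime": "2024-05-01T09:00:01Z", "eventName": "DeleteUser",
     "userIdentity": {"type": "IAMUser", "userName": PRODUCER_USER},
     "requestParameters": {"userName": "tmp-akl-0001"}},
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": PRODUCER_USER},
     "requestParameters": {"userName": "tmp-akl-0002"}},  # never deleted
    # A user created by someone else: not the producer's responsibility.
    {"eventTime": "2024-05-01T11:00:00Z", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "alice-service-user"}},
]


def parse_event_time(value: str) -> datetime:
    """CloudTrail timestamps are UTC in the form 2024-05-01T08:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_temp_users(events, producer_user=PRODUCER_USER, now=None,
                     max_lifetime=timedelta(hours=12)):
    """Classify IAM users created by `producer_user`.

    revoked   - a matching DeleteUser was seen
    active    - no DeleteUser yet, but younger than max_lifetime at `now`
    lingering - no DeleteUser and older than max_lifetime: investigate
    """
    now = now or datetime.now(timezone.utc)
    created, deleted = {}, set()
    for ev in events:
        # Only events performed by the producer's own identity are in scope.
        if ev.get("userIdentity", {}).get("userName") != producer_user:
            continue
        target = ev.get("requestParameters", {}).get("userName")
        if not target:
            continue
        if ev["eventName"] == "CreateUser":
            created[target] = parse_event_time(ev["eventTime"])
        elif ev["eventName"] == "DeleteUser":
            deleted.add(target)
    report = {"revoked": [], "active": [], "lingering": []}
    for name, created_at in sorted(created.items()):
        if name in deleted:
            report["revoked"].append(name)
        elif now - created_at > max_lifetime:
            report["lingering"].append(name)
        else:
            report["active"].append(name)
    return report


if __name__ == "__main__":
    at = parse_event_time("2024-05-02T00:00:00Z")
    for state, users in audit_temp_users(SAMPLE_EVENTS, now=at).items():
        print(f"{state:10s} {', '.join(users) or '-'}")
```

Run it over a CloudTrail export filtered to `eventSource: iam.amazonaws.com`; the 12-hour default for `max_lifetime` mirrors the longest TTL the page quotes for AWS credentials, and anything in `lingering` deserves a look at why the producer's DeleteUser never happened.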

Prerequisites

To define a dynamic secret for AWS, you first need to configure Akeyless to authenticate and communicate with AWS as follows:

Note: This procedure requires privileged account credentials.

  1. Create an AWS IAM user with privileged administrator access.

  2. Retrieve the access key ID and secret access key for the new AWS IAM user. These credentials are required to authenticate Akeyless with AWS.

    • If you are using iam_user mode, the minimum required policy for the user should include the following permissions:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteAccessKey",
                "iam:AttachUserPolicy",
                "iam:DeleteUser",
                "iam:ListUserPolicies",
                "iam:CreateUser",
                "iam:TagUser",
                "iam:CreateAccessKey",
                "iam:CreateLoginProfile",
                "iam:RemoveUserFromGroup",
                "iam:AddUserToGroup",
                "iam:ListGroupsForUser",
                "iam:ListAttachedUserPolicies",
                "iam:DetachUserPolicy",
                "iam:GetLoginProfile",
                "iam:DeleteLoginProfile",
                "iam:ListUserTags",
                "iam:ListAccessKeys"
            ],
            "Resource": "arn:aws:iam::516800367921:user/*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "iam:ListPolicies",
                "iam:ListRoles",
                "iam:ListUsers",
                "iam:ListGroups"
            ],
            "Resource": "*"
        }
    ]
}
```

AWS IAM Tip: You can create a new user and attach the policy above for the purposes of authenticating with AWS.

  • If you are using assumed_role mode, grant the user AssumeRole permissions to the requested IAM roles. For more information, see here.
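The policy above is a minimum, and the detail that matters for least privilege is that the user-lifecycle actions in the first statement are scoped to `user/*` in one account while only the read-only list actions get `Resource: "*"`. The following is an added example, not Akeyless or AWS tooling, that lints a candidate policy for the producer user against that documented action set: it reports missing actions, extra or wildcard actions, and lifecycle actions granted on `*` instead of a user ARN. The account id `123456789012` and the over-broad `BROAD_POLICY` are constructed placeholders.

```python
"""Lint an IAM policy for the Akeyless producer user (iam_user mode).

Added example, not Akeyless or AWS tooling. It compares an Allow policy with the
minimum action set documented above and flags what a reviewer looks for:
actions missing from that set, extra or wildcard actions, and user-lifecycle
actions granted on Resource "*" instead of a user ARN. Account id is a placeholder.
"""
from fnmatch import fnmatchcase

# User-lifecycle actions: the documented policy scopes these to user ARNs.
USER_ACTIONS = frozenset({
    "iam:DeleteAccessKey", "iam:AttachUserPolicy", "iam:DeleteUser",
    "iam:ListUserPolicies", "iam:CreateUser", "iam:TagUser",
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:RemoveUserFromGroup",
    "iam:AddUserToGroup", "iam:ListGroupsForUser", "iam:ListAttachedUserPolicies",
    "iam:DetachUserPolicy", "iam:GetLoginProfile", "iam:DeleteLoginProfile",
    "iam:ListUserTags", "iam:ListAccessKeys",
})
# Read-only list actions: the documented policy grants these on "*".
LIST_ACTIONS = frozenset({"iam:ListPolicies", "iam:ListRoles", "iam:ListUsers", "iam:ListGroups"})
REQUIRED = USER_ACTIONS | LIST_ACTIONS

# The documented minimum policy, rebuilt from the sets above with a placeholder account id.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow", "Action": sorted(USER_ACTIONS),
         "Resource": "arn:aws:iam::123456789012:user/*"},
        {"Sid": "VisualEditor1", "Effect": "Allow", "Action": sorted(LIST_ACTIONS),
         "Resource": "*"},
    ],
}

# Constructed over-broad policy of the kind often attached "to make it work".
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows a single string/object or a list in Statement, Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def lint_producer_policy(policy: dict) -> list:
    """Return human-readable findings; an empty list means the policy matches the
    documented minimum with user-lifecycle actions scoped to user ARNs."""
    findings = []
    grants = {}  # required action -> set of Resource strings that allow it
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        resources = set(_as_list(stmt.get("Resource")))
        for pattern in _as_list(stmt.get("Action")):
            if "*" in pattern:
                findings.append(f"wildcard action {pattern!r} is broader than the documented minimum")
            elif pattern not in REQUIRED:
                findings.append(f"extra action {pattern!r} is not needed by the producer")
            # Record every required action the pattern covers (e.g. "iam:List*" covers four).
            for action in REQUIRED:
                if fnmatchcase(action, pattern):
                    grants.setdefault(action, set()).update(resources)
    for action in sorted(REQUIRED - grants.keys()):
        findings.append(f"missing action {action!r}")
    for action in sorted(USER_ACTIONS & grants.keys()):
        unscoped = sorted(r for r in grants[action] if ":user/" not in r)
        if unscoped:
            findings.append(f"{action!r} is granted on {unscoped}; "
                            "scope it to arn:aws:iam::<account-id>:user/*")
    return findings


if __name__ == "__main__":
    for label, policy in (("documented minimum", GOOD_POLICY), ("iam:* on *", BROAD_POLICY)):
        problems = lint_producer_policy(policy)
        print(f"{label}: {'ok' if not problems else ''}")
        for line in problems:
            print("  -", line)
```

Feed it the JSON of the policy actually attached to the producer user (for example the output of `aws iam get-policy-version`) before handing the access key to Akeyless; a clean result means the key cannot be used to touch users outside the intended account.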

Create a Dynamic Secret for AWS from the CLI

Let’s create a dynamic secret for AWS using the Akeyless CLI. If you’d prefer, see how to do this from the Akeyless API Gateway UI instead.

```shell
$ akeyless gateway-create-producer-aws -u <Your API GW URL> --name <secret name> \
    --aws-access-key-id <id> \
    --aws-access-secret-key <key> \
    --aws-access-mode <iam_user|assumed_role> \
    --aws-region <region>
```

Create a Dynamic Secret for AWS from the Akeyless API Gateway UI

  1. In the Akeyless API Gateway UI, select Dynamic Secrets > New > AWS Producer.
  2. AWS distinguishes between access and authorization using different users, resource policies, and user groups. In order to perform an operation on a resource, the user must have been granted the appropriate permissions for that resource by way of either a policy or a user group. The AWS IAM docs outline the relevant policies and the permissions they grant.
    Accordingly, complete the values in the producer dialog box to grant the relevant permissions and access to AWS resources to users of this dynamic key, as described below (field: description):

Producer Name: A unique name that describes the purpose or permissions scope of this dynamic secret.

Location: The path in which to store this dynamic secret.

Access Mode: The AWS access mode, either IAM User or Assume Role.

Access Key ID: The access key ID assigned to the admin user you created to authenticate Akeyless with AWS.

Secret Access Key: The secret access key assigned to the admin user you created to authenticate Akeyless with AWS.

Region: The AWS region that the temporary credentials are permitted to access.

Session Token: If you wish to grant temporary security credentials retrieved via the AWS Security Token Service (STS), enter this token. Otherwise, it can be left empty.

User Policies: All of the "user" fields in this dialog box configure the access and authorization to AWS granted to the users who can use the relevant dynamic key. Enter the individual policy ARN(s) available for this producer. Separate multiple values with a comma.

User Groups: Enter the user group name(s) whose authorization you want to give to users of this dynamic key. Separate multiple values with a comma.

Role ARNs: The AWS role ARNs to be used in the Assume Role operation (relevant only for Assume_Role mode).

User Programmatic Access: Check to enable an access key ID and secret access key for the AWS API, CLI and SDK.

User Console Access: Check to enable access to the AWS Management Console (enables a password that allows users to sign in to the AWS Management Console).

Encrypt dynamic secret with the following Key: To enable zero-trust, select a key with a Customer Fragment. For more information about zero-trust, see Zero Trust Encryption.
