The Akeyless Dev Hub


AWS Producer

The AWS Producer generates AWS access credentials dynamically based on IAM policies. In order to create dynamic keys for AWS access, you need to first configure Akeyless to authenticate and communicate with AWS. This requires privileged account credentials.

Prerequisites

To create a producer, first:

  1. Create an AWS IAM user with privileged administrator access.
  2. Retrieve the access key ID and secret access key for that user in order to authenticate Akeyless with AWS.

The minimum required policy for such a user should include the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteAccessKey",
                "iam:AttachUserPolicy",
                "iam:DeleteUser",
                "iam:ListUserPolicies",
                "iam:CreateUser",
                "iam:TagUser",
                "iam:CreateAccessKey",
                "iam:CreateLoginProfile",
                "iam:RemoveUserFromGroup",
                "iam:AddUserToGroup",
                "iam:ListGroupsForUser",
                "iam:ListAttachedUserPolicies",
                "iam:DetachUserPolicy",
                "iam:GetLoginProfile",
                "iam:DeleteLoginProfile",
                "iam:ListUserTags",
                "iam:ListAccessKeys"
            ],
            "Resource": "arn:aws:iam::516800367921:user/*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "iam:ListPolicies",
                "iam:ListRoles",
                "iam:ListUsers",
                "iam:ListGroups"
            ],
            "Resource": "*"
        }
    ]
}

An AWS IAM tip

You can simply create a new IAM user and attach only the policy above; that is sufficient for authenticating Akeyless with AWS.

AWS Producer

  1. Navigate to localhost:8000 and log in using your Gateway credentials. See Install and configure the Gateway for more information.
  2. Navigate to Dynamic Secrets from the left navigation panel.
  3. Select New => AWS Producer. The Create a new AWS Producer window pops up.
  4. AWS distinguishes between access and authorization using different users, resource policies and user groups. In order to perform an operation on a resource, the user must have been granted the appropriate permissions for that resource by way of either a policy or a user group. The AWS IAM docs outline the relevant policies and the permissions they grant.

Accordingly, complete the values in the producer dialog box in order to enable the relevant permissions and access to AWS resources when using the relevant dynamic key, as described in the following table:

Field and description:

  • Producer Name

Enter a unique name that describes the purpose or permissions scope of this producer.

  • Location

Indicate where to store this producer in Akeyless.

  • Access Key ID

The access key ID assigned to the admin user you created in order to authenticate Akeyless with AWS.

  • Secret Access Key

The secret access key assigned to the admin user you created in order to authenticate Akeyless with AWS.

  • Region

The AWS region which the temporary credentials are permitted to access.

  • Session Token

If the credentials above are temporary security credentials retrieved via the AWS Security Token Service (STS), enter the session token that accompanies them. Otherwise, it can be left empty.

The "user" fields that follow (User Policies, User Groups, User Programmatic Access and User Console Access) are where you configure the access and authorization that AWS grants to the users of the relevant dynamic key.

  • User Policies

Enter the individual Policy ARN(s) to attach for this producer. Multiple values should be separated by a comma.

  • User Groups

Enter the name(s) of the user group(s) whose authorization you'd like to give users of this dynamic key. Multiple values should be separated by a comma.

  • User Programmatic Access

Check to enable an access key ID and secret access key for the AWS API, CLI and SDKs.

  • User Console Access

Check to enable access to the AWS Management Console (enables a password that allows users to sign in to the AWS Management Console).

  • Encrypt dynamic secret with the following Key

To enable zero-trust, select a key with a Customer Fragment. For more information about zero-trust, see Zero Trust Encryption.
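To make concrete why the prerequisite policy above lists both create and delete permissions, and how the four "user" fields map onto IAM calls, here is an added example in Python. It is not Akeyless code and not the product's real implementation: it is a standard-library simulation with a fake IAM and a minimal policy evaluator (Action/Resource globs only, no conditions). The user name, the ReadOnlyAccess policy ARN and the group name are constructed sample inputs; the account ID is the one printed in the page's policy.

```python
"""Added example (not Akeyless code): simulate the IAM calls a dynamic AWS
credential needs over its lifetime, gated by the minimum producer policy from
this page. Standard library only; user, policy and group names are constructed."""
import fnmatch
import json

ACCOUNT = "516800367921"  # account ID as printed in the page's policy
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": f"arn:aws:iam::{ACCOUNT}:user/*", "Action": [
        "iam:CreateUser", "iam:TagUser", "iam:AttachUserPolicy", "iam:AddUserToGroup",
        "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:GetLoginProfile",
        "iam:ListAccessKeys", "iam:ListAttachedUserPolicies", "iam:ListGroupsForUser",
        "iam:ListUserPolicies", "iam:ListUserTags", "iam:DeleteAccessKey",
        "iam:DeleteLoginProfile", "iam:DetachUserPolicy", "iam:RemoveUserFromGroup",
        "iam:DeleteUser"]},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["iam:ListPolicies", "iam:ListRoles", "iam:ListUsers", "iam:ListGroups"]},
]}


def is_allowed(policy, action, resource):
    """Minimal evaluator (Action/Resource globs only): explicit Deny wins, else any matching Allow."""
    decision = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(fnmatch.fnmatchcase(action, a) for a in actions) and \
                any(fnmatch.fnmatchcase(resource, r) for r in resources):
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


class FakeIAM:
    """In-memory stand-in for IAM: every user-level call is checked against the producer's policy."""
    def __init__(self, policy):
        self.policy = policy
        self.users = {}  # user name -> {"keys": int, "policies": [...], "groups": [...], "console": bool}

    def call(self, action, user):
        resource = f"arn:aws:iam::{ACCOUNT}:user/{user}"
        if not is_allowed(self.policy, action, resource):
            raise PermissionError(f"{action} on {resource} denied by producer policy")


def issue(iam, user, policy_arns, groups, programmatic, console):
    """Mint a credential: each producer field maps to one or more IAM calls."""
    iam.call("iam:CreateUser", user)
    state = iam.users[user] = {"keys": 0, "policies": [], "groups": [], "console": False}
    iam.call("iam:TagUser", user)
    for arn in policy_arns:           # "User Policies" field
        iam.call("iam:AttachUserPolicy", user)
        state["policies"].append(arn)
    for group in groups:              # "User Groups" field
        iam.call("iam:AddUserToGroup", user)
        state["groups"].append(group)
    if programmatic:                  # "User Programmatic Access" checkbox
        iam.call("iam:CreateAccessKey", user)
        state["keys"] += 1
    if console:                       # "User Console Access" checkbox
        iam.call("iam:CreateLoginProfile", user)
        state["console"] = True
    return state


def revoke(iam, user):
    """Unwind every attachment (enumerating first, hence the List* permissions), then delete the user."""
    state = iam.users[user]
    for list_action, delete_action, count in [
        ("iam:ListAccessKeys", "iam:DeleteAccessKey", state["keys"]),
        ("iam:ListAttachedUserPolicies", "iam:DetachUserPolicy", len(state["policies"])),
        ("iam:ListGroupsForUser", "iam:RemoveUserFromGroup", len(state["groups"])),
    ]:
        iam.call(list_action, user)
        for _ in range(count):
            iam.call(delete_action, user)
    if state["console"]:
        iam.call("iam:DeleteLoginProfile", user)
    iam.call("iam:DeleteUser", user)  # real IAM refuses this while anything is still attached
    del iam.users[user]


def lifecycle_ok(policy, drop_action=None):
    """Issue and revoke one credential under `policy` (optionally minus one action); return (ok, leftover users)."""
    if drop_action:
        policy = json.loads(json.dumps(policy))
        for stmt in policy["Statement"]:
            stmt["Action"] = [a for a in stmt["Action"] if a != drop_action]
    iam = FakeIAM(policy)
    try:
        issue(iam, "akeyless-tmp-constructed",
              ["arn:aws:iam::aws:policy/ReadOnlyAccess"], ["developers"], True, True)
        revoke(iam, "akeyless-tmp-constructed")
    except PermissionError:
        return False, sorted(iam.users)
    return True, sorted(iam.users)
```

Calling lifecycle_ok(PAGE_POLICY) returns (True, []); lifecycle_ok(PAGE_POLICY, "iam:DeleteUser") returns (False, ['akeyless-tmp-constructed']). That second result is the failure mode to watch for when trimming the producer's policy: a principal that can mint credentials but cannot fully revoke them leaves orphaned IAM users and access keys behind. The evaluator ignores IAM conditions, permission boundaries and SCPs, so treat it as a sanity check on the action list rather than a replacement for the IAM policy simulator.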

Updated about a month ago
