AWS Dynamic Secrets

You can define a dynamic AWS secret to dynamically generate AWS access credentials based on IAM policies.

You can create dynamic access credentials for AWS in two modes:

  • iam_user mode: When a client requests the dynamic secret value, a temporary IAM user is created in the target AWS account and its access key is returned to the client.

Although the temporary IAM user's access can be revoked at any time, a temporary IAM user can only be created in a single AWS account. If you have multiple AWS accounts, you need a separate dynamic secret for each account.

  • assumed_role mode: When a client requests the dynamic secret value, an AssumeRole operation is performed and the resulting access key ID, secret access key, and session token are returned. All three are needed: AWS rejects temporary credentials that are presented without their session token.

Although a single dynamic secret can assume roles in multiple accounts, due to AWS limitations, once access is granted it cannot be revoked before its defined expiration time (a minimum of 15 minutes and a maximum of 12 hours). The upper bound is also capped by each role's MaxSessionDuration setting (1 hour by default), and if the credentials Akeyless itself uses were obtained by assuming a role, AWS role chaining limits the session to 1 hour regardless of the TTL.

Prerequisites

To define a dynamic secret for AWS, you first need to configure Akeyless to authenticate and communicate with AWS as follows:

📘

Note

This procedure requires privileged account credentials.

  1. Create a dedicated AWS IAM user for Akeyless. Full administrator access is not required: scope the user to the minimum permissions for the access mode you use, as described in the next step.

  2. Retrieve the access key ID and secret access key for the new AWS IAM user. These credentials are required to authenticate with AWS.

    • If you are using iam_user mode, the minimum required policy for the user is the following (replace the account ID placeholder in Resource with the ID of the account in which temporary users will be created; only the List* actions need Resource "*"):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteAccessKey",
                "iam:AttachUserPolicy",
                "iam:DeleteUser",
                "iam:ListUserPolicies",
                "iam:CreateUser",
                "iam:TagUser",
                "iam:CreateAccessKey",
                "iam:CreateLoginProfile",
                "iam:RemoveUserFromGroup",
                "iam:AddUserToGroup",
                "iam:ListGroupsForUser",
                "iam:ListAttachedUserPolicies",
                "iam:DetachUserPolicy",
                "iam:GetLoginProfile",
                "iam:DeleteLoginProfile",
                "iam:ListUserTags",
                "iam:ListAccessKeys"
            ],
            "Resource": "arn:aws:iam::<your-aws-account-id>:user/*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "iam:ListPolicies",
                "iam:ListRoles",
                "iam:ListUsers",
                "iam:ListGroups"
            ],
            "Resource": "*"
        }
    ]
}

📘

AWS IAM Tip

You can create a new user and attach the policy above for the purposes of authenticating with AWS.

  • If you are using assumed_role mode, grant the user sts:AssumeRole permission on the requested IAM roles, and make sure each role's trust policy allows this user as a principal; the permission on the user alone is not enough. For more information see the AWS Assume Role documentation.
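As an added example (this is not code from the Akeyless page or product), the following Python script reviews the policy of the user Akeyless authenticates with, for both access modes. The iam_user check uses the action list from the policy above and flags actions that are missing or granted on Resource "*" instead of the account's user/* scope. The assumed_role check assumes that "AssumeRole permissions to the requested IAM roles" means an sts:AssumeRole statement listing exactly the role ARNs you pass to --aws-role-arns. The account IDs, role names and sample policies are constructed placeholders.

```python
"""Lint the IAM policy of the user Akeyless authenticates with.

Added example, not Akeyless code. Assumptions: the assumed_role prerequisite
is an sts:AssumeRole statement on explicit role ARNs; account IDs, role names
and the sample policies below are constructed for illustration.
"""
import json

# Actions from the minimum iam_user policy shown on this page.
IAM_USER_ACTIONS = {
    "iam:DeleteAccessKey", "iam:AttachUserPolicy", "iam:DeleteUser",
    "iam:ListUserPolicies", "iam:CreateUser", "iam:TagUser",
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:RemoveUserFromGroup",
    "iam:AddUserToGroup", "iam:ListGroupsForUser", "iam:ListAttachedUserPolicies",
    "iam:DetachUserPolicy", "iam:GetLoginProfile", "iam:DeleteLoginProfile",
    "iam:ListUserTags", "iam:ListAccessKeys",
}
# The only actions the page grants on Resource "*".
IAM_LIST_ACTIONS = {"iam:ListPolicies", "iam:ListRoles", "iam:ListUsers", "iam:ListGroups"}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def allow_statements(policy, action):
    """Yield Allow statements that grant `action` literally (no wildcard expansion)."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and action in _as_list(stmt.get("Action", [])):
            yield stmt


def check_iam_user_policy(policy, account_id):
    """Return findings (empty list means OK) for an iam_user-mode policy."""
    findings = []
    user_scope = f"arn:aws:iam::{account_id}:user/*"
    for action in sorted(IAM_USER_ACTIONS):
        resources = {r for s in allow_statements(policy, action)
                     for r in _as_list(s.get("Resource", []))}
        if not resources:
            findings.append(f"missing {action}")
        elif resources != {user_scope}:
            findings.append(f"{action} should be scoped to {user_scope} only, got {sorted(resources)}")
    for action in sorted(IAM_LIST_ACTIONS):
        if not list(allow_statements(policy, action)):
            findings.append(f"missing {action}")
    return findings


def check_assume_role_policy(policy, role_arns):
    """Return findings for an assumed_role-mode policy (assumed shape, see docstring)."""
    findings = []
    targets = {r for s in allow_statements(policy, "sts:AssumeRole")
               for r in _as_list(s.get("Resource", []))}
    if "*" in targets:
        findings.append("sts:AssumeRole on Resource '*': the Akeyless user could assume any role "
                        "whose trust policy admits it; list the role ARNs explicitly")
    for arn in role_arns:
        if arn not in targets and "*" not in targets:
            findings.append(f"no sts:AssumeRole permission for {arn}")
    return findings


# Constructed samples: the page's policy with a placeholder account, and a
# common shortcut that puts every statement on Resource "*".
ACCOUNT = "123456789012"
GOOD_IAM_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": sorted(IAM_USER_ACTIONS),
         "Resource": f"arn:aws:iam::{ACCOUNT}:user/*"},
        {"Effect": "Allow", "Action": sorted(IAM_LIST_ACTIONS), "Resource": "*"},
    ],
}
WIDE_IAM_USER_POLICY = json.loads(json.dumps(GOOD_IAM_USER_POLICY))
WIDE_IAM_USER_POLICY["Statement"][0]["Resource"] = "*"

ROLE_ARNS = [f"arn:aws:iam::{ACCOUNT}:role/akeyless-readonly",
             "arn:aws:iam::210987654321:role/akeyless-deploy"]  # constructed
GOOD_ASSUME_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARNS}]}
WIDE_ASSUME_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}]}

if __name__ == "__main__":
    for name, findings in [
        ("iam_user (scoped)", check_iam_user_policy(GOOD_IAM_USER_POLICY, ACCOUNT)),
        ("iam_user (wildcard)", check_iam_user_policy(WIDE_IAM_USER_POLICY, ACCOUNT)),
        ("assumed_role (explicit)", check_assume_role_policy(GOOD_ASSUME_ROLE_POLICY, ROLE_ARNS)),
        ("assumed_role (wildcard)", check_assume_role_policy(WIDE_ASSUME_ROLE_POLICY, ROLE_ARNS)),
    ]:
        print(name, "OK" if not findings else findings)
```

To review a real policy, pass the Document object from `aws iam get-policy-version` (or `aws iam get-user-policy` for an inline policy) to the check for the mode you use. The checks match actions literally, so a policy that relies on `iam:*` wildcards is reported as missing actions; that is intentional, since such a policy is broader than the minimum shown above.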

Create a Dynamic AWS Secret from the CLI

👍

Tip

To set up a dynamic secret, you can either configure a connection to the target server first or provide all parameters of the target server in the secret creation command.

We recommend using dynamic secrets together with targets. This saves repeating the AWS connection details in every secret. To enable this flow, you must ensure that the user responsible for creating dynamic secrets has permission to access or create targets.

To create a dynamic AWS secret from the CLI using the existing target, run the following command:

akeyless gateway-create-producer-aws \
--name <secret name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL>:8000' \
--aws-access-mode <iam_user|assumed_role> \
--aws-user-policies <Policy ARN> \
--aws-user-groups <UserGroup name> \
--aws-role-arns <AWS Role ARNs>

Where:

  • name: A unique name of the dynamic secret. The name can include the path to the virtual folder where you want to create the new dynamic secret, using slash / separators. If the folder does not exist, it will be created together with the dynamic secret.

  • target-name: A name of the target that enables connection to the AWS server. The name can include the path to the virtual folder where this target resides.

  • gateway-url: API Gateway URL.

  • aws-access-mode: The type of credentials to retrieve from AWS. The following options are available: iam_user, assumed_role.

  • aws-user-policies: Policy ARN(s) to attach to the temporary user (iam_user mode). Multiple values should be separated by a comma.

  • aws-user-groups: UserGroup name(s) to add the temporary user to (iam_user mode). Multiple values should be separated by a comma.

  • aws-role-arns: AWS Role ARNs to be used in the AssumeRole operation (assumed_role mode). Multiple values should be separated by a comma.

If you don't have a configured AWS target yet, you can use the command with target server connection parameters:

akeyless gateway-create-producer-aws \
--name <secret name> \
--gateway-url 'https://<Your-Akeyless-GW-URL>:8000' \
--aws-access-mode <iam_user|assumed_role> \
--aws-user-policies <Policy ARN> \
--aws-user-groups <UserGroup name> \
--aws-role-arns <AWS Role ARNs> \
--aws-access-key-id <Access ID> \
--aws-access-secret-key <Access Key> \
--aws-region <Region>

Where:

  • aws-access-key-id: The Access ID of the IAM user you created to authenticate Akeyless with AWS.

  • aws-access-secret-key: The Access Key of the IAM user you created to authenticate Akeyless with AWS.

  • aws-region: The AWS region that the temporary credentials are permitted to access.

You can find the complete list of parameters for this command in the CLI Reference - Akeyless Producers section.

Fetch a Dynamic AWS Secret value from the CLI

To fetch a dynamic AWS secret value from the CLI, run the following command:

akeyless get-dynamic-secret-value --name <Path to your dynamic secret>
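The command above prints the generated credentials; what a client does next is hand them to the AWS CLI or SDK for the lifetime of the TTL. The following Python helper is an added example (not code from the Akeyless page or product) that does this for both access modes. It assumes the command prints JSON with the fields access_key_id, secret_access_key, security_token (assumed_role only) and ttl_in_minutes; check these names against what your gateway actually returns. The sample outputs embedded in the script are constructed.

```python
"""Load `akeyless get-dynamic-secret-value` output into AWS environment variables.

Added example, not Akeyless code. Assumed output format: JSON with
access_key_id, secret_access_key, security_token (assumed_role only) and
ttl_in_minutes. The sample outputs below are constructed.
"""
import json
import subprocess
from datetime import datetime, timedelta, timezone

DEFAULT_MARGIN = timedelta(minutes=2)  # refresh this long before the TTL runs out

# Constructed sample outputs, one per access mode (assumed field names).
SAMPLE_IAM_USER = json.dumps({
    "access_key_id": "AKIAEXAMPLE0IAMUSER0",
    "secret_access_key": "constructed-secret-key",
    "id": "tmp.p-example.akeyless",
    "user": "tmp.p-example.akeyless",
    "ttl_in_minutes": "60",
})
SAMPLE_ASSUMED_ROLE = json.dumps({
    "access_key_id": "ASIAEXAMPLE0ASSUMED0",
    "secret_access_key": "constructed-secret-key",
    "security_token": "constructed-session-token",
    "ttl_in_minutes": "15",
})


def missing_session_token(secret):
    """AWS temporary (STS) access key IDs start with ASIA and are rejected without
    their session token, so an assumed_role result lacking one is unusable."""
    return secret["access_key_id"].startswith("ASIA") and not secret.get("security_token")


def parse_dynamic_secret(text, now=None):
    """Return (env, expires_at) for the JSON printed by the CLI."""
    secret = json.loads(text)
    if missing_session_token(secret):
        raise ValueError("assumed_role credentials returned without a session token")
    env = {
        "AWS_ACCESS_KEY_ID": secret["access_key_id"],
        "AWS_SECRET_ACCESS_KEY": secret["secret_access_key"],
    }
    if secret.get("security_token"):
        env["AWS_SESSION_TOKEN"] = secret["security_token"]  # assumed_role mode only
    now = now or datetime.now(timezone.utc)
    expires_at = now + timedelta(minutes=int(secret["ttl_in_minutes"]))
    return env, expires_at


def needs_refresh(expires_at, now=None, margin=DEFAULT_MARGIN):
    """True when the credentials expire within `margin`: in iam_user mode the
    temporary user goes away, in assumed_role mode the STS session simply ends."""
    return (now or datetime.now(timezone.utc)) + margin >= expires_at


def fetch_dynamic_secret(name):
    """Run the fetch command from this page and parse its output."""
    proc = subprocess.run(["akeyless", "get-dynamic-secret-value", "--name", name],
                          check=True, capture_output=True, text=True)
    return parse_dynamic_secret(proc.stdout)


if __name__ == "__main__":
    import os
    import sys
    env, expires_at = fetch_dynamic_secret(sys.argv[1])
    # Pass the credentials to a child process rather than writing ~/.aws/credentials,
    # so nothing outlives the TTL on disk.
    subprocess.run(["aws", "sts", "get-caller-identity"],
                   env={**os.environ, **env}, check=True)
```

Keeping the credentials in the environment of a single child process, rather than in a credentials file, means there is nothing left to clean up when the TTL expires; the `needs_refresh` check is what a long-running job calls before each batch of AWS calls to decide whether to fetch the secret again.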

Create a Dynamic AWS Secret in the Akeyless Console

👍

Tip

To start working with dynamic secrets from the Akeyless Console, you need to configure the Gateway URL thus enabling communication between the Akeyless SaaS and the Akeyless Gateway.

To create dynamic secrets directly from the Akeyless Gateway, you can use the Gateway Configuration Manager.

  1. Log in to the Akeyless Console, and go to Secrets & Keys > New > Dynamic Secret.

  2. Select the AWS secret type and click Next.

  3. Define a Name of the dynamic secret, and specify the Location as a path to the virtual folder where you want to create the new dynamic secret, using slash / separators. If the folder does not exist, it will be created together with the dynamic secret.

  4. Define the remaining parameters as follows:

  • Delete Protection: When enabled, protects the secret from accidental deletion.

  • Target mode: In this section, you can either select an existing AWS Target or specify details of the target AWS server explicitly (e.g., if you are not authorized to create and access Targets in the Akeyless Console).

    • Use the Choose an existing target drop-down list to select the existing AWS Target.

    • Check the Explicitly specify target properties radio button to provide details of the target AWS Server on the next step of the wizard.

👍

Tip

We recommend using dynamic secrets together with targets. This saves repeating the AWS connection details in every secret. To enable this flow, you must ensure that the user responsible for creating dynamic secrets has permission to access or create targets.

  • Access Mode: Select the AWS access mode, either IAM User or Assume Role.

  • Policies: Provide the Policy ARN(s) to attach to the temporary user (IAM User mode). Multiple values should be separated by a comma.

  • Groups: Provide the UserGroup name(s) to add the temporary user to (IAM User mode). Multiple values should be separated by a comma.

  • Role ARNs: Provide the allowed AWS Role ARNs to be used in Assume Role mode.

  • User Programmatic Access: Check to enable an Access ID and Access Key for the AWS API, CLI, SDK.

  • User Console Access: Check to enable access to the AWS management console. (The returned object will include a username and password to connect to the AWS Management Console).

  • User TTL: Provide the time-to-live of the credentials the dynamic secret returns. When the TTL expires, the credentials stop working: in IAM User mode the temporary user is removed, and in Assume Role mode the STS session ends (subject to the 15 minute to 12 hour limits described above).

  • Time Unit: Select the time unit (seconds, minutes, hours) for the TTL value.

  • Gateway: Select the Gateway through which the dynamic secret will create users.

  • Protection key: To enable zero-Knowledge, select a key with a Customer Fragment. For more information about zero-Knowledge, see Implement Zero Knowledge

  5. If you checked the Explicitly specify target properties radio button, click Next.

  6. Provide details of the target AWS server:

  • Access Key ID: Specify the Access ID assigned to the IAM user you created to authenticate Akeyless with AWS.

  • Secret Access Key: Specify the Access Key assigned to the IAM user you created to authenticate Akeyless with AWS.

  • Region: Enter the AWS region that the temporary credentials are permitted to access.

  • Session Token: Required only if the credentials above are temporary security credentials retrieved via STS. Otherwise, leave it empty.

  7. Click Finish.

Fetch a Dynamic AWS Secret Value from the Akeyless Console

  1. Log in to the Akeyless Console, and go to Secrets & Keys.

  2. Browse to the folder where you created a dynamic secret.

  3. Select the secret and click Get Dynamic Secret button.
