You can define an AWS dynamic secret to dynamically generate AWS access credentials based on IAM policies. You can create dynamic access credentials for AWS in two modes:
-
iam_user mode: When a client requests the dynamic secret value, a temporary IAM user is created for the requested AWS account, and an access key is returned for the client. Although the temporary IAM user's access can be revoked at any time, temporary IAM users can only be created with access to one AWS account. If you have multiple AWS accounts, you will need to define a separate dynamic secret for each account.
-
assumed_role mode: When a client requests the dynamic secret value, an AssumeRole operation is performed to return an access key, secret key, and session token. Although a single dynamic secret can assume roles for multiple accounts, due to AWS limitations, once access is granted, it cannot be revoked before its defined expiration time (a minimum of 15 minutes and a maximum of 12 hours).
Prerequsites
To define a dynamic secret for AWS, you first need to configure Akeyless to authenticate and communicate with AWS as follows:
This procedure requires privileged account credentials.
-
Create an AWS IAM user with privileged administrator access.
-
Retrieve the access key ID and secret access key for the new AWS IAM user. These credentials are required to authenticate Akeyless with AWS.
- If you are using
iam_usermode, the minimum required policy for the user should include the following permissions:
- If you are using
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:DeleteAccessKey",
"iam:AttachUserPolicy",
"iam:DeleteUser",
"iam:ListUserPolicies",
"iam:CreateUser",
"iam:TagUser",
"iam:CreateAccessKey",
"iam:CreateLoginProfile",
"iam:RemoveUserFromGroup",
"iam:AddUserToGroup",
"iam:ListGroupsForUser",
"iam:ListAttachedUserPolicies",
"iam:DetachUserPolicy",
"iam:GetLoginProfile",
"iam:DeleteLoginProfile",
"iam:ListUserTags",
"iam:ListAccessKeys"
],
"Resource": "arn:aws:iam::516800367921:user/*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"iam:ListPolicies",
"iam:ListRoles",
"iam:ListUsers",
"iam:ListGroups"
],
"Resource": "*"
}
]
}
AWS IAM Tip
You can create a new user and attach the policy above for the purposes of authenticating with AWS.
- If you are using
assumed_rolemode, grant the user AssumeRole permissions to the requested IAM roles. For for more information see here.
Create a Dynamic Secret for AWS from the CLI
Let’s create a dynamic secret for AWS using the Akeyless CLI. If you’d prefer, see how to do this from the Akeyless API Gateway UI instead.
$ akeyless gateway-create-producer-aws -u <Your API GW URL > --name <secret name> \
--aws-access-key-id <id> \
--aws-access-secret-key <key> \
--aws-access-mode <iam_user|assumed_role> \
--aws-region <region> \
Create a Dynamic Secret for AWS from the Akeyless API Gateway UI
- In the Akeyless API Gateway UI, select Dynamic Secrets > New > AWS Producer.
- AWS distinguishes between access and authorization using different users, resource policies, and user groups. In order to perform an operation on a resource, the user must have been granted the appropriate permissions for that resource by way of either a policy or a user group. The AWS IAM docs outline the relevant policies and the permissions they grant.
Accordingly, complete the values in the producer dialog box in order to enable the relevant permissions and access to AWS resources when using the relevant dynamic key, as described in the following table:
Field | Description |
|---|---|
Producer Name | A unique name that describes the purpose or permissions scope of this dynamic secret. |
Location | The path in which to store this dynamic secret. |
Access Mode | The AWS access mode, either IAM User or Assume Role. |
Access Key ID | The access key ID assigned to the admin user you created to authenticate Akeyless with AWS. |
Secret Access Key | The secret access key assigned to the admin user you created to authenticate Akeyless with AWS. |
Region | The AWS region that the temporary credentials are permitted to access. |
Session Token | If you wish to grant temporary security credentials retrieved via the AWS security token service (STS), enter this token. Otherwise, it can be left empty. |
User Policies | All of the "user" fields in this dialog box are the fields in which you configure access and authorization in which you configure access to AWS for the users who can use the relevant dynamic key. Insert the individual Policy ARN(s) available for this producer. Multiple values should be separated by a comma. |
User Groups | All of the "user" fields in this dialog box are the fields in which you configure access and authorization in which you configure access to AWS for the users who can use the relevant dynamic key. Enter UserGroup name(s) that have authorization you'd like to give users of this dynamic key. Multiple values should be separated by a comma. |
Role ARNs | AWS Role ARNs to be use in the Assume Role operation (relevant only for Assume_Role mode). |
User Programmatic Access | All of the "user" fields in this dialog box are the fields in which you configure access and authorization in which you configure access to AWS for the users who can use the relevant dynamic key. Check to enable an access key ID and secret access key for the AWS API, CLI, SDK. |
User Console Access | All of the "user" fields in this dialog box are the fields in which you configure access and authorization in which you configure access to AWS for the users who can use the relevant dynamic key. Check to enable access to the AWS management console (enables a password that allows users to sign-in to the AWS Management Console). |
Encrypt dynamic secret with the following Key | To enable zero-trust, select a key with a Customer Fragment. For more information about zero-trust, see Zero Trust Encryption . |
Updated about a month ago