In the last articles , I explained about Secrets engine and as of now what ever secrets I created were static. Vault also provides a feature to generate dynamic credentials.This is the subject of this article.
Few Secrets engine supports dynamic secrets where credentials need not to be stored at any place, they are generated when a user requests for it. Credentials are valid for a decided period of time ( default is 1 hour).You can manually revoke a lease as well.
Here I will demonstrate how to generate AWS credentials dynamically.For this you should have ab AWS account.Once you have created one, follow the below steps.
Login to vault console -- Enable new engine -- Select AWS type -- Leave everything as default and enable the engine.
Next step will be to configure a role which would be assumed whenever vault will generate credentials.For this login to AWS console and create role with desired access.
Next comes the configuration between vault and AWS account for which vault has to generate credentials.
For this create a new user in AWS account ("vaultuser") and give it administrator level access (just for the demo purpose and sake of simplicity). Give vautltuser programmatic access and generate it's AWS access key and secret key.
Once this is done. go back to the vault console and under configuration provide the keys.
After saving the credentials user will be able to generate dynamic AWS credentials
Next point to ponder upon is what happens on the back end ? How credentials are generated. The answer is simple, when a user requests for the credentials, a temporary user is created for a time period equal to the lease time.( This will be covered in more detail in the next article) and this user's credentials are given to the requester .
I hope things are clear. In the next article, we are going to talk about lease. Stay tuned. Happy Reading !!