AWS automatic secret rotation
Plus tier
This feature is available in the HCP Vault Secrets Plus tier.
HCP Vault Secrets can create access keys for an existing AWS IAM user and rotate them automatically on a scheduled interval.
Prerequisites
- Ability to create AWS IAM identity providers, users, and roles
- An AWS principal for HCP Vault Secrets to use, authorized with either the managed IAMFullAccess policy or a custom policy
- Ability to create HCP Vault Secrets integrations, apps, and secrets
Set up AWS
HCP Vault Secrets can authenticate to your AWS account using one of two methods. Each method requires the following AWS resources to provision auto-rotating credentials:
- OpenID Connect (OIDC) Federation (Recommended)
  - IAM OIDC identity provider
  - IAM role that HCP can assume through its web identity
  - IAM role with the permissions to grant to the generated dynamic credentials
- Access Keys
  - IAM user with an access key pair
  - IAM role with the permissions to grant to the generated dynamic credentials
Configure your AWS account using either the AWS console or Terraform.
Add identity provider
Navigate to the Add an Identity provider section in the AWS IAM service.
Select the OpenID connect provider type.
Use https://idp.hashicorp.com/oidc/organization/<org-id> as the provider URL, replacing the placeholder with your HCP organization ID.
Use arn:aws:iam::<account-id>:oidc-provider/idp.hashicorp.com/oidc/organization/<org-id> as the audience, replacing the placeholders with your AWS account ID and HCP organization ID.
Note
You can navigate to the AWS integration creation page on the HCP portal and select AWS STS credentials from the list to find the appropriate provider URL and organization ID.
Click Add provider.
Select the identity provider you just created and note its ARN and Audience for the next steps.
Create IAM user/role for integration
Create IAM role for integration (OIDC federation)
Navigate to the Create Role section in the AWS IAM service.
Select the Web Identity trust entity type.
Select the identity provider and audience created in the previous step from the dropdowns and click Next.
Attach the IAMFullAccess managed policy (or the custom policy you prepared as a prerequisite) to this role, then click Next.
Give the role a name and optionally a description and tags, then click Create role.
Select the role you just created and note its ARN for the next steps.
Warning
Be cautious with the AWS access key and secret access key while they are in transit to HCP Vault Secrets. These credentials grant access to your AWS account and do not expire automatically.
Create a target AWS User
Go to IAM Users and click Create user.
Enter the username of the IAM user whose access keys you want rotated and click Next.
This user does not need any permissions of its own; click Next.
Click Create user. This is the IAM user whose access keys HCP Vault Secrets will create and rotate.
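The same AWS setup, written as Terraform for the recommended OIDC federation method. This is an added example for this page, not HashiCorp's own module: the variable names, the role and user names, and the use of the hashicorp/tls provider to compute the identity provider's certificate thumbprint are assumptions. The provider URL, the audience value (the ARN of the OIDC provider itself), the IAMFullAccess attachment and the permissionless target user follow the console steps above.

```hcl
# Added example (not HashiCorp's code): Terraform equivalent of the console steps
# for the OIDC federation method. Hypothetical: variable names, the role name,
# the default user name, and the tls_certificate thumbprint lookup.

terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
    tls = { source = "hashicorp/tls" }
  }
}

variable "hcp_org_id" {
  description = "HCP organization ID (shown on the AWS integration page in the HCP portal)"
  type        = string
}

variable "target_user_name" {
  description = "IAM user whose access keys HCP Vault Secrets will create and rotate"
  type        = string
  default     = "hcp-vault-secrets-rotated-user" # hypothetical name
}

data "aws_caller_identity" "current" {}

locals {
  # Provider URL without the scheme. AWS uses this string as the provider
  # identifier and as the prefix of the trust-policy condition keys ("<host>:aud").
  hcp_idp_host = "idp.hashicorp.com/oidc/organization/${var.hcp_org_id}"
  hcp_idp_url  = "https://${local.hcp_idp_host}"
  # The audience the page prescribes: the ARN of the OIDC provider itself.
  hcp_audience = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.hcp_idp_host}"
}

# Certificate chain of the HCP IdP endpoint; the root of the chain is first.
data "tls_certificate" "hcp_idp" {
  url = local.hcp_idp_url
}

# Step "Add identity provider".
resource "aws_iam_openid_connect_provider" "hcp" {
  url             = local.hcp_idp_url
  client_id_list  = [local.hcp_audience]
  thumbprint_list = [data.tls_certificate.hcp_idp.certificates[0].sha1_fingerprint]
}

# Trust policy for step "Create IAM role for integration": only web identity
# tokens issued by the HCP IdP for this provider's audience may assume the role.
data "aws_iam_policy_document" "hcp_assume" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.hcp.arn]
    }

    condition {
      test     = "StringEquals"
      variable = "${local.hcp_idp_host}:aud"
      values   = [local.hcp_audience]
    }
  }
}

resource "aws_iam_role" "hcp_vault_secrets" {
  name               = "hcp-vault-secrets-aws-rotation" # hypothetical name
  description        = "Assumed by HCP Vault Secrets to rotate IAM user access keys"
  assume_role_policy = data.aws_iam_policy_document.hcp_assume.json
}

# The permission set the page uses: the managed IAMFullAccess policy.
resource "aws_iam_role_policy_attachment" "iam_full_access" {
  role       = aws_iam_role.hcp_vault_secrets.name
  policy_arn = "arn:aws:iam::aws:policy/IAMFullAccess"
}

# Step "Create a target AWS User": no permissions and no access key of its own;
# HCP Vault Secrets generates and rotates the keys.
resource "aws_iam_user" "rotation_target" {
  name = var.target_user_name
}

# Values to enter in the HCP integration and rotating-secret forms.
output "hcp_integration_role_arn" {
  value = aws_iam_role.hcp_vault_secrets.arn
}

output "rotation_target_user_name" {
  value = aws_iam_user.rotation_target.name
}
```

The aud condition reproduces what the console's Web Identity trust entity adds; it ensures a token minted by the HCP IdP for some other relying party cannot assume this role. The prerequisites allow a custom policy in place of IAMFullAccess; if you choose one, scope its Resource to aws_iam_user.rotation_target.arn and confirm the required IAM actions against HCP's behaviour (for example from CloudTrail) rather than guessing, since the page does not enumerate them.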
Configure a rotating secret
Navigate to the Vault Secrets app panel and select an app where you want to create a rotating secret.
Click Create new secret and select Auto-rotating secret.
Select the AWS option from the drop-down menu.
Select an existing integration or click Add new integration.
Select an Authentication method and follow the appropriate steps below.
Add a new rotating secret
Provide a new Secret Name for this secret.
Enter the username of the IAM user created in the previous section.
Rotation period
At most two versions of an auto-rotating AWS credential are active at a time. To ensure that applications always hold an active secret, they should fetch the latest version at least once per rotation period.
An application that consumes several rotating secrets should fetch them at least as often as the shortest rotation period among them.
Note
If an auto-rotating secret is rotated manually, applications consuming it should fetch the latest version right away, since the manual rotation retires the older active version ahead of its scheduled time.