HashiCorp Cloud Platform
AWS automatic secret rotation
HCP Vault Secrets allows you to create access keys for an existing AWS IAM user and automatically rotate them on a scheduled interval.
Prerequisites
- Ability to create AWS IAM identity providers, users, and roles
- Your AWS principal may use the managed IAMFullAccess policy or a custom policy for authorization
- Ability to create HCP Vault Secrets integrations, apps, and secrets
Set up AWS
HCP Vault Secrets is able to authenticate with your AWS account using two different methods. Each method requires AWS resources to provision auto-rotating credentials:
- OpenID Connect (OIDC) Federation (Recommended)
  - IAM OIDC identity provider
  - IAM role that HCP can assume through its web identity
  - IAM role with the permissions to grant to the generated dynamic credentials
- Access Keys
  - IAM user with an access key pair
  - IAM role with the permissions to grant to the generated dynamic credentials
Configure your AWS account using either the AWS console or Terraform.
Add identity provider
Navigate to the Add an Identity provider section in the AWS IAM service.
Select the OpenID connect provider type.
Use
https://idp.hashicorp.com/oidc/organization/<org-id>
as the provider URL, replacing the placeholder with your HCP organization ID.
Use
arn:aws:iam::<account-id>:oidc-provider/idp.hashicorp.com/oidc/organization/<org-id>
as the audience, replacing the placeholders with your AWS account ID and HCP organization ID.
Note
You can navigate to the AWS integration creation page on the HCP portal and select AWS STS credentials from the list to easily find the appropriate Provider URL and org ID.
Click Add provider.
Select the identity provider you just created and note its ARN and Audience for the next steps.
Create IAM role for integration
Navigate to the Create Role section in the AWS IAM service.
Select the Web Identity trust entity type.
Select the Identity provider and Audience created in the previous step from the dropdown and click Next.
This role needs the IAMFullAccess policy; select it and click Next.
Give the role a name and optionally a description and tags, then click Create role.
Select the role you just created and note its ARN for the next steps.
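The console steps above (identity provider, then a Web Identity role trusted by that provider and attached to IAMFullAccess) can be expressed as one Terraform configuration. The block below is an added example, not HashiCorp's documentation code or the HCP project's own module; the variable names, the default role name, the use of the `tls_certificate` data source for the provider thumbprint, and the output names are assumptions. The provider URL and audience follow the page exactly, and the trust policy restricts role assumption to tokens carrying that audience, which is the check AWS enforces when the integration calls `sts:AssumeRoleWithWebIdentity`.

```hcl
# Added example (not from the HCP documentation): provisions the OIDC identity
# provider and the integration role described above with Terraform.
# Assumed names: the variables below, the default role name, and the outputs.

variable "hcp_organization_id" {
  description = "HCP organization ID (placeholder, supply your own)"
  type        = string
}

variable "aws_account_id" {
  description = "AWS account ID that hosts the identity provider and role"
  type        = string
}

variable "role_name" {
  description = "Name of the IAM role HCP Vault Secrets assumes (assumed default)"
  type        = string
  default     = "hcp-vault-secrets-rotation"
}

locals {
  # Provider URL and audience in the form the documentation specifies.
  provider_url  = "https://idp.hashicorp.com/oidc/organization/${var.hcp_organization_id}"
  provider_host = "idp.hashicorp.com/oidc/organization/${var.hcp_organization_id}"
  audience      = "arn:aws:iam::${var.aws_account_id}:oidc-provider/${local.provider_host}"
}

# Read the IdP's TLS certificate chain so the provider thumbprint comes from
# the live endpoint instead of a hard-coded value (root certificate is first).
data "tls_certificate" "hcp_idp" {
  url = local.provider_url
}

# Step "Add identity provider": OIDC provider whose client ID is the audience.
resource "aws_iam_openid_connect_provider" "hcp" {
  url             = local.provider_url
  client_id_list  = [local.audience]
  thumbprint_list = [data.tls_certificate.hcp_idp.certificates[0].sha1_fingerprint]
}

# Trust policy for the Web Identity trust type: only tokens issued by this
# provider for this audience may assume the role.
data "aws_iam_policy_document" "trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.hcp.arn]
    }

    # AWS exposes the token's aud claim as "<provider host path>:aud".
    condition {
      test     = "StringEquals"
      variable = "${local.provider_host}:aud"
      values   = [local.audience]
    }
  }
}

# Step "Create IAM role for integration".
resource "aws_iam_role" "hcp_integration" {
  name               = var.role_name
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

# The documentation attaches the managed IAMFullAccess policy to this role.
resource "aws_iam_role_policy_attachment" "iam_full_access" {
  role       = aws_iam_role.hcp_integration.name
  policy_arn = "arn:aws:iam::aws:policy/IAMFullAccess"
}

# Values the next steps ask you to note: provider ARN, audience, and role ARN.
output "identity_provider_arn" {
  value = aws_iam_openid_connect_provider.hcp.arn
}

output "audience" {
  value = local.audience
}

output "integration_role_arn" {
  value = aws_iam_role.hcp_integration.arn
}
```

After `terraform apply`, the three outputs are the values the console procedure tells you to record for the HCP Vault Secrets integration form. The `StringEquals` condition on the `aud` claim is what keeps the role from being assumable with a token minted for a different audience, so review it (and the policy attached to the role) if you later replace IAMFullAccess with a narrower custom policy, as the prerequisites allow.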