Vaultx.Secrets.AWS.Credentials (Vaultx v0.7.0)


AWS credential generation and management for the HashiCorp Vault AWS secrets engine.

This module provides comprehensive credential generation functionality for the AWS secrets engine, supporting all credential types, including IAM users, assumed roles, federation tokens, and session tokens. It implements enterprise-grade security practices and follows AWS best practices for credential management.

Credential Generation Capabilities

Dynamic Credential Types

  • IAM User Credentials: Temporary IAM users with attached policies
  • Assumed Role Credentials: STS credentials via role assumption
  • Federation Token Credentials: Federated user credentials with policies
  • Session Token Credentials: Temporary session tokens with MFA support

Static Credential Management

  • Static Role Credentials: Managed credentials for existing IAM users
  • Automatic Rotation: Configurable rotation periods
  • Cross-Account Access: Credentials across AWS accounts

Security Features

  • Least Privilege Access: Minimal required permissions
  • Time-Limited Credentials: Configurable TTL for all credential types
  • MFA Support: Multi-factor authentication for session tokens
  • Audit Trail: Complete credential generation logging
  • Policy Enforcement: Strict policy validation and application

API Compliance

Fully implements HashiCorp Vault AWS credential generation.

Usage Examples

# Generate dynamic credentials
{:ok, creds} = Credentials.generate("my-role", mount_path: "aws")

# Generate credentials with custom TTL
{:ok, creds} = Credentials.generate("my-role", ttl: "1h", mount_path: "aws")

# Generate assumed role credentials
{:ok, creds} = Credentials.generate("my-role",
  role_arn: "arn:aws:iam::123456789012:role/MyRole",
  role_session_name: "vault-session"
)

# Get static credentials
{:ok, static_creds} = Credentials.get_static("my-static-role")

Configuration

config :vaultx, :aws,
  mount_path: "aws",
  default_ttl: "1h",
  max_ttl: "24h"

Types

generate_opts()

@type generate_opts() :: [
  mount_path: String.t(),
  role_arn: String.t(),
  role_session_name: String.t(),
  ttl: String.t(),
  mfa_code: String.t(),
  timeout: pos_integer(),
  retry_attempts: non_neg_integer()
]

Credential generation options.

Functions

generate(role_name, opts \\ [])

Generate dynamic credentials for the specified role.

This function generates AWS credentials based on the role configuration. The type of credentials generated depends on the role's credential_type:

  • iam_user: Creates a temporary IAM user with attached policies
  • assumed_role: Generates STS credentials by assuming the specified role
  • federation_token: Creates federated user credentials
  • session_token: Generates temporary session tokens

Parameters

  • role_name - Name of the configured role
  • opts - Generation options (see generate_opts/0)

Returns

  • {:ok, credentials} - Successfully generated credentials
  • {:error, error} - Generation failed

Examples

# Basic credential generation
{:ok, creds} = Credentials.generate("my-role")
%{
  access_key: "AKIA...",
  secret_key: "...",
  session_token: nil,
  arn: "arn:aws:iam::123456789012:user/vault-user-...",
  expiration: nil
}

# Assumed role with custom session name
{:ok, creds} = Credentials.generate("assume-role",
  role_arn: "arn:aws:iam::123456789012:role/MyRole",
  role_session_name: "my-session",
  ttl: "2h"
)

get_static(role_name, opts \\ [])

Get static credentials for the specified static role.

Static roles provide managed credentials for existing IAM users with automatic rotation capabilities.

Parameters

  • role_name - Name of the configured static role
  • opts - Request options

Returns

  • {:ok, credentials} - Current static credentials
  • {:error, error} - Request failed

Examples

{:ok, creds} = Credentials.get_static("my-static-role")
%{
  access_key: "AKIA...",
  secret_key: "...",
  expiration: "2025-08-30T23:59:59Z"
}
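Both generate/2 and get_static/2 return a map whose expiration field tells the caller how long the credentials remain usable. The following caller-side cache is an added example, not part of Vaultx: it wraps either call, reuses the returned map while it is safely within its expiration, and re-fetches before the credentials stop working. The module name MyApp.AwsCredentialCache and the fetch_fun argument are assumptions for illustration.

```elixir
defmodule MyApp.AwsCredentialCache do
  # Hypothetical caller-side cache (not part of Vaultx). It holds the credential
  # map returned by Vaultx.Secrets.AWS.Credentials.generate/2 or get_static/2
  # and re-fetches it before the `expiration` field says it stops working.
  use Agent

  # Refresh this far ahead of the reported expiration so that in-flight AWS
  # calls never go out with a session token that expires mid-request.
  @refresh_margin_seconds 300

  # `fetch_fun` is any zero-arity function returning {:ok, creds} | {:error, e}, e.g.
  #   fn -> Credentials.generate("my-role", ttl: "1h", mount_path: "aws") end
  #   fn -> Credentials.get_static("my-static-role") end
  def start_link(fetch_fun, name \\ __MODULE__) when is_function(fetch_fun, 0) do
    Agent.start_link(fn -> %{fetch: fetch_fun, creds: nil} end, name: name)
  end

  # Returns cached credentials, fetching fresh ones when none are cached, when
  # they are within the refresh margin of expiring, or when the expiration
  # value cannot be parsed (an unparseable expiry is never trusted).
  def fetch(name \\ __MODULE__) do
    Agent.get_and_update(name, fn state ->
      if usable?(state.creds) do
        {{:ok, state.creds}, state}
      else
        case state.fetch.() do
          {:ok, creds} -> {{:ok, creds}, %{state | creds: creds}}
          # Do not hand out stale credentials on failure; surface the error.
          {:error, _} = err -> {err, state}
        end
      end
    end)
  end

  def usable?(nil), do: false
  # The iam_user example above carries no expiration; such credentials are
  # reused as returned until the cache is restarted or Vault revokes the lease.
  def usable?(%{expiration: nil}), do: true
  def usable?(%{expiration: exp}) when is_binary(exp) do
    case DateTime.from_iso8601(exp) do
      {:ok, expires_at, _utc_offset} ->
        DateTime.diff(expires_at, DateTime.utc_now()) > @refresh_margin_seconds
      {:error, _} -> false
    end
  end
  def usable?(_), do: false
end
```

Start it with, for example, MyApp.AwsCredentialCache.start_link(fn -> Credentials.get_static("my-static-role") end) and call MyApp.AwsCredentialCache.fetch/0 wherever AWS credentials are needed.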