Vaultx.Secrets.AWS (Vaultx v0.7.0)

View Source

Unified AWS secrets engine interface for HashiCorp Vault.

This module provides a comprehensive, enterprise-grade interface for the AWS secrets engine, offering dynamic and static credential management, configuration operations, and role management. It supports all AWS credential types with advanced security features and compliance capabilities.

Enterprise AWS Credential Management

  • Dynamic Credential Generation: IAM users, assumed roles, federation tokens, session tokens
  • Static Credential Management: Managed IAM user credentials with rotation
  • Configuration Management: Root credentials, lease settings, and rotation policies
  • Role Management: Dynamic and static role configuration with policy enforcement
  • Cross-Account Support: Multi-account AWS credential management
  • Security Compliance: Audit logging, least privilege, and policy validation

Supported Credential Types

Dynamic Credentials

  • IAM User: Temporary IAM users with attached policies and groups
  • Assumed Role: STS credentials via role assumption with session management
  • Federation Token: Federated user credentials with policy filtering
  • Session Token: Temporary session tokens with MFA support

Static Credentials

  • Static Roles: 1-to-1 mapping with existing IAM users
  • Automatic Rotation: Configurable rotation periods and policies
  • Cross-Account: Assume roles in target accounts for credential management

Configuration Examples

# Configure root AWS credentials
config = %{
  access_key: "AKIA...",
  secret_key: "...",
  region: "us-east-1"
}
{:ok, _} = AWS.configure_root(config)

# Create a dynamic role for assumed role credentials
role_config = %{
  credential_type: "assumed_role",
  role_arns: ["arn:aws:iam::123456789012:role/MyRole"],
  default_sts_ttl: "1h",
  max_sts_ttl: "12h"
}
{:ok, _} = AWS.create_role("my-role", role_config)

# Generate credentials
{:ok, creds} = AWS.generate_credentials("my-role")

API Compliance

Fully implements HashiCorp Vault AWS secrets engine:

Summary

Functions

configure_lease(config, opts \\ [])

Configure lease settings for the AWS secrets engine.

configure_root(config, opts \\ [])

Configure root AWS credentials for the secrets engine.

create_role(name, config, opts \\ [])

Create or update a dynamic role.

create_static_role(name, config, opts \\ [])

Create or update a static role.

delete_role(name, opts \\ [])

Delete a dynamic role.

delete_static_role(name, opts \\ [])

Delete a static role.

generate_credentials(name, opts \\ [])

Generate credentials for a dynamic role.

get_static_credentials(name, opts \\ [])

Get static credentials for a static role.

list_roles(opts \\ [])

List all configured dynamic roles.

list_static_roles(opts \\ [])

List all configured static roles.

read_lease_config(opts \\ [])

Read the current lease configuration.

read_role(name, opts \\ [])

Read a dynamic role configuration.

read_root_config(opts \\ [])

Read the current root configuration.

read_static_role(name, opts \\ [])

Read a static role configuration.

rotate_root(opts \\ [])

Rotate the root AWS credentials.

Functions

configure_lease(config, opts \\ [])

Configure lease settings for the AWS secrets engine.

Sets the default lease duration and maximum lease duration for generated credentials.

Parameters

  • config - Lease configuration with :lease and :lease_max
  • opts - Request options

Examples

config = %{
  lease: "30m",
  lease_max: "12h"
}
{:ok, _} = AWS.configure_lease(config)

configure_root(config, opts \\ [])

Configure root AWS credentials for the secrets engine.

Sets up the AWS access credentials that Vault will use to manage AWS resources. Supports both static credentials and Plugin Workload Identity Federation (WIF) for enhanced security.

Parameters

  • config - Root configuration parameters
  • opts - Request options including mount path

Examples

# Static credentials
config = %{
  access_key: "AKIA...",
  secret_key: "...",
  region: "us-east-1",
  max_retries: 3
}
{:ok, _} = AWS.configure_root(config)

# With custom endpoints
config = %{
  access_key: "AKIA...",
  secret_key: "...",
  region: "us-gov-west-1",
  iam_endpoint: "https://iam.us-gov.amazonaws.com",
  sts_endpoint: "https://sts.us-gov-west-1.amazonaws.com"
}

create_role(name, config, opts \\ [])

Create or update a dynamic role.

Configures a role that can be used to generate AWS credentials. The role defines the type of credentials to generate and the associated policies and constraints.

Parameters

  • name - Role name
  • config - Role configuration
  • opts - Request options

Examples

# IAM User role
config = %{
  credential_type: "iam_user",
  policy_document: "{"Version": "2012-10-17", ...}",
  iam_groups: ["developers"]
}
{:ok, _} = AWS.create_role("dev-role", config)

# Assumed Role
config = %{
  credential_type: "assumed_role",
  role_arns: ["arn:aws:iam::123456789012:role/MyRole"],
  default_sts_ttl: "1h",
  max_sts_ttl: "12h"
}
{:ok, _} = AWS.create_role("assume-role", config)

create_static_role(name, config, opts \\ [])

Create or update a static role.

Static roles provide 1-to-1 mapping with existing IAM users and enable automatic credential rotation.

Parameters

  • name - Static role name
  • config - Static role configuration
  • opts - Request options

Examples

config = %{
  username: "existing-iam-user",
  rotation_period: "24h"
}
{:ok, result} = AWS.create_static_role("my-static-role", config)

delete_role(name, opts \\ [])

Delete a dynamic role.

Examples

:ok = AWS.delete_role("old-role")

delete_static_role(name, opts \\ [])

Delete a static role.

Examples

:ok = AWS.delete_static_role("old-static-role")

generate_credentials(name, opts \\ [])

Generate credentials for a dynamic role.

Delegates to the Credentials module for actual credential generation.

Examples

{:ok, creds} = AWS.generate_credentials("my-role")
%{
  access_key: "AKIA...",
  secret_key: "...",
  session_token: nil,
  arn: "arn:aws:iam::123456789012:user/vault-user-...",
  expiration: nil
}

get_static_credentials(name, opts \\ [])

Get static credentials for a static role.

Delegates to the Credentials module for actual credential retrieval.

Examples

{:ok, creds} = AWS.get_static_credentials("my-static-role")
%{
  access_key: "AKIA...",
  secret_key: "...",
  expiration: "2025-08-30T23:59:59Z"
}

list_roles(opts \\ [])

List all configured dynamic roles.

Examples

{:ok, roles} = AWS.list_roles()
["dev-role", "prod-role", "assume-role"]

list_static_roles(opts \\ [])

List all configured static roles.

Examples

{:ok, roles} = AWS.list_static_roles()
["static-role-1", "static-role-2"]

read_lease_config(opts \\ [])

Read the current lease configuration.

Examples

{:ok, config} = AWS.read_lease_config()
%{
  lease: "30m0s",
  lease_max: "12h0m0s"
}

read_role(name, opts \\ [])

Read a dynamic role configuration.

Examples

{:ok, config} = AWS.read_role("my-role")
%{
  credential_type: "assumed_role",
  role_arns: ["arn:aws:iam::123456789012:role/MyRole"],
  policy_arns: [],
  iam_groups: []
}

read_root_config(opts \\ [])

Read the current root configuration.

Returns the non-sensitive parts of the root configuration. The secret_key is never returned for security reasons.

Examples

{:ok, config} = AWS.read_root_config()
%{
  "access_key" => "AKIA...",
  "region" => "us-east-1",
  "max_retries" => -1
}

read_static_role(name, opts \\ [])

Read a static role configuration.

Examples

{:ok, config} = AWS.read_static_role("my-static-role")
%{
  username: "existing-iam-user",
  rotation_period: "24h"
}

rotate_root(opts \\ [])

Rotate the root AWS credentials.

Generates a new access key for the IAM user and updates Vault's configuration to use the new credentials. The old access key is automatically deleted.

Examples

{:ok, result} = AWS.rotate_root()
%{"access_key" => "AKIA..."}