Auth Backend Login Args
Logs into a Vault server using an AWS auth backend. Login can be accomplished using a signed identity request from IAM or using EC2 instance metadata. For more information, see the [Vault documentation](https://www.vaultproject.io/docs/auth/aws.html).
Example Usage

The example below mounts the AWS auth backend, configures its client credentials, defines an EC2-bound role, and then logs in with an EC2 identity document and its signature. The login resource reads the mount path from the `aws` backend resource, so all four resources refer to the same mount.

```yaml
resources:
  aws:
    type: vault:AuthBackend
    properties:
      type: aws
      path: aws
  example:
    type: vault:aws:AuthBackendClient
    properties:
      backend: ${aws.path}
      accessKey: '123456789012'
      secretKey: AWSSECRETKEYGOESHERE
  exampleAuthBackendRole:
    type: vault:aws:AuthBackendRole
    name: example
    properties:
      backend: ${aws.path}
      role: test-role
      authType: ec2
      boundAmiId: ami-8c1be5f6
      boundAccountId: '123456789012'
      boundVpcId: vpc-b61106d4
      boundSubnetId: vpc-133128f1
      boundIamInstanceProfileArns:
        - arn:aws:iam::123456789012:instance-profile/MyProfile
      ttl: 60
      maxTtl: 120
      tokenPolicies:
        - default
        - dev
        - prod
    options:
      dependsOn:
        - ${example}
  exampleAuthBackendLogin:
    type: vault:aws:AuthBackendLogin
    name: example
    properties:
      backend: ${aws.path}
      role: ${exampleAuthBackendRole.role}
      identity: BASE64ENCODEDIDENTITYDOCUMENT
      signature: BASE64ENCODEDSHA256IDENTITYDOCUMENTSIGNATURE
```

Constructors
Properties

The following inputs carry the signed `sts:GetCallerIdentity` request used for the IAM login method, plus the nonce used by the EC2 login method:

- `iamHttpRequestMethod`: The HTTP method used in the signed IAM request.
- `iamRequestBody`: The base64-encoded body of the signed request.
- `iamRequestHeaders`: The base64-encoded, JSON-serialized representation of the GetCallerIdentity HTTP request headers.
- `iamRequestUrl`: The base64-encoded HTTP URL used in the signed request.
- `nonce`: The unique nonce to be used for login requests. It can be set to a user-specified value, or it will contain the server-generated value once a token is issued. EC2 instances can only acquire a single token until the whitelist is tidied again unless they keep track of this nonce.
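The four IAM login inputs listed above are the pieces of a SigV4-signed `sts:GetCallerIdentity` request, base64-encoded so that Vault can replay the request to STS and learn which principal signed it. The following script is an added example, not code from the Pulumi provider or the Vault project: it signs that request with the Python standard library (no botocore) and packages the method, URL, body and headers exactly as the `iamHttpRequestMethod`, `iamRequestUrl`, `iamRequestBody` and `iamRequestHeaders` inputs expect them. The credentials, role name and timestamp are constructed placeholders; the optional `X-Vault-AWS-IAM-Server-ID` header is a real Vault header that the page itself does not mention, and the `server_id` parameter that sets it is this example's own name.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Fixed parts of the request Vault replays against STS. us-east-1 is the
# region of the global STS endpoint used here.
STS_HOST = "sts.amazonaws.com"
STS_URL = f"https://{STS_HOST}/"
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"
REGION = "us-east-1"
SERVICE = "sts"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _sigv4_signing_key(secret_key: str, date_stamp: str) -> bytes:
    # SigV4 key derivation: AWS4+secret -> date -> region -> service -> aws4_request
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, REGION)
    k_service = _hmac(k_region, SERVICE)
    return _hmac(k_service, "aws4_request")


def sign_get_caller_identity(access_key, secret_key, when, session_token=None, server_id=None):
    """Return the headers of a SigV4-signed POST GetCallerIdentity request."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
        "Host": STS_HOST,
        "X-Amz-Date": amz_date,
    }
    if session_token:  # temporary credentials must also present their token
        headers["X-Amz-Security-Token"] = session_token
    if server_id:  # bound by the role's iam_server_id_header_value; limits replay to one Vault
        headers["X-Vault-AWS-IAM-Server-ID"] = server_id

    # Canonical headers: lowercase names, trimmed values, sorted by name,
    # each terminated by a newline; the signed-header list names the same set.
    canonical = sorted((k.lower(), v.strip()) for k, v in headers.items())
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in canonical)
    signed_headers = ";".join(k for k, _ in canonical)
    payload_hash = hashlib.sha256(STS_BODY.encode("utf-8")).hexdigest()
    canonical_request = "\n".join(
        ["POST", "/", "", canonical_headers, signed_headers, payload_hash]
    )
    scope = f"{date_stamp}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(
        _sigv4_signing_key(secret_key, date_stamp),
        string_to_sign.encode("utf-8"),
        hashlib.sha256,
    ).hexdigest()
    headers["Authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


def _b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def vault_iam_login_args(role, access_key, secret_key, when=None, session_token=None, server_id=None):
    """Build the IAM-method login payload (snake_case keys as Vault's API names them)."""
    when = when or datetime.now(timezone.utc)
    headers = sign_get_caller_identity(access_key, secret_key, when, session_token, server_id)
    # Vault accepts the header map JSON-serialized; list values match Go's http.Header shape.
    return {
        "role": role,
        "iam_http_request_method": "POST",
        "iam_request_url": _b64(STS_URL),
        "iam_request_body": _b64(STS_BODY),
        "iam_request_headers": _b64(json.dumps({k: [v] for k, v in headers.items()})),
    }


def decode_iam_login_args(args):
    """Reverse the encoding, i.e. what Vault sees before it replays the request."""
    return {
        "method": args["iam_http_request_method"],
        "url": base64.b64decode(args["iam_request_url"]).decode("utf-8"),
        "body": base64.b64decode(args["iam_request_body"]).decode("utf-8"),
        "headers": json.loads(base64.b64decode(args["iam_request_headers"])),
    }


if __name__ == "__main__":
    # Constructed placeholder credentials (the AWS documentation example pair).
    args = vault_iam_login_args("test-role", "AKIAIOSFODNN7EXAMPLE",
                                "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")
    print(json.dumps(decode_iam_login_args(args), indent=2))
```

The values in the returned dictionary map one-to-one onto the Pulumi inputs (`iamHttpRequestMethod`, `iamRequestUrl`, `iamRequestBody`, `iamRequestHeaders`), with `role` supplying the role to log in against. Because the signature covers `X-Amz-Date`, a captured payload is only useful within STS's clock-skew window, and setting `server_id` to the value the role pins ties the signed request to a single Vault cluster.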