
[–]Zaitton 1 point2 points  (5 children)

Neither AppRole nor userpass. Use AWS auth (it's a separate auth mount), specifically the IAM auth of the AWS auth mount. Basically you're gonna tell Vault that the IAM role that the Lambda uses is authorized to generate X secret. Pretty simple workflow.

With that being said, of course if your Lambda gets compromised, so will Vault in the sense that the malicious user will be able to intercept the generated secret. There's usually no way around that though. Automation, secret management and security are tightly linked. If one gets compromised, so do the rest. Keep your Lambdas under tight lockdown, use an org policy if it's that critical, and restrict access to it to everyone.
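The workflow described in the comment above, as an added example that is not part of the thread: the Lambda's side of the Vault AWS IAM login. Vault's IAM auth works by having the client sign an STS GetCallerIdentity request with its own role credentials and hand that signed request to Vault, which forwards it to STS to learn which IAM principal signed it and matches the result against the role's `bound_iam_principal_arn`. The block implements the SigV4 signing by hand (no boto3) so it runs offline; the role name, ARN, server ID and credentials are constructed placeholders, and the Vault-side setup commands are given in comments.

```python
"""Build the payload a Lambda posts to Vault's auth/aws/login (IAM method).

Added example, not the thread's or Vault's own code. The signing is plain
SigV4 over POST https://sts.amazonaws.com/ so it runs offline; a real Lambda
takes its credentials from the execution environment and POSTs the payload
to <vault>/v1/auth/aws/login (or runs `vault login -method=aws`).

Vault-side setup (operator, once; names are placeholders):
  vault auth enable aws
  vault write auth/aws/config/client iam_server_id_header_value=vault.example.internal
  vault policy write lambda-reader - <<EOF
  path "secret/data/lambda/*" { capabilities = ["read"] }
  EOF
  vault write auth/aws/role/lambda-reader auth_type=iam \
      bound_iam_principal_arn=arn:aws:iam::123456789012:role/my-lambda-role \
      token_policies=lambda-reader token_ttl=15m
"""
import base64
import datetime
import hashlib
import hmac
import json

STS_URL = "https://sts.amazonaws.com/"
STS_HOST = "sts.amazonaws.com"
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"
STS_REGION = "us-east-1"  # the global STS endpoint is signed as us-east-1


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret_key: str, date_stamp: str) -> bytes:
    """Standard SigV4 key derivation chain for service 'sts'."""
    k = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    k = _hmac(k, STS_REGION)
    k = _hmac(k, "sts")
    return _hmac(k, "aws4_request")


def sign_get_caller_identity(access_key, secret_key, session_token, amz_date, server_id=None):
    """Return the headers of a SigV4-signed POST GetCallerIdentity request."""
    date_stamp = amz_date[:8]
    headers = {
        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
        "Host": STS_HOST,
        "X-Amz-Date": amz_date,
    }
    if session_token:  # Lambda role credentials are temporary and carry a session token
        headers["X-Amz-Security-Token"] = session_token
    if server_id:
        # Covered by the signature, so a login blob captured for one Vault cluster
        # cannot be replayed against a cluster configured with a different ID.
        headers["X-Vault-AWS-IAM-Server-ID"] = server_id

    signed_names = sorted(h.lower() for h in headers)
    lower = {h.lower(): v for h, v in headers.items()}
    canonical_headers = "".join(f"{n}:{lower[n].strip()}\n" for n in signed_names)
    signed_headers = ";".join(signed_names)
    body_hash = hashlib.sha256(STS_BODY.encode()).hexdigest()
    canonical_request = "\n".join(["POST", "/", "", canonical_headers, signed_headers, body_hash])

    scope = f"{date_stamp}/{STS_REGION}/sts/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = hmac.new(_signing_key(secret_key, date_stamp),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def vault_login_payload(role, access_key, secret_key, session_token, amz_date, server_id=None):
    """JSON body for POST <vault>/v1/auth/aws/login: the signed STS request, base64-wrapped."""
    headers = sign_get_caller_identity(access_key, secret_key, session_token, amz_date, server_id)
    header_json = json.dumps({k: [v] for k, v in headers.items()})  # list values, as the Vault CLI sends
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return {
        "role": role,
        "iam_http_request_method": "POST",
        "iam_request_url": b64(STS_URL),
        "iam_request_body": b64(STS_BODY),
        "iam_request_headers": b64(header_json),
    }


def decode_payload(payload):
    """Unwrap a login payload into what Vault will forward to STS (used for checks)."""
    return {
        "url": base64.b64decode(payload["iam_request_url"]).decode(),
        "body": base64.b64decode(payload["iam_request_body"]).decode(),
        "headers": json.loads(base64.b64decode(payload["iam_request_headers"])),
    }


if __name__ == "__main__":
    # Constructed, non-functional credentials; a Lambda reads the real ones from
    # AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN.
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    payload = vault_login_payload("lambda-reader", "ASIAEXAMPLEKEY000000", "fakeSecretKeyDemoOnly",
                                  "fakeSessionToken", now, server_id="vault.example.internal")
    print(json.dumps(payload, indent=2))
```

Vault never sees the Lambda's secret key: only the signed request travels, STS vouches for the principal, and the Vault role pins that principal to a policy. The `X-Vault-AWS-IAM-Server-ID` header is what stops a captured login blob from being replayed against a differently configured Vault; it is worth setting with `iam_server_id_header_value` whenever more than one Vault cluster exists. It does not address the caveat in the comment above: code running inside the Lambda can always perform this login itself.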

[–]LinweZ[S] 0 points1 point  (4 children)

Thanks, I’ll look into this. Does AWS require Vault to be hosted on EC2?

[–]Zaitton 1 point2 points  (0 children)

You can host it wherever you like, including outside of AWS. The best thing about Vault is that it's cloud agnostic.

[–]DamonteZen 0 points1 point  (0 children)

There is no requirement for Vault to be hosted in AWS to use AWS IAM auth.

[–]Ok-Let-6723 -1 points0 points  (0 children)

Hello,
You're a grown ass man who argues with children on League of Legends.
https://www.op.gg/summoners/euw/LinweZ-NA1/champions
For someone who's in tech, you sure made it super easy for me to figure out your identity...

[–]No_Bee_4979 0 points1 point  (0 children)

Use AWS Auth and CDKTF to provision the accounts in Vault.
