Dynamically Generated AWS Credentials
This module uses the AWS secrets engine of the Vault instance in the Kubernetes cluster to provision an IAM user and an access key pair for it. The credentials are rotated periodically based on credential_lifetime_hours, but no other security controls are applied (unlike kube_sa_auth_aws). The result is a static access key stored in a Kubernetes Secret: anyone who can read that Secret can use the credentials until they expire, so scope the attached policy tightly and restrict RBAC on the namespace the Secret lives in. Prefer kube_sa_auth_aws where a workload can use it.
Usage
This module will create an IAM user. The user receives the permissions provided by iam_policy_json (an inline policy) and/or iam_policy_arns (existing IAM policies to attach); both may be specified together.
The generated credentials are stored in the Kubernetes Secret named by the creds_secret output. A new key pair is generated every credential_lifetime_hours / 2, and each pair stays valid for credential_lifetime_hours, so the Secret always holds a pair with at least half its lifetime remaining. Workloads that read the Secret only at start (for example via environment variables, as in the example below) keep using the old pair until they restart or re-read the Secret, so restart them at least every credential_lifetime_hours / 2 hours to avoid running with expired credentials.
This secret will contain two values:
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
As an example:
data "aws_iam_policy_document" "permissions" {
  statement {
    ...
  }
}

module "user" {
  source = "${var.pf_module_source}kube_aws_creds${var.pf_module_ref}"
  ...
  iam_policy_json = data.aws_iam_policy_document.permissions.json
  namespace       = var.namespace
}

module "deployment" {
  source = "${var.pf_module_source}kube_deployment${var.pf_module_ref}"
  ...
  namespace = local.namespace
  common_env_from_secrets = {
    AWS_ACCESS_KEY_ID = {
      secret_name = module.user.creds_secret
      key         = "AWS_ACCESS_KEY_ID"
    }
    AWS_SECRET_ACCESS_KEY = {
      secret_name = module.user.creds_secret
      key         = "AWS_SECRET_ACCESS_KEY"
    }
  }
}
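Because the module attaches whatever policy document it is given and applies no other controls, it is worth linting the rendered JSON before it reaches iam_policy_json. The following check is an added example written for this page and is not part of the module or of Panfactum; the sample policies and the RESOURCE_STAR_OK allowlist are constructed for illustration and should be adjusted for your own account.

```python
"""Flag Allow statements in an IAM policy document that are broader than one
workload's IAM user should get. Input is the rendered JSON string that would be
passed to the module's iam_policy_json input (for example the output of
terraform output -raw, or the .json attribute of aws_iam_policy_document)."""
import json

# Actions that are not resource-scoped and legitimately need Resource "*".
# Constructed allowlist for this example; extend it for your own account.
RESOURCE_STAR_OK = {
    "s3:ListAllMyBuckets",
    "sts:GetCallerIdentity",
    "ec2:DescribeInstances",
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json):
    """Return a list of findings; an empty list means the document passed."""
    doc = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        sid = stmt.get("Sid") or f"Statement[{idx}]"
        if stmt.get("Effect", "Allow") != "Allow":
            continue  # Deny statements only narrow the grant
        # NotAction / NotResource invert the match and are almost always wider
        # than intended for a single-purpose user.
        if "NotAction" in stmt:
            findings.append(f"{sid}: NotAction allows every action except those listed")
        if "NotResource" in stmt:
            findings.append(f"{sid}: NotResource allows every resource except those listed")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
        # Resource "*" is only acceptable when every action is non-resource-scoped.
        if "*" in resources and not (actions and all(a in RESOURCE_STAR_OK for a in actions)):
            findings.append(f"{sid}: Resource '*' on resource-scoped actions")
    return findings


# Constructed sample documents: a tightly scoped read-only grant, and the kind
# of policy that should never be handed to a static-key IAM user.
GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadReports",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
    }],
})

BAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TooBroad",
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": "*",
    }],
})


if __name__ == "__main__":
    for name, policy in (("GOOD_POLICY", GOOD_POLICY), ("BAD_POLICY", BAD_POLICY)):
        result = lint_policy(policy)
        print(f"{name}: {'ok' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

Run it in CI against the rendered policy before apply, and fail the pipeline on any finding; a wildcard that is genuinely needed should be an explicit, reviewed exception rather than a silent default.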
Providers
The following providers are needed by this module:
Required Inputs
The following input variables are required:
namespace
Description: The namespace that the Kubernetes Secret containing the user credentials will be provisioned within.
Type: string
Optional Inputs
The following input variables are optional (have default values):
credential_lifetime_hours
Description: The number of hours that provisioned credentials remain valid. A new key pair is generated and written to the Secret every credential_lifetime_hours / 2, so the previous pair stays usable for half its lifetime after rotation.
Type: number
Default: 16
iam_policy_arns
Description: ARNs of IAM policies to attach to the generated user.
Type: list(string)
Default: []
iam_policy_json
Description: An IAM policy document in rendered JSON string form.
Type: string
Default: null
Outputs
The following outputs are exported:
creds_secret
Description: The name of the Kubernetes Secret holding credentials for the IAM user
Maintainer Notes
No notes.