Open jasonmcintosh opened 6 years ago
@jasonmcintosh you can work around it using vault_mount, but then you can't set other cool things like the lease.
We've more and more had to use the vault_generic_secret as it lets you pass arbitrary JSON to any given path. It's not ideal, but works better than many of the other options.
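For the vault_mount and vault_generic_secret workarounds mentioned in the two comments above, here is an added example (not code from this issue or from the provider) of configuring the AWS secrets engine without passing an access_key/secret_key, so that Vault falls back to its AWS credential chain (environment, shared profile, or the EC2 instance profile it runs under), while still setting the lease and a role. It is written in Terraform 0.12+ syntax and assumes terraform-provider-vault 2.x; the mount path, region, lease durations, role name and S3 bucket are made-up values.

```hcl
# Added example, not the issue's or the provider's code. Mount the AWS secrets
# engine with vault_mount and write its config paths with vault_generic_secret,
# so no static AWS credential ever lands in Terraform state or config.
# The mount path, region, lease durations, role name and bucket are assumptions.

resource "vault_mount" "aws" {
  path        = "aws/prod/myaccount"   # assumed path
  type        = "aws"
  description = "AWS secrets engine using the Vault server's instance profile"
}

# config/root accepts access_key/secret_key but does not require them; leaving
# them out is what makes Vault pick up the instance role.
resource "vault_generic_secret" "aws_root" {
  path = "${vault_mount.aws.path}/config/root"

  data_json = jsonencode({
    region = "us-east-1"   # assumed region
  })

  # Older Vault versions refuse to read config/root back, which would make the
  # provider's post-write read fail, so skip that read.
  disable_read = true
}

# The lease settings that a bare vault_mount cannot express.
resource "vault_generic_secret" "aws_lease" {
  path = "${vault_mount.aws.path}/config/lease"

  data_json = jsonencode({
    lease     = "1h"
    lease_max = "24h"
  })

  disable_read = true
}

# A role so the mount can actually issue credentials, scoped to the least
# privilege the consuming workload needs (here: read-only access to one bucket).
resource "vault_aws_secret_backend_role" "s3_reader" {
  backend         = vault_mount.aws.path
  name            = "s3-reader"          # assumed role name
  credential_type = "iam_user"

  policy_document = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:GetObject", "s3:ListBucket"]
      Resource = [
        "arn:aws:s3:::example-bucket",     # assumed bucket
        "arn:aws:s3:::example-bucket/*",
      ]
    }]
  })
}
```

Two things to check before relying on this: the Terraform run must itself reach Vault with a token allowed to write under the mount's config/ paths, and the IAM role attached to the Vault server's instance profile must hold the IAM/STS permissions for the credential_type chosen (for iam_user, the ability to create users, attach inline policies and create access keys), otherwise the mount configures fine but credential issuance fails.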
Is it not possible to just remove the requirements on these variables and update the documentation so that it states you need to set them if you're not using IAM Instance Roles/Profiles?
AIUI, AWS "best practice" is to use IAM instance roles/profiles as opposed to dedicated credentials, so this appears to be at odds with that approach.
I just faced the same issue and for some reason I tried this:

  resource "vault_aws_secret_backend" "aws-sts" {
    access_key = ""
    secret_key = ""
  }

Guess what. It worked. It picked up the IAM instance role. Here are the versions:

  terraform -v
  Terraform v0.11.14

  provider "vault" {
    version = "~> 2.1"
  }
@kruttik-lab49 coming back to this, can you share some of the other parts of your code please?
I can get the AWS plugin to initialise without passing the creds, but I can't get the IAM auth to actually issue new creds.
Trying to set up a new backend fails unless you specify a specific user access/secret key:
However, you can ignore this and use IAM instance profiles if you go against vault directly:

  vault secrets enable aws -path aws/prod/myaccount