hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Support AWS IAM Roles Anywhere for AWS Secrets Engine #16268

Open omelnyk1 opened 2 years ago

omelnyk1 commented 2 years ago

Is your feature request related to a problem? Please describe.
Recently Amazon introduced IAM Roles Anywhere for workloads outside of AWS. It could solve the problem when we have HashiCorp Vault deployed on-prem with the AWS secrets engine and authenticate using certificates (we have our own internal PKI) instead of generating static credentials (access and secret keys).

Describe the solution you'd like
According to the documentation (step 2) in https://www.vaultproject.io/docs/secrets/aws#setup we should generate and provide the IAM credentials (access and secret keys). It would be nice to have an alternative option to use certificates. Please find an example of getting credentials described here.

Describe alternatives you've considered
Use aws_signing_helper to get credentials on the host: https://aws.amazon.com/blogs/security/extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere/

jpoley commented 2 years ago

It would also help if Vault were deployed in another cloud as well, being able to give out STS temp credentials in a secure way (across clouds) without needing static AWS Keys.

andreluiznsilva commented 1 year ago

That's my case. We have Vault deployed on Azure. The only way to use it to generate AWS tokens would be providing static user credentials with enough permission to assume roles and generate the temporary credentials, but creating static users is prohibited by company policies. IAM Roles Anywhere could solve this problem as only a certificate would need to be stored.