Closed ebarrett-Ocient closed 3 months ago
Hi @ebarrett-Ocient
If I'm not forgetting, this is by design. From the documentation there is a note that reads
Vault will create a new credential upon configuration, and if the maximum number of access keys already exist, Vault will rotate the oldest one. Vault must do this to know the credential.
The maximum number of keys for an IAM User is actually 2, so Vault first creates a second key on the static account user. On the next rotation, it then does what you quoted by rotating the key of the oldest credential, which will be your first one.
@robmonte
I don't believe what I'm observing conflicts with the documentation. Per the documentation you quoted, upon configuration of a static role, Vault will rotate the oldest key upon configuration if it exists. In the scenario I'm describing, no IAM keys exist when the static role is configured so Vault creates one. Upon the expiration of the rotation period, rather than rotate the key it created, it creates a brand new one. Then, once the rotation period expires again, it rotates that original key.
If this is intentional, then I believe the documentation should be updated to better reflect this. Regardless of whether it's intentional or not, I believe it would be more valuable if Vault only ever maintained a single access key.
@ebarrett-Ocient I think it is intentional, yeah. I believe the language is meant to imply "Vault will rotate the oldest access key only if the maximum number of keys already exist", meaning it will create new ones until the maximum is reached, whether starting with zero or one already.
I agree the wording on the documentation could make this more clear, thanks for the suggestion. I'll double-check my understanding with my team before committing to rewording that section.
Describe the bug When managing an AWS IAM user's credentials using static roles, if a single access key exists and the rotation period expires, Vault will create a second key rather than rotate the existing key. At a minimum, this conflicts with Vault documentation that reads:
Ideally, we should be able to maintain a single key with Vault. We have security requirements that specify keys must be rotated after X days. Essentially, the configured rotation_period would need to be X/2 in order for us to meet this requirement. Otherwise, the oldest key will not be rotated until twice the configured rotation_period has passed.
To Reproduce
Steps to reproduce the behavior:
1. my-test-user. Ensure no access keys exist.
2. vault write aws/static-roles/test username=my-test-user rotation_period=300
3. my-test-user has been created.
Expected behavior
Only a single access key should exist.
Environment:
Vault Server Version (retrieve with vault status): 1.16.1
Vault CLI Version (retrieve with vault version): 1.15.4
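As an added example (not Vault code, and not written by anyone in this thread), the following Python model simulates the two rotation schedules discussed above: the fill-to-the-IAM-limit-then-rotate-oldest behaviour described for static roles, and the single-key behaviour the reporter asks for. It assumes the two-key IAM limit stated in the thread, a simplified in-memory stand-in for the IAM user, placeholder key ids, and that configuring the static role counts as the first rotation event. It shows why, under the first schedule, a key is not removed until twice the rotation_period has passed, and therefore why rotation_period must be X/2 to keep every key younger than X.

```python
"""Model of the access-key rotation schedules discussed in this issue.

Added example, not Vault code. Two simplified policies are modelled:
  - create_until_full: create a new key while fewer than MAX_IAM_ACCESS_KEYS
    exist, otherwise delete the oldest and create a replacement (the static
    role behaviour described in the thread);
  - single_key: always delete the existing key(s) and create one replacement
    (the behaviour the reporter asks for).
Times are seconds; rotation_period plays the role of the static role's
rotation_period parameter.
"""
from dataclasses import dataclass

MAX_IAM_ACCESS_KEYS = 2  # per-user IAM limit, as stated in the thread


@dataclass(frozen=True)
class AccessKey:
    key_id: str
    created_at: int


class IamUser:
    """Minimal constructed stand-in for an IAM user's access-key list."""

    def __init__(self, existing_keys=()):
        self.keys = list(existing_keys)
        self._seq = 0

    def create_key(self, now):
        # IAM rejects a third key; the model enforces the same limit.
        if len(self.keys) >= MAX_IAM_ACCESS_KEYS:
            raise RuntimeError("LimitExceeded: at most 2 access keys per IAM user")
        self._seq += 1
        key = AccessKey(f"AKIA-EXAMPLE-{self._seq}", now)  # placeholder id
        self.keys.append(key)
        return key

    def delete_key(self, key):
        self.keys.remove(key)

    def oldest(self):
        return min(self.keys, key=lambda k: k.created_at)


def create_until_full(user, now):
    """Rotation step as described in the thread: fill to the limit, then rotate the oldest."""
    if len(user.keys) >= MAX_IAM_ACCESS_KEYS:
        user.delete_key(user.oldest())
    return user.create_key(now)


def single_key(user, now):
    """Alternative step the reporter asks for: never keep more than one key."""
    for key in list(user.keys):
        user.delete_key(key)
    return user.create_key(now)


def simulate(policy, rotation_period, existing_keys=(), rotations=6):
    """Run configuration at t=0 followed by `rotations` rotation events.

    Returns (max_age_at_deletion, max_key_count): the oldest age any
    Vault-created key reached before it was deleted, and the largest number
    of keys present after any step. Pre-existing keys are not Vault-created
    and are excluded from the age figure.
    """
    user = IamUser(existing_keys)
    vault_created = set()
    max_age = 0
    max_count = 0
    for step in range(rotations + 1):
        now = step * rotation_period
        before = set(user.keys)
        vault_created.add(policy(user, now))
        for deleted in before - set(user.keys):
            if deleted in vault_created:
                max_age = max(max_age, now - deleted.created_at)
        max_count = max(max_count, len(user.keys))
    return max_age, max_count


def required_rotation_period(policy, max_allowed_age):
    """Largest rotation_period (seconds) such that no Vault-created key is older than max_allowed_age."""
    probe = 1000  # arbitrary probe period; only the ratio max_age/period matters
    max_age, _ = simulate(policy, rotation_period=probe)
    periods_survived = max_age // probe
    return max_allowed_age // periods_survived


if __name__ == "__main__":
    for name, policy in (("create_until_full", create_until_full), ("single_key", single_key)):
        age, count = simulate(policy, rotation_period=300)
        print(f"{name}: oldest key reached {age}s before deletion, up to {count} key(s) present")
        print(f"{name}: for a 30-day maximum key age, rotation_period must be "
              f"{required_rotation_period(policy, 30 * 86400) // 86400} days")
```

With rotation_period=300 the fill-then-rotate schedule lets a key live 600 seconds before it is deleted, which is the "twice the configured rotation_period" effect the reporter describes, while the single-key schedule deletes each key after exactly one period. required_rotation_period accordingly returns X/2 for the first policy and X for the second.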