Overview
- Generates dynamic, short-lived secrets that grant access to AWS resources
- A role is configured in Vault (for the iam_user credential type it carries an inline IAM policy document, or a list of managed policy ARNs / IAM groups); when the secrets engine is called, Vault connects to AWS with its own root credentials, creates a new IAM user and attaches that policy to the user
- Caller is given the user's access key ID and secret access key, returned under a Vault lease with a TTL; the caller acts in AWS as that user, limited by the attached policy
- Key can be revoked via Vault (lease revoke, or expiry of the lease); Vault then deletes the access key and the IAM user, so nothing long-lived is left in AWS
Usage
- Configure root credentials (aws/config/root): the long-lived AWS keys Vault itself uses; they need IAM permissions to create/delete users, policies and access keys
- Create role (aws/roles/<name>):
  - Defines the IAM policy that Vault will attach to every IAM user it creates for this role; keep it least-privilege, since every caller of the role receives exactly these permissions
  - Lease TTL for iam_user credentials comes from the mount's lease settings (secrets tune), not from the role
- Generate secret (read aws/creds/<name>):
  - Each read causes Vault to connect to AWS, create a new IAM user, attach the role's policy, create an access key pair for that user and return the pair together with a lease_id and lease_duration
  - Revoking the lease removes the key pair and the IAM user
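The full cycle (configure root credentials, tune the lease TTL, write a role, read credentials, revoke the lease), as an added example against Vault's HTTP API; this is illustration code, not part of the original notes or of Vault itself. The Vault paths and response fields (`aws/config/root`, `sys/mounts/aws/tune`, `aws/roles/<name>`, `aws/creds/<name>`, `sys/leases/revoke`, `lease_id`, `lease_duration`, `data.access_key`/`data.secret_key`) are the real ones; the Vault address, token, role name, policy and the `FakeVaultTransport` responses are constructed so the script runs offline. The `policy_is_scoped` check is a hypothetical guard that rejects blanket `Action: "*"` policies before they reach Vault.

```python
"""Drive Vault's AWS secrets engine (iam_user credential type) over its HTTP API."""
import json
import urllib.request


def policy_is_scoped(policy_document):
    """Hypothetical least-privilege guard: refuse any Allow statement whose Action
    is a bare wildcard. Every caller of the role inherits this policy, so a '*'
    here hands out full-account access to anyone who can read aws/creds/<role>."""
    for stmt in policy_document.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and any(a in ("*", "*:*") for a in actions):
            return False
    return True


class VaultAwsClient:
    """Minimal client for the aws/ secrets engine. `transport(method, url, headers, body)`
    returns the decoded JSON body (None for empty responses); the default uses urllib."""

    def __init__(self, addr, token, mount="aws", transport=None):
        self.addr = addr.rstrip("/")
        self.token = token
        self.mount = mount
        self.transport = transport or self._http

    @staticmethod
    def _http(method, url, headers, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers=headers)
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None

    def _call(self, method, path, body=None):
        headers = {"X-Vault-Token": self.token, "Content-Type": "application/json"}
        return self.transport(method, f"{self.addr}/v1/{path}", headers, body)

    def configure_root(self, access_key, secret_key, region="us-east-1"):
        """aws/config/root: the long-lived keys Vault uses to create and delete IAM users."""
        return self._call("POST", f"{self.mount}/config/root",
                          {"access_key": access_key, "secret_key": secret_key, "region": region})

    def tune_lease(self, default_ttl="30m", max_ttl="1h"):
        """iam_user leases take their TTL from the mount, not the role."""
        return self._call("POST", f"sys/mounts/{self.mount}/tune",
                          {"default_lease_ttl": default_ttl, "max_lease_ttl": max_ttl})

    def write_iam_user_role(self, name, policy_document):
        """aws/roles/<name>: the inline policy attached to every IAM user Vault creates."""
        if not policy_is_scoped(policy_document):
            raise ValueError(f"role {name}: refusing wildcard Action in policy")
        return self._call("POST", f"{self.mount}/roles/{name}",
                          {"credential_type": "iam_user",
                           "policy_document": json.dumps(policy_document)})

    def generate_creds(self, role):
        """GET aws/creds/<role>: Vault creates a fresh IAM user plus access key pair."""
        resp = self._call("GET", f"{self.mount}/creds/{role}")
        return {"lease_id": resp["lease_id"], "ttl": resp["lease_duration"],
                "access_key": resp["data"]["access_key"], "secret_key": resp["data"]["secret_key"]}

    def revoke(self, lease_id):
        """PUT sys/leases/revoke: Vault deletes the access key and the IAM user."""
        return self._call("PUT", "sys/leases/revoke", {"lease_id": lease_id})


class FakeVaultTransport:
    """Constructed stand-in for a Vault server so the example runs offline.
    Records every request and answers aws/creds reads with the real response shape."""

    def __init__(self):
        self.requests, self.revoked = [], []

    def __call__(self, method, url, headers, body):
        self.requests.append((method, url, body))
        if method == "GET" and "/creds/" in url:
            return {"lease_id": "aws/creds/s3-reader/7f9c2e1a", "lease_duration": 1800,
                    "renewable": True,
                    "data": {"access_key": "AKIAEXAMPLE00000001",   # constructed values
                             "secret_key": "EXAMPLE/constructed/secret", "security_token": None}}
        if url.endswith("sys/leases/revoke"):
            self.revoked.append(body["lease_id"])
        return None


S3_READ_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}


def run_cycle(transport=None):
    """Configure, create a role, mint a key pair, revoke it. Returns the minted creds."""
    c = VaultAwsClient("http://127.0.0.1:8200", "example-token", transport=transport)
    c.configure_root("AKIAROOTEXAMPLE", "root-secret-constructed")
    c.tune_lease()
    c.write_iam_user_role("s3-reader", S3_READ_POLICY)
    creds = c.generate_creds("s3-reader")
    c.revoke(creds["lease_id"])
    return creds


if __name__ == "__main__":
    print(run_cycle(FakeVaultTransport()))
```

Run against a real server by passing `transport=None` (the urllib default) with a genuine address and token; the recorded requests in `FakeVaultTransport.requests` show the exact calls a `vault write`/`vault read`/`vault lease revoke` sequence would make.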