aws-secrets-engine
devops-rob/aws-secrets-engine/vault
A Terraform module to enable and configure the AWS secrets engine in HashiCorp Vault.
# Terraform Module: AWS Secrets Engine

## AWS requirements

Vault requires an AWS account with programmatic access. This account must be able to create, list, and delete AWS accounts. For this example, Vault also requires an IAM group in which to place the provisioned accounts. The permissions assigned to this group depend on what actions the provisioned accounts need to perform. For more information about AWS groups and permissions, refer to the following resources:

- AWS Groups best practices
- AWS Permissions best practices

## Usage example

```hcl
provider "vault" {
  address = "http://localhost:8200"
  token   = var.vault_token
}

variable "vault_token" {}
variable "aws_access_key" {}
variable "aws_
```
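The requirements above leave open how tightly the Vault account itself should be scoped. The following is an added example, not part of this module or its author's code, showing a least-privilege IAM setup for that account: the group Vault will place generated users in, and a policy for the Vault credential that is limited to IAM users carrying the `vault-` name prefix Vault uses by default. It assumes a configured AWS provider; the group name `vault-generated-users`, the user name `vault-secrets-engine`, and the `ReadOnlyAccess` attachment are placeholders chosen for the example.

```hcl
# Added example (not the module's own code): least-privilege IAM resources for
# the account Vault uses. Assumes the AWS provider is already configured.

# Vault's default username template prefixes generated users with "vault-";
# the policy below is scoped to that prefix (assumed default, adjust if changed).
variable "vault_user_prefix" {
  type    = string
  default = "vault-"
}

data "aws_caller_identity" "current" {}

# The IAM group generated users are added to. Attach only what those users
# actually need; ReadOnlyAccess is a placeholder for this example.
resource "aws_iam_group" "vault_generated" {
  name = "vault-generated-users"
}

resource "aws_iam_group_policy_attachment" "generated_users" {
  group      = aws_iam_group.vault_generated.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

# Permissions the Vault credential needs for the iam_user credential type,
# restricted to users whose names carry the Vault prefix.
data "aws_iam_policy_document" "vault_root" {
  statement {
    sid    = "VaultManageGeneratedUsers"
    effect = "Allow"
    actions = [
      "iam:AttachUserPolicy",
      "iam:CreateAccessKey",
      "iam:CreateUser",
      "iam:DeleteAccessKey",
      "iam:DeleteUser",
      "iam:DeleteUserPolicy",
      "iam:DetachUserPolicy",
      "iam:GetUser",
      "iam:ListAccessKeys",
      "iam:ListAttachedUserPolicies",
      "iam:ListGroupsForUser",
      "iam:ListUserPolicies",
      "iam:PutUserPolicy",
      "iam:TagUser",
      "iam:AddUserToGroup",
      "iam:RemoveUserFromGroup",
    ]
    resources = [
      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/${var.vault_user_prefix}*",
    ]
  }
}

# The dedicated IAM user whose access key is handed to the secrets engine.
resource "aws_iam_user" "vault" {
  name = "vault-secrets-engine"
}

resource "aws_iam_user_policy" "vault_root" {
  name   = "vault-manage-generated-users"
  user   = aws_iam_user.vault.name
  policy = data.aws_iam_policy_document.vault_root.json
}

resource "aws_iam_access_key" "vault" {
  user = aws_iam_user.vault.name
}

# Marked sensitive so the values are redacted from plan/apply output; they are
# still recorded in state, so the state backend must be access-controlled.
output "vault_aws_access_key" {
  value     = aws_iam_access_key.vault.id
  sensitive = true
}

output "vault_aws_secret_key" {
  value     = aws_iam_access_key.vault.secret
  sensitive = true
}
```

The resource scoping is the point: the Vault credential can only create, key, and delete users matching its own naming prefix, so a leak of that credential does not grant control over every user in the account. The group attachment is where the permissions of the provisioned accounts are decided, which is why it should carry the narrowest policy that still serves the workloads requesting credentials.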
| Name | Type | Description | Default |
|---|---|---|---|
| aws_sts_max_ttl | number | The max allowed TTL in seconds for STS credentials (credentials TTL are capped t | required |
| aws_secret_key | string | Secret key for AWS account. WARNING - this will be written to the state file in | required |
| aws_region | string | AWS region. Can also be set with the AWS_DEFAULT_REGION environment variable | required |
| aws_backend_role_name | string | Name for AWS backend role | required |
| aws_policy_arns | list(string) | List of AWS managed policy ARNs. The behavior depends on the credential type. Wi | required |
| aws_iam_groups | list(string) | A list of IAM group names. IAM users generated against this vault role will be a | required |
| aws_access_key | string | Access key for AWS account. WARNING - this will be written to the state file in | required |
| aws_role_arns | list(string) | List of ARNs of the AWS roles this Vault role is allowed to assume. Required whe | required |
| aws_policy_document | string | The IAM policy document for the role. The behavior depends on the credential typ | required |
| aws_sts_default_ttl | number | The default TTL in seconds for STS credentials. Valid only when credential_type | required |
| aws_max_lease | number | Maximum lease for aws secrets engine. NOTE - This overrides the generic default | 3600 |
| aws_default_lease | number | Default lease for aws secrets engine backend. NOTE - This overrides the generic | 3600 |
| aws_backend_role_cred_type | string | Type of credential to be used when retrieving credentials from the role. | "iam_user" |
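The table above lists the module's inputs, several of which carry a warning that they end up in plaintext in the state file. The following is an added example of a complete invocation of the module using those inputs; it is not code from the module or its author. It assumes Terraform 0.14 or later (for `sensitive = true`), a Vault server reachable at the address given, and an IAM group named `vault-generated-users` that already exists in the AWS account; the region, bucket, role name, lease values, and empty lists for the ARN inputs are example choices.

```hcl
# Added example (not the module's own code): invoking the module with the
# inputs from the table above.

terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}

provider "vault" {
  address = "http://localhost:8200"
  token   = var.vault_token
}

# Marking inputs sensitive keeps them out of plan/apply output and logs.
# They are still written to state, so protect the state backend (remote,
# encrypted, access-controlled) rather than relying on this flag alone.
variable "vault_token" {
  type      = string
  sensitive = true
}

variable "aws_access_key" {
  type      = string
  sensitive = true
}

variable "aws_secret_key" {
  type      = string
  sensitive = true
}

# Inline permissions for the generated IAM users: read access to one bucket.
# The bucket name is a placeholder for this example.
locals {
  generated_user_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["s3:ListBucket", "s3:GetObject"]
        Resource = [
          "arn:aws:s3:::example-bucket",
          "arn:aws:s3:::example-bucket/*",
        ]
      },
    ]
  })
}

module "aws_secrets_engine" {
  source = "devops-rob/aws-secrets-engine/vault"

  aws_access_key = var.aws_access_key
  aws_secret_key = var.aws_secret_key
  aws_region     = "eu-west-1"

  aws_backend_role_name      = "s3-reader"
  aws_backend_role_cred_type = "iam_user"
  aws_iam_groups             = ["vault-generated-users"]

  # Permissions come from the group plus the inline document, so no managed
  # policy ARNs are attached. Role ARNs apply only to the assumed_role
  # credential type, so the list is left empty here (assumed to be accepted
  # by the module, as the underlying Vault resource accepts an empty list).
  aws_policy_arns     = []
  aws_policy_document = local.generated_user_policy
  aws_role_arns       = []

  # Short leases narrow the window in which a leaked generated key is usable;
  # Vault revokes the IAM user when the lease expires.
  aws_default_lease   = 900
  aws_max_lease       = 3600
  aws_sts_default_ttl = 900
  aws_sts_max_ttl     = 3600
}
```

Supply the three sensitive variables through `TF_VAR_vault_token`, `TF_VAR_aws_access_key` and `TF_VAR_aws_secret_key` environment variables rather than a committed `.tfvars` file; the Vault provider also reads `VAULT_TOKEN` from the environment when `token` is unset. Once applied, a client with a Vault policy permitting `read` on `aws/creds/s3-reader` receives a fresh, time-limited IAM user whose permissions are exactly the group attachment plus the inline document.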