This is a port of Kelsey Hightower vault-init to AWS.
The vault-init
service automates the process of initializing and unsealing HashiCorp Vault instances running on Amazon Web Services.
After vault-init
initializes a Vault server it stores master keys and root tokens, encrypted using AWS Key Management Service, to a user defined Amazon S3 bucket.
The vault-init
service is designed to be run alongside a Vault server and communicate over local host.
Run vault-init
in the same Pod as the Vault container. See the vault statefulset for a complete example.
The vault-init service supports the following environment variables for configuration:
CHECK_INTERVAL
- The time in seconds between Vault health checks. (300)S3_BUCKET_NAME
- The Amazon S3 Bucket where the vault master key and root token is stored.KMS_KEY_ID
- The Amazon KMS key ID used to encrypt and decrypt the vault master key and root token.VAULT_ADDR
- The vault API address.
CHECK_INTERVAL="300"
S3_BUCKET_NAME="vault-storage"
KMS_KEY_ID="arn:aws:kms:us-east-1:1234567819:key/dead-beef-dead-beef-deadbeefdead"
VAULT_ADDR="https://vault.service.consul:8200"
The vault-init
service needs the following set of resources:
- S3 Bucket
- IAM Role Instance Profile
- KMS Key
Here's a minimal example which creates an instance profile that can use a KMS key and read/write to a private S3 bucket.
resource "aws_iam_role" "vault" {
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {"Service": "ec2.amazonaws.com"},
"Effect": "Allow"
}
]
}
EOF
}
# use the current caller's ARN as the KMS key administrator
data "aws_caller_identity" "current" {}
resource "aws_kms_key" "vault" {
policy = <<EOF
{
"Version": "2012-10-17",
"Id": "vault-key-policy",
"Statement": [
{
"Effect": "Allow",
"Principal": {"AWS": "${data.aws_caller_identity.current.arn}"},
"Action": "kms:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {"AWS": "${aws_iam_role.vault.arn}"},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
]
}
EOF
}
resource "aws_kms_alias" "vault" {
name = "alias/my-vault-key"
target_key_id = "${aws_kms_key.vault.key_id}"
}
resource "aws_s3_bucket" "vault" {
acl = "private"
}
resource "aws_iam_role_policy" "vault" {
role = "${aws_iam_role.vault.id}"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Encrypt",
"kms:DescribeKey",
"kms:Decrypt"
],
"Effect": "Allow",
"Resource": "${aws_kms_alias.vault.arn}"
},
{
"Action": "s3:ListBucket",
"Effect": "Allow",
"Resource": "${aws_s3_bucket.vault.arn}"
},
{
"Action": ["s3:GetObject", "s3:PutObject"],
"Effect": "Allow",
"Resource": "${aws_s3_bucket.vault.arn}/*"
}
]
}
EOF
}
resource "aws_iam_instance_profile" "vault" {
role = "${aws_iam_role.vault.name}"
}