Authentication: AWS
To see all of your current authentication providers, use:
dsv config auth-provider search -e yaml
Initially, the only authentication provider is Thycotic One, similar to this:
created: "2019-11-11T20:29:20Z"
createdBy: users:thy-one:admin@company.com
id: xxxxxxxxxxxxxxxxxxxx
lastModified: "2020-05-18T03:58:15Z"
lastModifiedBy: users:thy-one:admin@company.com
name: thy-one
properties:
  baseUri: https://login.thycotic.com/
  clientId: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  clientSecret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
type: thycoticone
version: "0"
AWS Authentication Provider
To add an AWS account to act as an authentication provider:
dsv config auth-provider create --name <name> --type aws --aws-account-id <AWS account ID>
in which:
- name is the friendly name used in VP-DV to reference this provider.
- type is the authentication provider type; in this case, aws.
- --aws-account-id is the only property flag for the aws type; its value is the 12-digit ID of the AWS account whose IAM users and roles will authenticate through this provider.
To view the resulting provider, where the example name used here is aws-dev, run:
dsv config auth-provider <name> read -e yaml
The output would look similar to this:
created: "2019-11-12T18:34:49Z"
createdBy: users:thy-one:admin@company.com
id: xxxxxxxxxxxxxxxxxxxx
lastModified: "2020-05-18T03:58:15Z"
lastModifiedBy: users:thy-one:admin@company.com
name: aws-dev
properties:
  accountId: "xxxxxxxxxxxx"
type: aws
version: "0"
AWS User Example
When you create a User in VP-DV for an AWS principal, the username is only a friendly name within VP-DV. It does not have to match the Identity and Access Management (IAM) username, but the external-id must be the ARN of the IAM user and the provider must match the provider name configured above.
dsv user create --username test-admin --external-id arn:aws:iam::xxxxxxxxxxx:user/test-admin --provider aws-dev
After creating the User, edit the config to add that User to the default administrator permission policy.
Adding a user to the admin policy is not a security best practice and is done here for example purposes only. Ideally, create a separate policy for this AWS user with restricted access; for details on limiting access through policies, see the Policy section.
dsv config edit -e yaml
Add test-admin as a User subject to the Default Admin Policy. Third-party accounts must be prefixed with the provider name; in this case, the fully qualified username is aws-dev:test-admin.
<snip>
- actions:
    - <.*>
  conditions: {}
  description: Default Admin Policy
  effect: allow
  id: xxxxxxxxxxxxxxxxxxxx
  meta: null
  resources:
    - <.*>
  subjects:
    - users:<aws-dev:test-admin|admin@company.com>
<snip>
Next, on a machine with the AWS CLI installed and configured with credentials for that IAM user, download the DSV CLI executable appropriate to the machine's OS and initialize the CLI:
dsv init
When prompted for the authorization type, choose AWS IAM (federated).
Please enter auth type:
(1) Password (local user)(default)
(2) Client Credential
(3) Thycotic One (federated)
(4) AWS IAM (federated)
(5) Azure (federated)
(6) GCP (federated)
(7) OIDC (federated)
If you authenticate with a non-default AWS profile, VP-DV prompts for the profile to use:
Please enter aws profile for federated aws auth (optional, default:default)
Read an existing Secret to verify you can authenticate to VP-DV and access data.
dsv secret read --path <path to secret>
AWS Role Example
This example assumes that you:
- have your own CLI configured locally with an admin account
- created an IAM Role in the AWS Console
- launched an EC2 instance using the IAM Role
- downloaded the CLI onto the EC2 instance
Create a corresponding Role in VP-DV whose external-id is the ARN of the IAM Role:
dsv role create --name test-role --external-id arn:aws:iam::xxxxxxxxxxx:role/testlogin --provider aws-dev
You should see a result similar to this:
{
  "description": "",
  "externalId": "arn:aws:iam::xxxxxxxxxxx:role/testlogin",
  "name": "test-role",
  "provider": "aws-dev"
}
Add the Role aws-dev:test-role to the Default Admin Policy in your vault config to grant the new Role admin access.
Adding a role to the admin policy is not a security best practice and is done here for example purposes only. Ideally, create a separate policy for this AWS role with restricted access; for details on limiting access through policies, see the Policy section.
Use the command:
dsv config edit -e yaml
<snip>
- actions:
    - <.*>
  conditions: {}
  description: Default Admin Policy
  effect: allow
  id: bgn8gjei66jc7148d9i0
  meta: null
  resources:
    - <.*>
  subjects:
    - users:<aws-dev:test-admin|admin@company.com>
    - roles:<aws-dev:test-role>
<snip>
On the EC2 instance, configure the CLI by running dsv init and choosing AWS IAM as the authentication type; the instance authenticates with the credentials of the IAM Role it was launched with.
Once configured, ensure you can read an existing Secret to verify the EC2 instance is able to authenticate and access data.
dsv secret read --path <path to secret>
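The two procedures above (binding an IAM user, then an IAM role, and granting each access through a policy) share one preflight that is worth scripting before touching the vault: confirm that the ARN you are about to pass as --external-id is an IAM user or role ARN (not, for example, an STS assumed-role ARN) in the account the provider was created with, build the fully qualified subject with the provider prefix, and emit a restricted policy entry instead of the Default Admin Policy edit shown above. The script below is an added example and is not part of the DSV CLI or its documentation. The account ID 123456789012, the secrets path dev, and the read-only policy entry (using the field layout of the policy shown on this page) are constructed assumptions for illustration; the script prints the dsv commands rather than running them.

```shell
#!/bin/sh
# Preflight for binding an AWS IAM user or role to a DSV user/role.
# Added example, not part of the DSV CLI or its documentation. Provider
# name, account ID, ARNs and the secrets path are constructed placeholders.
set -eu

# aws_arn_kind ARN: print "user" or "role" for a well-formed IAM user/role ARN;
# fail (return 1) for anything else, e.g. an STS assumed-role ARN, which is
# not the shape --external-id expects.
aws_arn_kind() {
  if printf '%s\n' "$1" | grep -Eq '^arn:aws:iam::[0-9]{12}:user/[A-Za-z0-9+=,.@_/-]+$'; then
    echo user
  elif printf '%s\n' "$1" | grep -Eq '^arn:aws:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$'; then
    echo role
  else
    return 1
  fi
}

# aws_arn_account ARN: the 12-digit account ID field of the ARN.
aws_arn_account() {
  printf '%s\n' "$1" | cut -d: -f5
}

# dsv_subject PROVIDER KIND NAME: the fully qualified policy subject,
# e.g. users:aws-dev:test-admin or roles:aws-dev:test-role.
dsv_subject() {
  case "$2" in
    user) printf 'users:%s:%s\n' "$1" "$3" ;;
    role) printf 'roles:%s:%s\n' "$1" "$3" ;;
    *) echo "unknown kind: $2" >&2; return 1 ;;
  esac
}

# check_binding PROVIDER_ACCOUNT ARN: succeed only if ARN is an IAM user/role
# ARN in the account the auth provider was created with (--aws-account-id).
# The provider is bound to one account, so an ARN from another account is a
# configuration mistake and is reported before anything is created.
check_binding() {
  kind=$(aws_arn_kind "$2") || { echo "not an IAM user/role ARN: $2" >&2; return 1; }
  acct=$(aws_arn_account "$2")
  [ "$acct" = "$1" ] || { echo "account mismatch: provider $1, ARN $acct ($kind)" >&2; return 1; }
}

# plan PROVIDER PROVIDER_ACCOUNT ARN NAME SECRETS_PATH: print the dsv command
# that creates the binding and a least-privilege policy entry (read-only on
# one secrets path) to add with 'dsv config edit -e yaml' instead of
# extending the Default Admin Policy.
plan() {
  check_binding "$2" "$3"
  kind=$(aws_arn_kind "$3")
  subject=$(dsv_subject "$1" "$kind" "$4")
  case "$kind" in
    user) echo "dsv user create --username $4 --external-id $3 --provider $1" ;;
    role) echo "dsv role create --name $4 --external-id $3 --provider $1" ;;
  esac
  cat <<EOF
# policy entry to add via 'dsv config edit -e yaml' (constructed example):
- actions:
    - read
  conditions: {}
  description: read-only $5 for $subject
  effect: allow
  meta: null
  resources:
    - secrets:$5:<.*>
  subjects:
    - $subject
EOF
}

# Demo with the two bindings from this page (constructed account ID).
plan aws-dev 123456789012 arn:aws:iam::123456789012:user/test-admin test-admin dev
plan aws-dev 123456789012 arn:aws:iam::123456789012:role/testlogin test-role dev
# A principal from a different account is refused before anything is created.
if ! check_binding 123456789012 arn:aws:iam::999999999999:user/test-admin; then
  echo "refused: ARN is not in the provider's account"
fi
```

Run it on the machine where you manage the vault, then paste the printed dsv command and policy entry into the steps above in place of the Default Admin Policy edit; the subject prefix (users: or roles:) follows from the ARN kind, so a role ARN never ends up under users:.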