The aomi tool is able to write to the AWS backend of Vault. By specifying an appropriately populated `aws_file` you can create AWS secret backends in Vault. The `aws_file` must point to a valid file, and the base path of the AWS credentials will be set by the `mount` attribute. The AWS file contains the `access_key_id` and `secret_access_key`; the `region` and the list of AWS roles that Vault will load are in the `Secretfile`. For each role you may specify either an inline `policy` or a native AWS `arn`. The `name` of each role is used to compute the final path for accessing credentials. The policy files are simply JSON representations of IAM access policies. The following example would create an AWS Vault secret backend at `foo/bar/baz` based on the account and policy information defined in `aws.yml`. While `lease` and `lease_max` are provided in this example, they are not strictly required. Note that you can specify the `state` as either `absent` or `present` for each individual role.

Note that a previous version had `access_key_id`, `secret_access_key`, `region`, and the `roles` section located in the `aws_file` itself; this behavior is now considered deprecated. The only thing which should be present in the AWS YAML is the actual secrets.
Secretfile:

```yaml
secrets:
- aws_file: 'aws.yml'
  mount: 'foo/bar/baz'
  lease: "1800s"
  lease_max: "86400s"
  region: "us-east-1"
  roles:
  - name: default
    policy: "policy.json"
  - name: "root"
    arn: "arn:aws:iam::aws:policy/AdministratorAccess"
```

aws.yml:

```yaml
access_key_id: "REDACTED"
secret_access_key: "REDACTED"
```
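The rules above (credentials only in the `aws_file`, `region` and `roles` in the Secretfile, exactly one of `policy` or `arn` per role, `state` of `present` or `absent`) can be checked before running aomi. The following linter is an added example, not part of aomi; it works on already-parsed YAML (plain dicts) and assumes Vault's standard AWS engine layout of `<mount>/creds/<role name>` for the final credential path.

```python
"""Lint the AWS section of an aomi Secretfile (added example, not aomi's own code)."""

# Keys that older aomi versions read from the aws_file; only the credentials belong there now.
DEPRECATED_IN_AWS_FILE = {"region", "roles"}
CREDENTIAL_KEYS = {"access_key_id", "secret_access_key"}
VALID_STATES = {"present", "absent"}


def lint_aws_secret(entry, aws_file):
    """Return a list of problems for one `secrets:` entry and the parsed contents of its aws_file."""
    problems = []
    for key in ("aws_file", "mount", "roles"):
        if key not in entry:
            problems.append(f"missing required key '{key}'")
    for key in sorted(set(aws_file) - CREDENTIAL_KEYS):
        why = "deprecated here, move it to the Secretfile" if key in DEPRECATED_IN_AWS_FILE \
            else "only credentials belong here"
        problems.append(f"'{key}' in aws_file: {why}")
    for key in sorted(CREDENTIAL_KEYS - set(aws_file)):
        problems.append(f"aws_file lacks '{key}'")
    for role in entry.get("roles", []):
        name = role.get("name")
        if not name:
            problems.append("role without a name")
            continue
        if ("policy" in role) == ("arn" in role):  # neither, or both
            problems.append(f"role '{name}' needs exactly one of 'policy' or 'arn'")
        state = role.get("state", "present")
        if state not in VALID_STATES:
            problems.append(f"role '{name}' has invalid state '{state}'")
    return problems


def creds_paths(entry):
    """Map each role that is (or defaults to) present to the Vault path its credentials are read from.
    Assumes Vault's standard AWS secret engine layout of <mount>/creds/<role name>."""
    mount = entry["mount"].strip("/")
    return {r["name"]: f"{mount}/creds/{r['name']}"
            for r in entry.get("roles", []) if r.get("state", "present") == "present"}


# Constructed sample mirroring the page's example; aws.yml uses placeholder credentials.
SECRETFILE = {"secrets": [{
    "aws_file": "aws.yml", "mount": "foo/bar/baz", "lease": "1800s", "lease_max": "86400s",
    "region": "us-east-1",
    "roles": [{"name": "default", "policy": "policy.json"},
              {"name": "root", "arn": "arn:aws:iam::aws:policy/AdministratorAccess"}],
}]}
AWS_FILE = {"access_key_id": "REDACTED", "secret_access_key": "REDACTED"}
# Old-style aws.yml with region and roles inside it, which the linter flags as deprecated.
LEGACY_AWS_FILE = dict(AWS_FILE, region="us-east-1", roles=[{"name": "default"}])
```

Run `lint_aws_secret(SECRETFILE["secrets"][0], AWS_FILE)` to get an empty list for the example above, and pass `LEGACY_AWS_FILE` instead to see the two deprecation findings.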