AWS Authentication
The AWS related commands need credentials in order to authenticate to AWS.
There are multiple ways to configure authentication, similar to how
aws
cli authentication is setup.
Credentials in environment
Set AWS_ACCESS_KEY_ID
and AWS_SECRET_ACCESS_KEY
variables in environment.
For example,
Note: If you are using temporary credentials using STS, AWS_SESSION_TOKEN
also needs to be set.
Refer: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
Named profile in credentials file
vault-radar
can read credentials from the AWS Credentials file, usually located at $HOME/.aws/config
.
By default, it looks for a profile with name default
. However any other profile in the credentials file can be
chosen by setting AWS_PROFILE
environment variable
EC2 Instance profile
When running vault-radar
on an AWS EC2 instance, we can assign an IAM role for the EC2 instance and grant it
access to the resource that needs to be scanned.
These credentials will be available to the code running on the instance through the Amazon EC2 metadata service.
Refer: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
ECS & EKS
It is also possible to run vault-radar
as a container in AWS ECS (Elastic Container Service) or AWS EKS (Elastic Kubernetes Service).
We need to create an IAM role with a policy granting the access to the resource that needs to be scanned as assign it appropriately.
For ECS, we need to assign the IAM role to the task.
For EKS, we need to create an IAM OIDC provider for the cluster and assign the role to a service account.
Refer: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html Refer: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html