vault-aws-provider
is an implementation of an AWS credentials provider (for the AWS SDK for Go v2) that fetches credentials from Vault.
- Custom auth methods via vault.AuthMethod
- Callback on retrieve
- Token authentication
- Renew token when retrieving credentials
```go
import (
	// ... other imports
	"context"

	awscfg "github.com/aws/aws-sdk-go-v2/config"
	vaultp "github.com/nicolascb/vault-aws-provider"
)
...
endpoint := "aws/sts/my-secret"  // Vault AWS secrets engine role to read credentials from
token := "my_vault_auth_token"   // placeholder; load the real token from your environment or auth method
provider, err := vaultp.NewProvider(context.TODO(), endpoint, vaultp.WithVaultToken(token))
if err != nil {
	return err
}
...
// can now use when initializing config
c, err := awscfg.LoadDefaultConfig(context.TODO(), awscfg.WithCredentialsProvider(provider))
if err != nil {
	return err
}
...
```
You can use any authentication method that implements vault.AuthMethod, such as the methods provided by the Vault SDK.
Authentication example with Kubernetes:
```go
package main

import (
	// ... other imports
	"context"
	"log"

	awscfg "github.com/aws/aws-sdk-go-v2/config"
	auth "github.com/hashicorp/vault/api/auth/kubernetes"
	vaultp "github.com/nicolascb/vault-aws-provider"
)

func main() {
	endpoint := "aws/sts/my-secret"
	role := "my-role" // Vault Kubernetes auth role bound to this service account (example value)
	tokenPath := "/var/run/secrets/kubernetes.io/serviceaccount/token" // default service account token path
	kubeAuth, err := auth.NewKubernetesAuth(
		role,
		auth.WithServiceAccountTokenPath(tokenPath),
	)
	if err != nil {
		log.Fatal(err)
	}
	// initialize provider
	provider, err := vaultp.NewProvider(
		context.TODO(),
		endpoint,
		vaultp.WithAuthMethod(kubeAuth),
		// re-authenticate to Vault before every credential retrieval
		vaultp.WithAuthBeforeRetrieve(),
	)
	if err != nil {
		log.Fatal(err)
	}
	// can now use when initializing config
	c, err := awscfg.LoadDefaultConfig(context.TODO(), awscfg.WithCredentialsProvider(provider))
	if err != nil {
		log.Fatal(err)
	}
	_ = c // pass c to AWS service clients
}
```
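The renew-on-retrieve behaviour that WithAuthBeforeRetrieve enables, sketched as an added example that is not the project's code: the Vault client and AWS SDK types are replaced by local stand-ins (Credentials, AuthMethod, Fetcher and the Provider fields are assumed names) so it runs offline. The provider re-authenticates and re-reads the STS endpoint only when the cached credentials are missing or inside a refresh window, and refuses to cache credentials that carry no lease expiry.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"time"
)
// Credentials carries what a Vault aws/sts read yields; Expires is the lease end.
type Credentials struct {
	AccessKeyID, SecretAccessKey, SessionToken string
	Expires                                    time.Time
}
// AuthMethod stands in for vault.AuthMethod: log in and return a Vault token.
type AuthMethod func(ctx context.Context) (string, error)
// Fetcher stands in for the Vault client read of the aws/sts/<role> endpoint.
type Fetcher func(ctx context.Context, token, endpoint string) (Credentials, error)
// Provider caches the last credentials and re-authenticates before each fetch,
// as WithAuthBeforeRetrieve does, so an expired Vault token never blocks a refresh.
type Provider struct {
	mu       sync.Mutex
	Auth     AuthMethod
	Fetch    Fetcher
	Endpoint string
	Window   time.Duration    // refresh this long before Expires
	Now      func() time.Time // clock, e.g. time.Now; injectable for tests
	cached   Credentials
}
// Retrieve serves cached credentials outside the refresh window, else re-logs in and re-reads.
func (p *Provider) Retrieve(ctx context.Context) (Credentials, error) {
	p.mu.Lock() // the AWS SDK may call Retrieve from several goroutines
	defer p.mu.Unlock()
	if !p.cached.Expires.IsZero() && p.Now().Add(p.Window).Before(p.cached.Expires) {
		return p.cached, nil
	}
	token, err := p.Auth(ctx)
	if err != nil {
		return Credentials{}, fmt.Errorf("vault login: %w", err)
	}
	creds, err := p.Fetch(ctx, token, p.Endpoint)
	if err != nil {
		return Credentials{}, fmt.Errorf("read %s: %w", p.Endpoint, err)
	}
	if creds.Expires.IsZero() { // never cache credentials Vault did not lease
		return Credentials{}, fmt.Errorf("read %s: no expiry on credentials", p.Endpoint)
	}
	p.cached = creds
	return creds, nil
}
```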
Released under the Apache License 2.0.