AWS IAM

The Infisical AWS IAM dynamic secret allows you to generate AWS IAM Users on demand based on a configured AWS policy. Infisical supports several authentication methods to connect to your AWS account, including assuming an IAM Role, using IAM Roles for Service Accounts (IRSA) on EKS, or static Access Keys.

Prerequisite

Infisical needs an AWS IAM principal (a user or a role) with the required permissions to create and manage other IAM users. This principal will be responsible for the lifecycle of the dynamically generated users.

Required IAM Permissions

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachUserPolicy",
        "iam:CreateAccessKey",
        "iam:CreateUser",
        "iam:DeleteAccessKey",
        "iam:DeleteUser",
        "iam:DeleteUserPolicy",
        "iam:DetachUserPolicy",
        "iam:GetUser",
        "iam:ListAccessKeys",
        "iam:ListAttachedUserPolicies",
        "iam:ListGroupsForUser",
        "iam:ListUserPolicies",
        "iam:PutUserPolicy",
        "iam:AddUserToGroup",
        "iam:RemoveUserFromGroup",
        "iam:TagUser"
      ],
      "Resource": ["*"]
    }
  ]
}

To minimize managing user access you can attach a resource in format

arn:aws:iam::<account-id>:user/<aws-scope-path>

Replace <account id> with your AWS account id and <aws-scope-path> with a path to minimize managing user access.

Set up Dynamic Secrets with AWS IAM

Infisical will assume the provided role in your AWS account securely, without the need to share any credentials.

Self-Hosted Instance

To connect your self-hosted Infisical instance with AWS, you need to set up an AWS IAM User account that can assume the configured AWS IAM Role.If your instance is deployed on AWS, the aws-sdk will automatically retrieve the credentials. Ensure that you assign the provided permission policy to your deployed instance, such as ECS or EC2.The following steps are for instances not deployed on AWS:

Create an IAM User

Navigate to Create IAM User in your AWS Console.

Create an Inline Policy

Attach the following inline permission policy to the IAM User to allow it to assume any IAM Roles:

{
    "Version": "2012-10-17",
    "Statement": [
{
    "Sid": "AllowAssumeAnyRole",
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::*:role/*"
}
    ]
}

Obtain the IAM User Credentials

Obtain the AWS access key ID and secret access key for your IAM User by navigating to IAM > Users > [Your User] > Security credentials > Access keys. Access Key Step 1

Set Up Connection Keys

Set the access key as DYNAMIC_SECRET_AWS_ACCESS_KEY_ID.
Set the secret key as DYNAMIC_SECRET_AWS_SECRET_ACCESS_KEY.

Create the Managing User IAM Role for Infisical

Navigate to the Create IAM Role page in your AWS Console.
Select AWS Account as the Trusted Entity Type.
Select Another AWS Account and provide the appropriate Infisical AWS Account ID: use 381492033652 for the US region, and 345594589636 for the EU region. This restricts the role to be assumed only by Infisical. If self-hosting, provide your AWS account number instead.
(Recommended) Enable “Require external ID” and input your Project ID to strengthen security and mitigate the confused deputy problem.
Assign permission as shared in prerequisite.

When configuring an IAM Role that Infisical will assume, it’s highly recommended to enable the “Require external ID” option and specify your Project ID.This precaution helps protect your AWS account against the confused deputy problem, a potential security vulnerability where Infisical could be tricked into performing actions on your behalf by an unauthorized actor.

Copy the AWS IAM Role ARN

Secret Overview Dashboard

Navigate to the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret to.

Click on the 'Add Dynamic Secret' button

Select AWS IAM

Provide the inputs for dynamic secret parameters

Secret Name

string

required

Name by which you want the secret to be referenced

Default TTL

string

required

Default time-to-live for a generated secret (it is possible to modify this value after a secret is generated)

Max TTL

string

required

Maximum time-to-live for a generated secret

Username Template

string

default:"{{randomUsername}}"

Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.Allowed template variables are

{{randomUsername}}: Random username string
{{unixTimestamp}}: Current Unix timestamp
{{identity.name}}: Name of the identity that is generating the secret
{{random N}}: Random string of N characters

Allowed template functions are

truncate: Truncates a string to a specified length
replace: Replaces a substring with another value

Examples:

{{randomUsername}}                              // 3POnzeFyK9gW2nioK0q2gMjr6CZqsRiX
{{unixTimestamp}}                               // 17490641580
{{identity.name}}                               // testuser
{{random-5}}                                    // x9k2m
{{truncate identity.name 4}}                    // test
{{replace identity.name 'user' 'replace'}}      // testreplace

Tags

map<string, string>[]

Tags to be added to the created IAM User resource.

Method

string

required

Select Assume Role method.

Aws Role ARN

string

required

The ARN of the AWS Role to assume.

AWS IAM Path

string

IAM AWS Path to scope created IAM User resource access.

AWS Region

string

required

The AWS data center region.

IAM User Permission Boundary

string

required

The IAM Policy ARN of the AWS Permissions Boundary to attach to IAM users created in the role.

AWS IAM Groups

string

The AWS IAM groups that should be assigned to the created users. Multiple values can be provided by separating them with commas

AWS Policy ARNs

string

The AWS IAM managed policies that should be attached to the created users. Multiple values can be provided by separating them with commas

AWS IAM Policy Document

string

The AWS IAM inline policy that should be attached to the created users. Multiple values can be provided by separating them with commas

Username Template

string

default:"{{randomUsername}}"

Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.Allowed template variables are

{{randomUsername}}: Random username string
{{unixTimestamp}}: Current Unix timestamp

Click 'Submit'

After submitting the form, you will see a dynamic secret created in the dashboard.

Generate dynamic secrets

Once you’ve successfully configured the dynamic secret, you’re ready to generate on-demand credentials. To do this, simply click on the ‘Generate’ button which appears when hovering over the dynamic secret item. Alternatively, you can initiate the creation of a new lease by selecting ‘New Lease’ from the dynamic secret lease list section.

When generating these secrets, it’s important to specify a Time-to-Live (TTL) duration. This will dictate how long the credentials are valid for. Provision Lease

Ensure that the TTL for the lease falls within the maximum TTL defined when configuring the dynamic secret in step 4.

Once you click the Submit button, a new secret lease will be generated and the credentials for it will be shown to you. Provision Lease

Audit or Revoke Leases

Once you have created one or more leases, you will be able to access them by clicking on the respective dynamic secret item on the dashboard. This will allow you to see the lease details and delete the lease ahead of its expiration time. Provision Lease

Renew Leases

To extend the life of the generated dynamic secret lease past its initial time to live, simply click on the Renew button as illustrated below. Provision Lease

Lease renewals cannot exceed the maximum TTL set when configuring the dynamic secret

Getting Started

Platform

Authentication Methods

Self-host Infisical

Internals

Contributing

Prerequisite

Set up Dynamic Secrets with AWS IAM

Audit or Revoke Leases

Renew Leases

Getting Started

Platform

Authentication Methods

Self-host Infisical

Internals

Contributing

​Prerequisite

​Set up Dynamic Secrets with AWS IAM

​Audit or Revoke Leases

​Renew Leases

Prerequisite

Set up Dynamic Secrets with AWS IAM

Audit or Revoke Leases

Renew Leases