AWS IAM
Learn how to dynamically generate AWS IAM Users.
The Infisical AWS IAM dynamic secret allows you to generate AWS IAM Users on demand based on a configured AWS policy. Infisical supports several authentication methods to connect to your AWS account, including assuming an IAM Role, using IAM Roles for Service Accounts (IRSA) on EKS, or static Access Keys.
Prerequisite
Infisical needs an AWS IAM principal (a user or a role) with the required permissions to create and manage other IAM users. This principal will be responsible for the lifecycle of the dynamically generated users.
Required IAM Permissions
Required IAM Permissions
To minimize managing user access you can attach a resource in format
arn:aws:iam::<account-id>:user/<aws-scope-path>
Replace <account id> with your AWS account id and <aws-scope-path> with a path to minimize managing user access.
Set up Dynamic Secrets with AWS IAM
Infisical will assume the provided role in your AWS account securely, without the need to share any credentials.
Self-Hosted Instance
Self-Hosted Instance
To connect your self-hosted Infisical instance with AWS, you need to set up an AWS IAM User account that can assume the configured AWS IAM Role.
If your instance is deployed on AWS, the aws-sdk will automatically retrieve the credentials. Ensure that you assign the provided permission policy to your deployed instance, such as ECS or EC2.
The following steps are for instances not deployed on AWS:
Create an IAM User
Navigate to Create IAM User in your AWS Console.
Create an Inline Policy
Attach the following inline permission policy to the IAM User to allow it to assume any IAM Roles:
Obtain the IAM User Credentials
Obtain the AWS access key ID and secret access key for your IAM User by navigating to IAM > Users > [Your User] > Security credentials > Access keys.
Set Up Connection Keys
- Set the access key as DYNAMIC_SECRET_AWS_ACCESS_KEY_ID.
- Set the secret key as DYNAMIC_SECRET_AWS_SECRET_ACCESS_KEY.
Create the Managing User IAM Role for Infisical
-
Navigate to the Create IAM Role page in your AWS Console.
-
Select AWS Account as the Trusted Entity Type.
-
Select Another AWS Account and provide the appropriate Infisical AWS Account ID: use 381492033652 for the US region, and 345594589636 for the EU region. This restricts the role to be assumed only by Infisical. If self-hosting, provide your AWS account number instead.
-
(Recommended) Enable “Require external ID” and input your Project ID to strengthen security and mitigate the confused deputy problem.
-
Assign permission as shared in prerequisite.
When configuring an IAM Role that Infisical will assume, it’s highly recommended to enable the “Require external ID” option and specify your Project ID.
This precaution helps protect your AWS account against the confused deputy problem, a potential security vulnerability where Infisical could be tricked into performing actions on your behalf by an unauthorized actor.
Copy the AWS IAM Role ARN
Secret Overview Dashboard
Navigate to the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret to.
Click on the 'Add Dynamic Secret' button
Select AWS IAM
Provide the inputs for dynamic secret parameters
Name by which you want the secret to be referenced
Default time-to-live for a generated secret (it is possible to modify this value after a secret is generated)
Maximum time-to-live for a generated secret
Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
Allowed template variables are
{{randomUsername}}
: Random username string{{unixTimestamp}}
: Current Unix timestamp{{identity.name}}
: Name of the identity that is generating the secret{{random N}}
: Random string of N characters
Allowed template functions are
truncate
: Truncates a string to a specified lengthreplace
: Replaces a substring with another value
Examples:
Tags to be added to the created IAM User resource.
Select Assume Role method.
The ARN of the AWS Role to assume.
IAM AWS Path to scope created IAM User resource access.
The AWS data center region.
The IAM Policy ARN of the AWS Permissions Boundary to attach to IAM users created in the role.
The AWS IAM groups that should be assigned to the created users. Multiple values can be provided by separating them with commas
The AWS IAM managed policies that should be attached to the created users. Multiple values can be provided by separating them with commas
The AWS IAM inline policy that should be attached to the created users. Multiple values can be provided by separating them with commas
Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
Allowed template variables are
{{randomUsername}}
: Random username string{{unixTimestamp}}
: Current Unix timestamp
Click 'Submit'
After submitting the form, you will see a dynamic secret created in the dashboard.
Generate dynamic secrets
Once you’ve successfully configured the dynamic secret, you’re ready to generate on-demand credentials. To do this, simply click on the ‘Generate’ button which appears when hovering over the dynamic secret item. Alternatively, you can initiate the creation of a new lease by selecting ‘New Lease’ from the dynamic secret lease list section.
When generating these secrets, it’s important to specify a Time-to-Live (TTL) duration. This will dictate how long the credentials are valid for.
Ensure that the TTL for the lease falls within the maximum TTL defined when configuring the dynamic secret in step 4.
Once you click the Submit
button, a new secret lease will be generated and the credentials for it will be shown to you.
Infisical will assume the provided role in your AWS account securely, without the need to share any credentials.
Self-Hosted Instance
Self-Hosted Instance
To connect your self-hosted Infisical instance with AWS, you need to set up an AWS IAM User account that can assume the configured AWS IAM Role.
If your instance is deployed on AWS, the aws-sdk will automatically retrieve the credentials. Ensure that you assign the provided permission policy to your deployed instance, such as ECS or EC2.
The following steps are for instances not deployed on AWS:
Create an IAM User
Navigate to Create IAM User in your AWS Console.
Create an Inline Policy
Attach the following inline permission policy to the IAM User to allow it to assume any IAM Roles:
Obtain the IAM User Credentials
Obtain the AWS access key ID and secret access key for your IAM User by navigating to IAM > Users > [Your User] > Security credentials > Access keys.
Set Up Connection Keys
- Set the access key as DYNAMIC_SECRET_AWS_ACCESS_KEY_ID.
- Set the secret key as DYNAMIC_SECRET_AWS_SECRET_ACCESS_KEY.
Create the Managing User IAM Role for Infisical
-
Navigate to the Create IAM Role page in your AWS Console.
-
Select AWS Account as the Trusted Entity Type.
-
Select Another AWS Account and provide the appropriate Infisical AWS Account ID: use 381492033652 for the US region, and 345594589636 for the EU region. This restricts the role to be assumed only by Infisical. If self-hosting, provide your AWS account number instead.
-
(Recommended) Enable “Require external ID” and input your Project ID to strengthen security and mitigate the confused deputy problem.
-
Assign permission as shared in prerequisite.
When configuring an IAM Role that Infisical will assume, it’s highly recommended to enable the “Require external ID” option and specify your Project ID.
This precaution helps protect your AWS account against the confused deputy problem, a potential security vulnerability where Infisical could be tricked into performing actions on your behalf by an unauthorized actor.
Copy the AWS IAM Role ARN
Secret Overview Dashboard
Navigate to the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret to.
Click on the 'Add Dynamic Secret' button
Select AWS IAM
Provide the inputs for dynamic secret parameters
Name by which you want the secret to be referenced
Default time-to-live for a generated secret (it is possible to modify this value after a secret is generated)
Maximum time-to-live for a generated secret
Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
Allowed template variables are
{{randomUsername}}
: Random username string{{unixTimestamp}}
: Current Unix timestamp{{identity.name}}
: Name of the identity that is generating the secret{{random N}}
: Random string of N characters
Allowed template functions are
truncate
: Truncates a string to a specified lengthreplace
: Replaces a substring with another value
Examples:
Tags to be added to the created IAM User resource.
Select Assume Role method.
The ARN of the AWS Role to assume.
IAM AWS Path to scope created IAM User resource access.
The AWS data center region.
The IAM Policy ARN of the AWS Permissions Boundary to attach to IAM users created in the role.
The AWS IAM groups that should be assigned to the created users. Multiple values can be provided by separating them with commas
The AWS IAM managed policies that should be attached to the created users. Multiple values can be provided by separating them with commas
The AWS IAM inline policy that should be attached to the created users. Multiple values can be provided by separating them with commas
Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
Allowed template variables are
{{randomUsername}}
: Random username string{{unixTimestamp}}
: Current Unix timestamp
Click 'Submit'
After submitting the form, you will see a dynamic secret created in the dashboard.
Generate dynamic secrets
Once you’ve successfully configured the dynamic secret, you’re ready to generate on-demand credentials. To do this, simply click on the ‘Generate’ button which appears when hovering over the dynamic secret item. Alternatively, you can initiate the creation of a new lease by selecting ‘New Lease’ from the dynamic secret lease list section.
When generating these secrets, it’s important to specify a Time-to-Live (TTL) duration. This will dictate how long the credentials are valid for.
Ensure that the TTL for the lease falls within the maximum TTL defined when configuring the dynamic secret in step 4.
Once you click the Submit
button, a new secret lease will be generated and the credentials for it will be shown to you.
This method is recommended for self-hosted Infisical instances running on AWS EKS. It uses IAM Roles for Service Accounts (IRSA) to securely grant permissions to the Infisical pods without managing static credentials.
In order to use IRSA, the KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN
environment variable must be set to true
for your self-hosted Infisical instance.
Create an IAM OIDC provider for your cluster
If you don’t already have one, you need to create an IAM OIDC provider for your EKS cluster. This allows IAM to trust authentication tokens from your Kubernetes cluster.
- Find your cluster’s OIDC provider URL from the EKS console or by using the AWS CLI:
aws eks describe-cluster --name <your-cluster-name> --query "cluster.identity.oidc.issuer" --output text
- Navigate to the IAM Identity Providers page in your AWS Console and create a new OpenID Connect provider with the URL and
sts.amazonaws.com
as the audience.
Create the Managing User IAM Role for Infisical
- Navigate to the Create IAM Role page in your AWS Console.
- Select Web identity as the Trusted Entity Type.
- Choose the OIDC provider you created in the previous step.
- For the Audience, select
sts.amazonaws.com
. - Attach the permission policy detailed in the Prerequisite section at the top of this page.
- After creating the role, edit its Trust relationship to specify the service account Infisical is using in your cluster. This ensures only the Infisical pod can assume this role.
Replace <ACCOUNT_ID>
, <REGION>
, <OIDC_ID>
, <K8S_NAMESPACE>
, and <INFISICAL_SERVICE_ACCOUNT_NAME>
with your specific values.
Annotate the Infisical Kubernetes Service Account
For the IRSA mechanism to work, the Infisical service account in your Kubernetes cluster must be annotated with the ARN of the IAM role you just created.
Run the following command, replacing the placeholders with your values:
This annotation tells the EKS Pod Identity Webhook to inject the necessary environment variables and tokens into the Infisical pod, allowing it to assume the specified IAM role.
Secret Overview Dashboard
Navigate to the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret to.
Click on the 'Add Dynamic Secret' button
Select AWS IAM
Provide the inputs for dynamic secret parameters
Name by which you want the secret to be referenced
Default time-to-live for a generated secret (it is possible to modify this value after a secret is generated)
Maximum time-to-live for a generated secret
Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
Allowed template variables are
{{randomUsername}}
: Random username string{{unixTimestamp}}
: Current Unix timestamp{{identity.name}}
: Name of the identity that is generating the secret{{random N}}
: Random string of N characters
Allowed template functions are
truncate
: Truncates a string to a specified lengthreplace
: Replaces a substring with another value
Examples:
Tags to be added to the created IAM User resource.
Select IRSA method.
The ARN of the AWS IAM Role for the service account to assume.
IAM AWS Path to scope created IAM User resource access.
The AWS data center region.
The IAM Policy ARN of the AWS Permissions Boundary to attach to IAM users created in the role.
The AWS IAM groups that should be assigned to the created users. Multiple values can be provided by separating them with commas
The AWS IAM managed policies that should be attached to the created users. Multiple values can be provided by separating them with commas
The AWS IAM inline policy that should be attached to the created users. Multiple values can be provided by separating them with commas
Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
Allowed template variables are
{{randomUsername}}
: Random username string{{unixTimestamp}}
: Current Unix timestamp
Click 'Submit'
After submitting the form, you will see a dynamic secret created in the dashboard.
Generate dynamic secrets
Once you’ve successfully configured the dynamic secret, you’re ready to generate on-demand credentials. To do this, simply click on the ‘Generate’ button which appears when hovering over the dynamic secret item. Alternatively, you can initiate the creation of a new lease by selecting ‘New Lease’ from the dynamic secret lease list section.
When generating these secrets, it’s important to specify a Time-to-Live (TTL) duration. This will dictate how long the credentials are valid for.
Ensure that the TTL for the lease falls within the maximum TTL defined when configuring the dynamic secret in step 4.
Once you click the Submit
button, a new secret lease will be generated and the credentials for it will be shown to you.
Infisical will use the provided Access Key ID and Secret Key to connect to your AWS instance.
Secret Overview Dashboard
Navigate to the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret to.
Click on the 'Add Dynamic Secret' button
Select AWS IAM
Provide the inputs for dynamic secret parameters
Name by which you want the secret to be referenced
Default time-to-live for a generated secret (it is possible to modify this value after a secret is generated)
Maximum time-to-live for a generated secret
Select Access Key method.
The managing AWS IAM User Access Key
The managing AWS IAM User Secret Key
IAM AWS Path to scope created IAM User resource access.
The AWS data center region.
The IAM Policy ARN of the AWS Permissions Boundary to attach to IAM users created in the role.
The AWS IAM groups that should be assigned to the created users. Multiple values can be provided by separating them with commas
The AWS IAM managed policies that should be attached to the created users. Multiple values can be provided by separating them with commas
The AWS IAM inline policy that should be attached to the created users. Multiple values can be provided by separating them with commas
Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
Allowed template variables are
{{randomUsername}}
: Random username string{{unixTimestamp}}
: Current Unix timestamp
Tags to be added to the created IAM User resource.
Click 'Submit'
After submitting the form, you will see a dynamic secret created in the dashboard.
Generate dynamic secrets
Once you’ve successfully configured the dynamic secret, you’re ready to generate on-demand credentials. To do this, simply click on the ‘Generate’ button which appears when hovering over the dynamic secret item. Alternatively, you can initiate the creation of a new lease by selecting ‘New Lease’ from the dynamic secret lease list section.
When generating these secrets, it’s important to specify a Time-to-Live (TTL) duration. This will dictate how long the credentials are valid for.
Ensure that the TTL for the lease falls within the maximum TTL defined when configuring the dynamic secret in step 4.
Once you click the Submit
button, a new secret lease will be generated and the credentials for it will be shown to you.
Audit or Revoke Leases
Once you have created one or more leases, you will be able to access them by clicking on the respective dynamic secret item on the dashboard. This will allow you to see the lease details and delete the lease ahead of its expiration time.
Renew Leases
To extend the life of the generated dynamic secret lease past its initial time to live, simply click on the Renew button as illustrated below.
Lease renewals cannot exceed the maximum TTL set when configuring the dynamic secret