The Infisical AWS IAM dynamic secret allows you to generate AWS IAM Users on demand based on configured AWS policy.

Prerequisite

Infisical needs an initial AWS IAM user with the required permissions to create sub IAM users. This IAM user will be responsible for managing the lifecycle of new IAM users.

Set up Dynamic Secrets with AWS IAM

1

Secret Overview Dashboard

Navigate to the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret to.

2

Click on the 'Add Dynamic Secret' button

3

Select AWS IAM

4

Provide the inputs for dynamic secret parameters

Secret Name
string
required

Name by which you want the secret to be referenced

Default TTL
string
required

Default time-to-live for a generated secret (it is possible to modify this value when a secret is generate)

Max TTL
string
required

Maximum time-to-live for a generated secret

AWS Access Key
string
required

The managing AWS IAM User Access Key

AWS Secret Key
string
required

The managing AWS IAM User Secret Key

AWS IAM Path
string

IAM AWS Path to scope created IAM User resource access.

AWS Region
string
required

The AWS data center region.

IAM User Permission Boundary
string
required

The IAM Policy ARN of the AWS Permissions Boundary to attach to IAM users created in the role.

AWS IAM Groups
string

The AWS IAM groups that should be assigned to the created users. Multiple values can be provided by separating them with commas

AWS Policy ARNs
string

The AWS IAM managed policies that should be attached to the created users. Multiple values can be provided by separating them with commas

AWS IAM Policy Document
string

The AWS IAM inline policy that should be attached to the created users. Multiple values can be provided by separating them with commas

5

Click 'Submit'

After submitting the form, you will see a dynamic secret created in the dashboard.

6

Generate dynamic secrets

Once you’ve successfully configured the dynamic secret, you’re ready to generate on-demand credentials. To do this, simply click on the ‘Generate’ button which appears when hovering over the dynamic secret item. Alternatively, you can initiate the creation of a new lease by selecting ‘New Lease’ from the dynamic secret lease list section.

When generating these secrets, it’s important to specify a Time-to-Live (TTL) duration. This will dictate how long the credentials are valid for.

Ensure that the TTL for the lease fall within the maximum TTL defined when configuring the dynamic secret in step 4.

Once you click the Submit button, a new secret lease will be generated and the credentials for it will be shown to you.

Audit or Revoke Leases

Once you have created one or more leases, you will be able to access them by clicking on the respective dynamic secret item on the dashboard. This will allow you see the lease details and delete the lease ahead of its expiration time.

Renew Leases

To extend the life of the generated dynamic secret lease past its initial time to live, simply click on the Renew as illustrated below.

Lease renewals cannot exceed the maximum TTL set when configuring the dynamic secret

Was this page helpful?