The Infisical AWS IAM dynamic secret allows you to generate AWS IAM Users and temporary credentials on demand based on a configured AWS policy. Infisical supports several authentication methods to connect to your AWS account, including assuming an IAM Role, using IAM Roles for Service Accounts (IRSA) on EKS, or static Access Keys.

AWS STS Duration Limits

When using the Temporary Credentials mode, AWS STS enforces a maximum session duration that depends on how Infisical authenticates to AWS:
  • AssumeRole: maximum 1 hour (3600 seconds) when Infisical itself authenticates with temporary credentials, because AWS treats this as role chaining
  • GetSessionToken (Access Key and IRSA authentication): maximum 12 hours (43200 seconds)
Automatic Duration Adjustment: if the TTL you configure exceeds these limits, Infisical does not fail the operation; it silently uses the maximum duration AWS allows. The lease you get can therefore be shorter than the TTL you configured, so keep the TTL within the limit for your authentication method if you rely on the configured lifetime.

Prerequisite

Infisical needs an AWS IAM principal (a user or a role) with the required permissions to create and manage other IAM users and temporary credentials. This principal will be responsible for the lifecycle of the dynamically generated users and temporary credentials.
The dynamic secret works in one of two modes: IAM User (Infisical creates an IAM user with an access key for each lease and deletes it when the lease ends) or Temporary Credentials (short-lived STS credentials, subject to the duration limits above).
Required permissions for the IAM User mode, which creates and later deletes temporary IAM users:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachUserPolicy",
        "iam:CreateAccessKey",
        "iam:CreateUser",
        "iam:DeleteAccessKey",
        "iam:DeleteUser",
        "iam:DeleteUserPolicy",
        "iam:DetachUserPolicy",
        "iam:GetUser",
        "iam:ListAccessKeys",
        "iam:ListAttachedUserPolicies",
        "iam:ListGroupsForUser",
        "iam:ListUserPolicies",
        "iam:PutUserPolicy",
        "iam:AddUserToGroup",
        "iam:RemoveUserFromGroup",
        "iam:TagUser"
      ],
      "Resource": ["*"]
    }
  ]
}
To limit what this principal can touch, replace "*" in Resource with an ARN restricted to an IAM path:
arn:aws:iam::<account-id>:user/<aws-scope-path>/*
Replace <account-id> with your AWS account ID and <aws-scope-path> with the path under which the dynamically created users will live. The trailing wildcard is required because an IAM user ARN carries the user name after the path; with this Resource the principal can create, modify and delete users only beneath that path and cannot reach existing users elsewhere in the account.

Set up Dynamic Secrets with AWS IAM

Audit or Revoke Leases

Once you have created one or more leases, you can access them by clicking on the respective dynamic secret item on the dashboard. From there you can see the lease details and revoke a lease ahead of its expiration time, which removes the IAM user or credentials generated for it.

Renew Leases

To extend the life of a generated dynamic secret lease past its initial time to live, click the Renew button on the lease.
Lease renewals cannot exceed the maximum TTL set when configuring the dynamic secret
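The following Python is an added example, not Infisical's own code, that models the behaviour described on this page: the STS duration clamp for Temporary Credentials, an IAM User lease provisioned under the scoped path, renewal capped at the dynamic secret's maximum TTL, and revocation that tears the user down in the order the permission list above implies (access keys, managed policies, inline policies and group memberships must be gone before DeleteUser succeeds). It runs against a hand-written in-memory fake of the IAM client so it executes offline; FakeIAM, Lease, LeaseManager, the "/infisical/" path and the policy ARN are hypothetical names chosen for the example.

```python
import secrets
from dataclasses import dataclass

# STS caps quoted on the page; 900 s is the STS minimum DurationSeconds.
STS_MAX = {"assume-role": 3600, "access-key": 43200, "irsa": 43200}
STS_MIN = 900


def effective_duration(auth_method: str, requested_ttl: int) -> int:
    """Temporary Credentials mode: clamp into AWS's window instead of failing."""
    return max(STS_MIN, min(requested_ttl, STS_MAX[auth_method]))


class FakeIAM:
    """In-memory stand-in for boto3's IAM client (constructed for this example).
    The one IAM rule it models is the one that dictates cleanup order:
    DeleteUser fails with DeleteConflict while keys, policies or groups remain."""

    def __init__(self):
        self.users = {}

    def create_user(self, UserName, Path="/", Tags=()):
        self.users[UserName] = dict(path=Path, keys=[], managed=[], inline={}, groups=[], tags=list(Tags))

    def create_access_key(self, UserName):
        key_id = "AKIA" + secrets.token_hex(8).upper()
        self.users[UserName]["keys"].append(key_id)
        return {"AccessKey": {"AccessKeyId": key_id, "SecretAccessKey": secrets.token_urlsafe(30)}}

    def attach_user_policy(self, UserName, PolicyArn): self.users[UserName]["managed"].append(PolicyArn)
    def put_user_policy(self, UserName, PolicyName, PolicyDocument): self.users[UserName]["inline"][PolicyName] = PolicyDocument
    def add_user_to_group(self, UserName, GroupName): self.users[UserName]["groups"].append(GroupName)
    def list_access_keys(self, UserName): return {"AccessKeyMetadata": [{"AccessKeyId": k} for k in self.users[UserName]["keys"]]}
    def list_attached_user_policies(self, UserName): return {"AttachedPolicies": [{"PolicyArn": a} for a in self.users[UserName]["managed"]]}
    def list_user_policies(self, UserName): return {"PolicyNames": list(self.users[UserName]["inline"])}
    def list_groups_for_user(self, UserName): return {"Groups": [{"GroupName": g} for g in self.users[UserName]["groups"]]}
    def delete_access_key(self, UserName, AccessKeyId): self.users[UserName]["keys"].remove(AccessKeyId)
    def detach_user_policy(self, UserName, PolicyArn): self.users[UserName]["managed"].remove(PolicyArn)
    def delete_user_policy(self, UserName, PolicyName): del self.users[UserName]["inline"][PolicyName]
    def remove_user_from_group(self, UserName, GroupName): self.users[UserName]["groups"].remove(GroupName)

    def delete_user(self, UserName):
        u = self.users[UserName]
        if u["keys"] or u["managed"] or u["inline"] or u["groups"]:
            raise RuntimeError("DeleteConflict: user still has attached resources")
        del self.users[UserName]


@dataclass
class Lease:
    user_name: str
    access_key_id: str
    secret_access_key: str
    expires_at: int      # unix seconds
    max_expires_at: int  # created_at + the dynamic secret's max TTL; renewals never pass it


class LeaseManager:
    """IAM User mode: provision, renew and revoke leases under one IAM path."""

    def __init__(self, iam, policy_arn, path="/infisical/", max_ttl=43200):
        self.iam, self.policy_arn, self.path, self.max_ttl = iam, policy_arn, path, max_ttl

    def provision(self, requested_ttl, now):
        ttl = min(requested_ttl, self.max_ttl)
        name = "infisical-" + secrets.token_hex(6)
        # Users live under the scoped path so the path-restricted Resource ARN matches them.
        self.iam.create_user(UserName=name, Path=self.path, Tags=[{"Key": "managed-by", "Value": "infisical"}])
        self.iam.attach_user_policy(UserName=name, PolicyArn=self.policy_arn)
        key = self.iam.create_access_key(UserName=name)["AccessKey"]
        return Lease(name, key["AccessKeyId"], key["SecretAccessKey"], now + ttl, now + self.max_ttl)

    def renew(self, lease, extra_seconds, now):
        """Extend the lease, but never past the dynamic secret's max TTL."""
        lease.expires_at = min(max(lease.expires_at, now) + extra_seconds, lease.max_expires_at)
        return lease

    def revoke(self, lease):
        """Tear down in the order IAM requires; every call maps to a permission on the page."""
        iam, name = self.iam, lease.user_name
        for k in iam.list_access_keys(UserName=name)["AccessKeyMetadata"]:
            iam.delete_access_key(UserName=name, AccessKeyId=k["AccessKeyId"])
        for p in iam.list_attached_user_policies(UserName=name)["AttachedPolicies"]:
            iam.detach_user_policy(UserName=name, PolicyArn=p["PolicyArn"])
        for p in iam.list_user_policies(UserName=name)["PolicyNames"]:
            iam.delete_user_policy(UserName=name, PolicyName=p)
        for g in iam.list_groups_for_user(UserName=name)["Groups"]:
            iam.remove_user_from_group(UserName=name, GroupName=g["GroupName"])
        iam.delete_user(UserName=name)
        return name not in iam.users
```

Swapping FakeIAM for `boto3.client("iam")` keeps the same call shapes; the point of the fake is that a revoke which skips any of the cleanup steps is rejected, which is why the prerequisite policy needs the List*, Delete*, Detach* and RemoveUserFromGroup actions and not just DeleteUser.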