AWS IAM User

To begin, create an IAM user whose credentials you wish to rotate. If you already have an IAM user, then you can skip this step.

Next, create another IAM user to be used by Infisical to rotate the credentials of the IAM user in the previous step.

2.1. In your AWS console, head to IAM > Access management > Users and press Create user.

2.2. Next, give the user a username like infisical-rotation-manager and press Next.

2.3. Next, in the Set permissions step, select Attach policies directly and then press Create policy.

2.4. Next, in the Policy editor, paste the following JSON and press Next:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "VisualEditor0",
			"Effect": "Allow",
			"Action": [
			"iam:DeleteAccessKey",
			"iam:GetAccessKeyLastUsed",
			"iam:CreateAccessKey"
			],
			"Resource": "*"
		}
	]
}

In the Review and create step, give the policy a name like infisical-rotation-manager, press Create policy to finish creating the policy.

2.5. Back in the Set permissions step from step 2.3, refresh the policy list and search for the policy you just created from step 2.4.

Select the policy and press Next.

In the Review and create step, press Create user to finish creating the IAM user.

2.5. Having created the user, head to its Security credentials > Access keys and press Create access key.

Follow the subsequent steps to create the access key and secret access key credential pair for the user.

At the end of the flow, copy the Access key and Secret access key to use when configuring the AWS IAM User rotation strategy back in Infisical next.

3.1. Back in Infisical, head to the Project > Secrets > Environment and path where you want the rotated AWS IAM credentials to appear and create two placeholder secrets.

In this example, we’ll create two secrets called AWS_ACCESS_KEY and AWS_SECRET_ACCESS_KEY.

3.2. Next, in the Secret Rotation tab, press on the AWS IAM tile to configure the AWS IAM User rotation strategy.

3.3. Input the configuration details for the AWS IAM User rotation strategy obtained from steps 1 and 2:

Here’s some guidance on each field:

• Manager User Access Key: The managing IAM user’s access key from step 2.5.
• Manager User Secret Key: The managing IAM user’s secret access key from step 2.5.
• Manager User AWS Region: The AWS region for Infisical to make requests to such as us-east-1.
• IAM Username: The IAM username of the user from step 1.

Next, specify the output secret mappings configuration for the rotated AWS IAM credentials; this is the secrets whose values will be replaced with new credentials after each rotation. Here, you can also specify a rotation interval for the credentials to be automatically rotated periodically.

In this example, we want to map the output of the rotated AWS IAM credentials to the secrets that we created in step 3.1 (i.e. AWS_ACCESS_KEY and AWS_SECRET_ACCESS_KEY).

Finally, press Submit to create the secret rotation strategy.

You should now see the AWS IAM User rotation strategy listed in the Secret Rotation tab.

To manually trigger a rotation, you can press the Rotate button on the strategy. Once triggered, the secrets in step 3.1 should be updated with new rotated credential values.