Using Vault to Generate Dynamic IAM Users in AWS with Cloud Playground
Share on facebook
Share on twitter
Share on linkedin

Using Vault to generate dynamic IAM users in AWS with Cloud Playground

Christophe Limpalair
Christophe Limpalair
In today’s technology landscape, securely storing and controlling things like passwords, certificates, tokens, and encryption keys, is a necessary, but complicated challenge.
To help with this challenge, a number of different tools and technologies have been developed. Here you’re going to learn about an open source tool called Vault, which was developed by HashiCorp.
Vault manages secrets and protects sensitive data by providing a central location to store, access, and distribute secrets such as API keys, AWS IAM/STS credentials, SQL/NoSQL databases, certificates, Vault SSH credentials, and more — all through a user interface, CLI, or HTTP API.
In this tutorial, we’re going to show you how to install Vault on a development CentOS 7 server hosted by Linux Academy. We’re going to use that installation to generate dynamic AWS IAM users and policies in a sandbox AWS environment, also hosted by Linux Academy, through the Cloud Playground.
All of this will be done at no additional cost to you, with a paid Linux Academy membership. If you don’t have a paid membership, you can sign up for our 7 day free trial to continue the walk-through, and check out lots of other cool features.
Let’s get building! Follow along using the video tutorial, and steps below:

Launch a CentOS 7 server

First things first, let’s launch a CentOS 7 server from the Cloud Playground.
Click on “Playground” from the main navigation bar.
Click on “New Server” or follow along with the in-browser walkthrough.
Select CentOS 7 as the distribution.
Select the Zone as North America.
For the size, let’s do small, which will be more than enough for what we’re doing. A micro would be big enough for this tutorial, but small gives space to continue beyond this tutorial, and we know you’ll be unstoppable after this.
For the tag, name this Server-Vault.
Don’t be shy, go ahead and create the server!
You’ll need to wait a few minutes for the server to finish getting ready, they can be temperamental. You’ll know it’s set when it turns green and displays “Ready.”
Now, you can click on the server, which will expand and show you a lot more information. Scroll down until you see the green “Terminal” button, and click on it.
This will open an in-browser terminal for you to access to the server.
Go back to the Cloud Playground window, and look for the Credentials:
Keep in mind that your temporary password will be different than the one pictured above, so copy directly from your screen, and paste into the in-browser terminal window.
Note: Even though you don’t see it on the screen, keystrokes are being registered when you type in your password. It’s not visible for extra security measures, because that way you can’t see the letters or the length of the password being typed. So again, don’t worry if you’re typing your password and nothing appears to be happening — we promise it’s registering those keystrokes!
Once you log in, you will immediately be asked to change your password. Enter the current password (the one you just entered from the “Temp. Password.”), and then enter the new password. Confirm a second time, and you’re set. Phew.
That’s it! You’ve created your own custom password which you will use to login and access admin privileges on this server going forward. Don’t forget this password! If you do forget, you’ll have to delete this server and start over.

Install Vault on CentOS 7

Now that we’ve got our CentOS 7 server up and running, it’s time to install Vault so we can use it.
Copy and paste the command below:
This will download the Vault ZIP archive to your server, which we then have to unzip, and we can do this with a tool, appropriately called, unzip.  To get unzip, run this command:
sudo yum install unzip -y
Now that you’ve installed unzip, let’s use it:
To make Vault run from anywhere on the server, we’re going to move it to this directory:
sudo mv vault /usr/local/bin
We can now run this command and it will spin up our server!
vault server -dev
Once it has spun up our development Vault server, scroll back up until you see yellow text that reads:
Unseal Key: Tfp8uS3OL0juI+j4BKMJUXC7Zr67c12E4wEgLxIzebw=
Root Token: s.aaHRwSum4d6uhjlrr4i68fNJ
Copy and paste the key and token in a text document for later use. If this were not a development server, we’d want to securely store these two keys.
Now, copy the line that looks like this (excluding the $):
export VAULT_ADDR=''
Go back to the Cloud Playground window and open another terminal by clicking the green “Terminal” button again. We need an additional terminal because Vault server is occupying our first terminal window, and we need to be able to run more commands. 
More terminals, more power.
With the other terminal window opened, type these commands, replacing it with your token ID.
export VAULT_ADDR=''export VAULT_DEV_ROOT_TOKEN_ID="s.j45cq6VMzsVy5mxRBO3uS1mt"
Those two commands will provide Vault server with variables it needs to run properly.

Configure Vault and your AWS credentials

Vault has what it calls Secrets Engines. These engines let us specify what we want to do. For example, since this tutorial is generating users and policies for AWS IAM, we want to use the AWS Secrets Engine:

vault secrets enable aws
Now that Vault knows we’re working with AWS, we need to provide it with an environment and credentials to make calls against.
To complete this step, you can use your own AWS environment, or you can go back to the Cloud Playground and click on the “Cloud Sandboxes” tab which will let you launch an AWS environment for free, managed entirely by Linux Academy. This way you don’t have to worry about costs or security vulnerabilities, or cleaning up any resources you’ve created. We take care of everything for you, because we really like you.
Go ahead and “Start AWS Sandbox Access” and within a second or two, you will be provided with login credentials.
Using these credentials and the instructions on-screen, you can open the sandbox environment and use the username, password, and URL to log into the AWS console. 
From there, head over to IAM. Look around at the current users and policies in the environment. This is where our new users and policies will appear once we’ve generated them through Vault.
Back in the Cloud Sandboxes window, you’ll be provided with an Access Key Id and a Secret Access Key. Copy and paste those into the following command, replacing the example keys shown, with what you are given:
vault write aws/config/root
Copy and paste the command above into your Vault terminal window, and you’ll receive a success message:
Success! Now that we’ve told Vault which credentials to use in order to make calls to AWS on our behalf, let’s create our first user!

Generating our first AWS User and Policy with Vault

Copy and paste the following command into the Vault terminal window, and press enter:
vault write aws/roles/my-role
      "Version": "2012-10-17",
      "Statement": [
          "Effect": "Allow",
          "Action": "ec2:*",
          "Resource": "*"
You should see another success message letting you know that the data was written to aws/roles/my-role
In order to create the user, we now have to read the data:
vault read aws/creds/my-role
Notice that we saved the data to aws/roles/my-role, and we’re reading it from aws/creds/my-role
If you go back to your AWS IAM console window and refresh the screen (it can take a few seconds), you will now see a brand new user! Who said making new friends was hard?
Clicking on this user, and looking at the policy will show you what we wrote earlier, which grants the user access to all EC2 resources and actions.
We’ve generated our first IAM user and policy! But the party’s just getting started.  

Using Files to Generate Users & Policies

Previously, we typed the entire policy in the CLI command, which is not only messy, it’s not very secure. Depending on which command you’re running, you might require more security and scalability. We can do that by using files to generate our users and policies.
Let’s practice that by creating a new file called policy.json:
vim policy.json
Copy and paste the following in this file (make sure you are in “insert mode” in Vim by typing “i”).
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
    "Resource": "*"
Exit Vim and save the changes to the file by pressing “esc” and then typing “:x” — more on exiting Vim in this article.
Now that we have our policy.json file, we can type in this command:
vault write aws/creds/s3_admin
Instead of the first command we had run which had:
We now input a file name:
Vault will grab that file and automatically inject its contents into the command. The policy is also a bit different this time, just to switch it up. It grants full access to S3 instead of EC2.
Once again, we need to read from our credentials to create the user:
vault read aws/creds/s3_admin
Head back to your AWS IAM console, refresh, and you’ll see our second generated user and its policy


In this tutorial, we looked at how to generate two different users with two different IAM policies, all using Vault. We installed Vault on a CentOS 7 server, and we used a Linux Academy AWS Cloud Sandbox to safely practice. We configured Vault to be able to communicate directly with our AWS environment — and it was all managed by Linux Academy, at no additional cost to you, our favorite user.
Now that we’re done, we can either pause our server (so we can come back to it later), or delete the server if we have no more use for it. We can also shut down our AWS Cloud Sandbox environment if we’re done with it. The next time we launch that AWS environment, we will have a clean slate to start from!
We hope you enjoyed this tutorial, and we’re excited to see what you do next as you continue to Learn By Doing with lots of other cool technologies!


Get more insights, news, and assorted awesomeness around all things cloud learning.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?