Sunday, 29 June 2025

Terraform - Vault integration

✅ 1. Store AWS credentials in Vault


vault kv put secret/aws access_key="AKIAxxxxxxxxxxxx" secret_key="xxxxxxxxxxxxxxxx"

This stores the two values (access_key and secret_key) at the path secret/aws in the KV secrets engine mounted at secret; the placeholder values above are replaced with your real credentials.


📁 2. Terraform Files

📄 variables.tf


variable "vault_address" {
  description = "Vault server address"
  type        = string
  default     = "http://127.0.0.1:8200"
}

🗂 main.tf


provider "vault" {
  address = var.vault_address
}

# Read the secret from Vault (KV v2 engine mounted at "secret", key "aws")
data "vault_kv_secret_v2" "aws" {
  mount = "secret"
  name  = "aws"
}

# Use the secrets in the AWS provider
provider "aws" {
  region     = "us-east-1"
  access_key = data.vault_kv_secret_v2.aws.data["access_key"]
  secret_key = data.vault_kv_secret_v2.aws.data["secret_key"]
}

# Example resource created with those credentials
resource "aws_s3_bucket" "example" {
  bucket = "vault-terraform-s3-demo-${random_id.suffix.hex}"

  tags = {
    Name = "Vault Demo Bucket"
  }
}

# Random suffix so the bucket name is globally unique
resource "random_id" "suffix" {
  byte_length = 4
}

📤 outputs.tf

output "bucket_name" {
  value = aws_s3_bucket.example.bucket
}

🛠️ 3. Environment Setup

Before running Terraform, export the Vault address and a Vault token that is allowed to read secret/aws (the vault provider picks both up from the environment):

export VAULT_ADDR="http://127.0.0.1:8200"
export VAULT_TOKEN="your-root-or-app-role-token"

🚀 4. Run Terraform


terraform init
terraform apply

It will:

  • Read AWS credentials from Vault

  • Use those credentials to authenticate with AWS

  • Create an S3 bucket using the credentials read from Vault
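One caveat with this pattern: a data source such as vault_kv_secret_v2 copies the secret's plaintext into the Terraform state, so the state file needs the same protection as Vault itself (encrypted remote backend, restricted access). The script below is an added example, not part of the original post: it walks the JSON that `terraform show -json` produces (a constructed sample is embedded here) and reports, for every Vault KV data source, how many times each secret value is persisted in the state.

```python
import json
import sys

# Constructed sample of `terraform show -json` output for the configuration above.
# The credential values are fake placeholders, not real keys.
SAMPLE_STATE = {
    "format_version": "1.0",
    "values": {"root_module": {"resources": [
        {
            "address": "data.vault_kv_secret_v2.aws",
            "mode": "data", "type": "vault_kv_secret_v2", "name": "aws",
            "values": {
                "mount": "secret", "name": "aws",
                "data": {"access_key": "AKIAEXAMPLE000000", "secret_key": "EXAMPLEsecretKEY"},
                "data_json": "{\"access_key\":\"AKIAEXAMPLE000000\",\"secret_key\":\"EXAMPLEsecretKEY\"}",
            },
        },
        {
            "address": "aws_s3_bucket.example",
            "mode": "managed", "type": "aws_s3_bucket", "name": "example",
            "values": {"bucket": "vault-terraform-s3-demo-1a2b3c4d", "tags": {"Name": "Vault Demo Bucket"}},
        },
    ]}},
}


def walk_resources(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk_resources(child)


def report_vault_secrets_in_state(state):
    """For each vault_kv_secret_v2 data source, report every key in its `data` map
    and how many times that plaintext value occurs anywhere in the serialized state
    (the `data` map and the `data_json` string each hold a copy)."""
    raw = json.dumps(state)
    report = []
    for res in walk_resources(state["values"]["root_module"]):
        if res.get("mode") != "data" or res.get("type") != "vault_kv_secret_v2":
            continue
        for key, value in (res.get("values", {}).get("data") or {}).items():
            report.append({"address": res["address"], "key": key,
                           "occurrences": raw.count(str(value))})
    return report


if __name__ == "__main__":
    # Pipe real output in with: terraform show -json | python3 check_state.py
    state = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_STATE
    for entry in report_vault_secrets_in_state(state):
        print(f"{entry['address']} key={entry['key']} stored {entry['occurrences']}x in state")
```

Any non-zero count means the credential is readable by whoever can read the state file or the backend it lives in.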
