feat(aws-iam-rotation): address PR comments

This commit is contained in:
carlosmonastyrski
2025-04-25 11:01:35 -03:00
parent 5819b8c576
commit 57c96abe03
10 changed files with 111 additions and 64 deletions


@@ -25,7 +25,7 @@ const AwsIamUserSecretRotationParametersSchema = z.object({
.trim()
.min(1, "Client Name Required")
.describe(SecretRotations.PARAMETERS.AWS_IAM_USER_SECRET.userName),
region: z.nativeEnum(AWSRegion).describe(SecretRotations.PARAMETERS.AWS_IAM_USER_SECRET.region)
region: z.nativeEnum(AWSRegion).describe(SecretRotations.PARAMETERS.AWS_IAM_USER_SECRET.region).optional()
});
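Review bot: With `region` now `.optional()` on the backend parameters schema (new line 17), a rotation configured with neither a region nor a connection-level global scope is accepted at creation and can only fail later, at rotation time, when the IAM calls need an endpoint. The frontend helper text added elsewhere in this commit says the region is required only when no global scope is set, but that conditional rule is not enforced anywhere visible in this diff. Consider enforcing it where the connection is resolved in the rotation service (outside this hunk): reject the create/update request when `parameters.region` is unset and the resolved AWS connection has no global scope, so the misconfiguration surfaces at save time rather than as a failed scheduled rotation. Also note that `z.nativeEnum(AWSRegion)` rejects an empty string, so clients must omit the key rather than send `""` when no region is chosen.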
const AwsIamUserSecretRotationSecretsMappingSchema = z.object({


@@ -2018,7 +2018,7 @@ export const SecretRotations = {
},
AWS_IAM_USER_SECRET: {
userName: "The name of the client to rotate credentials for.",
region: "The AWS region to rotate credentials for."
region: "The AWS region the client is present in."
}
},
SECRETS_MAPPING: {
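Review bot: The new description `"The AWS region the client is present in."` (new line 28) is misleading for IAM, which is a global service—an IAM user is not located in any region. If I read the rest of this commit correctly, the region is the endpoint used for the rotation's IAM API calls and is only needed when the AWS connection has no global scope, so the text should say that, e.g. `region: "The AWS region to use for the IAM API calls. Required only if the AWS connection has no global scope set."`. Worth confirming against the service code, which is not part of this diff.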


@@ -8,8 +8,8 @@ at a specified interval or on-demand.
## Prerequisites
- Create an [AWS Connection](/integrations/app-connections/aws) with the required **Secret Rotation** audience and permissions
- Add the following permissions to your IAM Role/IAM User Permission policy set used by your AWS Connection:
- Create an [AWS Connection](/integrations/app-connections/aws) with the required **Secret Rotation** permissions
- Make sure to add the following permissions to your IAM Role/IAM User Permission policy set used by your AWS Connection:
```json
{
@@ -21,14 +21,10 @@ at a specified interval or on-demand.
"iam:ListAccessKeys",
"iam:CreateAccessKey",
"iam:UpdateAccessKey",
"iam:DeleteAccessKey"
"iam:DeleteAccessKey",
"iam:ListUsers"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:ListUsers",
"Resource": "*"
}
]
}
@@ -69,11 +65,11 @@ In the following steps, we explore the end-to-end workflow for setting up this s
4. Select the AWS IAM user and the region of the user whose credentials you want to rotate. Then click **Next**.
![Rotation Parameters](/images/secret-rotations-v2/aws-iam-user-secret/aws-iam-user-secret-parameters.png)
5. Specify the secret names that the client credentials should be mapped to. Then click **Next**.
5. Specify the secret names that the AWS IAM access key credentials should be mapped to. Then click **Next**.
![Rotation Secrets Mapping](/images/secret-rotations-v2/aws-iam-user-secret/aws-iam-user-secret-secrets-mapping.png)
- **Client ID** - the name of the secret that the application Client ID will be mapped to.
- **Client Secret** - the name of the secret that the rotated Client Secret will be mapped to.
- **Access Key ID** - the name of the secret that the aws access key ID will be mapped to.
- **Secret Access Key** - the name of the secret that the rotated secret access key will be mapped to.
6. Give your rotation a name and description (optional). Then click **Next**.
![Rotation Details](/images/secret-rotations-v2/aws-iam-user-secret/aws-iam-user-secret-details.png)
@@ -101,12 +97,12 @@ In the following steps, we explore the end-to-end workflow for setting up this s
--url https://us.infisical.com/api/v2/secret-rotations/aws-iam-user-secret \
--header 'Content-Type: application/json' \
--data '{
"name": "<string>",
"projectId": "<string>",
"description": "<string>",
"name": "My AWS rotation",
"projectId": "9602cfc5-20b9-4c35-a056-dd7372db0f25",
"description": "My rotation strategy description",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environment": "<string>",
"secretPath": "<string>",
"environment": "dev",
"secretPath": "/",
"isAutoRotationEnabled": true,
"rotationInterval": 2,
"rotateAtUtc": {
@@ -114,12 +110,12 @@ In the following steps, we explore the end-to-end workflow for setting up this s
"minutes": 29.5
},
"parameters": {
"userName": "<string>",
"userName": "testUser",
"region": "us-east-1"
},
"secretsMapping": {
"accessKeyId": "<string>",
"secretAccessKey": "<string>"
"accessKeyId": "AWS_ACCESS_KEY_ID",
"secretAccessKey": "AWS_SECRET_ACCESS_KEY"
}
}'
```
@@ -130,11 +126,11 @@ In the following steps, we explore the end-to-end workflow for setting up this s
{
"secretRotation": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "<string>",
"description": "<string>",
"name": "My AWS rotation",
"description": "My rotation strategy description",
"secretsMapping": {
"accessKeyId": "<string>",
"secretAccessKey": "<string>"
"accessKeyId": "AWS_ACCESS_KEY_ID",
"secretAccessKey": "AWS_SECRET_ACCESS_KEY"
},
"isAutoRotationEnabled": true,
"activeIndex": 0,
@@ -143,36 +139,36 @@ In the following steps, we explore the end-to-end workflow for setting up this s
"createdAt": "2023-11-07T05:31:56Z",
"updatedAt": "2023-11-07T05:31:56Z",
"rotationInterval": 123,
"rotationStatus": "<string>",
"rotationStatus": "success",
"lastRotationAttemptedAt": "2023-11-07T05:31:56Z",
"lastRotatedAt": "2023-11-07T05:31:56Z",
"lastRotationJobId": "<string>",
"lastRotationJobId": null,
"nextRotationAt": "2023-11-07T05:31:56Z",
"isLastRotationManual": true,
"connection": {
"app": "aws",
"name": "<string>",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
"app": "aws",
"name": "my-aws-connection",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"environment": {
"slug": "<string>",
"name": "<string>",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
"slug": "dev",
"name": "Development",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"projectId": "<string>",
"projectId": "9602cfc5-20b9-4c35-a056-dd7372db0f25",
"folder": {
"id": "<string>",
"path": "<string>"
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"path": "/"
},
"rotateAtUtc": {
"hours": 11.5,
"minutes": 29.5
"hours": 11.5,
"minutes": 29.5
},
"lastRotationMessage": "<string>",
"lastRotationMessage": null,
"type": "aws-iam-user-secret",
"parameters": {
"userName": "<string>",
"region": "us-east-1"
"userName": "testUser",
"region": "us-east-1"
}
}
}
@@ -186,15 +182,10 @@ In the following steps, we explore the end-to-end workflow for setting up this s
<AccordionGroup>
<Accordion title="Why are my AWS IAM credentials not rotating?">
There are a few reasons for why this might happen: - The strategy
configuration is invalid (e.g. the managing IAM user's credentials are
incorrect, the target AWS region is incorrect, etc.). - The managing IAM
user is insufficently permissioned to rotate the credentials of the target
IAM user. For instance, you may have setup
[paths](https://aws.amazon.com/blogs/security/optimize-aws-administration-with-iam-paths/)
for the managing IAM user and the policy does not have the necessary
permissions to rotate the credentials. - The target IAM user already has 2
access keys configured in AWS; you should delete one of the access keys to
allow for rotation.
There are a few reasons for why this might happen:
- The strategy configuration is invalid (e.g. the managing IAM user's credentials are incorrect, the target AWS region is incorrect, etc.)
- The managing IAM user is insufficently permissioned to rotate the credentials of the target IAM user. For instance, you may have setup
[paths](https://aws.amazon.com/blogs/security/optimize-aws-administration-with-iam-paths/) for the managing IAM user and the policy does not have the necessary
permissions to rotate the credentials.
</Accordion>
</AccordionGroup>



@@ -146,6 +146,34 @@ Infisical supports two methods for connecting to AWS.
</Accordion>
</AccordionGroup>
</Tab>
<Tab title="Secret Rotation">
<AccordionGroup>
<Accordion title="AWS IAM">
Use the following custom policy to grant the minimum permissions required by Infisical to rotate secrets to AWS Access Keys:
![IAM Role Secret Rotation Permissions](/images/app-connections/aws/iam-role-secret-rotation-permissions.png)
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:ListAccessKeys",
"iam:CreateAccessKey",
"iam:UpdateAccessKey",
"iam:DeleteAccessKey",
"iam:ListUsers"
],
"Resource": "*"
}
]
}
```
</Accordion>
</AccordionGroup>
</Tab>
</Tabs>
</Step>
@@ -293,6 +321,34 @@ Infisical supports two methods for connecting to AWS.
</Accordion>
</AccordionGroup>
</Tab>
<Tab title="Secret Rotation">
<AccordionGroup>
<Accordion title="AWS IAM">
Use the following custom policy to grant the minimum permissions required by Infisical to rotate secrets to AWS Access Keys:
![IAM Role Secret Rotation Permissions](/images/app-connections/aws/iam-role-secret-rotation-permissions.png)
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:ListAccessKeys",
"iam:CreateAccessKey",
"iam:UpdateAccessKey",
"iam:DeleteAccessKey",
"iam:ListUsers"
],
"Resource": "*"
}
]
}
```
</Accordion>
</AccordionGroup>
</Tab>
</Tabs>
</Step>
<Step title="Obtain Access Key ID and Secret Access Key">


@@ -179,9 +179,9 @@
"pages": [
"documentation/platform/secret-rotation/overview",
"documentation/platform/secret-rotation/auth0-client-secret",
"documentation/platform/secret-rotation/aws-iam-user-secret",
"documentation/platform/secret-rotation/postgres-credentials",
"documentation/platform/secret-rotation/mssql-credentials",
"documentation/platform/secret-rotation/aws-iam"
"documentation/platform/secret-rotation/mssql-credentials"
]
},
{


@@ -35,12 +35,7 @@ export const AwsIamUserSecretRotationParametersFields = () => {
helperText={
<Tooltip
className="max-w-md"
content={
<>
Ensure that your connection has the correct permissions and the IAM user exists
in the connection&#39;s audience.
</>
}
content={<>Ensure that your connection has the correct permissions.</>}
>
<div>
<span>Don&#39;t see the IAM user you&#39;re looking for?</span>{" "}
@@ -73,8 +68,13 @@ export const AwsIamUserSecretRotationParametersFields = () => {
control={control}
name="parameters.region"
render={({ field: { value, onChange }, fieldState: { error } }) => (
<FormControl isError={Boolean(error)} errorText={error?.message} label="Region">
<AwsRegionSelect value={value} onChange={onChange} />
<FormControl
isError={Boolean(error)}
errorText={error?.message}
label="Region"
helperText="Required only if no global scope is set."
>
<AwsRegionSelect value={value ?? ""} onChange={onChange} />
</FormControl>
)}
/>
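Review bot: The helper text `"Required only if no global scope is set."` (new line 311) does not tell the user where that setting lives, so they cannot act on it when their rotation fails for lack of a region. Presumably it refers to the scope configured on the selected AWS connection; something like `helperText="Required unless a global scope is configured on the selected AWS connection."` would make it actionable. Since the field is now optional, it is also worth checking what `AwsRegionSelect` emits when nothing is selected—`value ?? ""` on new line 313 only affects the displayed value, and the backend enum validation in this commit will reject an empty string if one is submitted. The enclosing component starts outside this hunk.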


@@ -8,7 +8,7 @@ export const AwsIamUserSecretRotationSchema = z
type: z.literal(SecretRotation.AwsIamUserSecret),
parameters: z.object({
userName: z.string().trim().min(1, "User Name required"),
region: z.string().trim().min(1, "Region required")
region: z.string().trim().optional()
}),
secretsMapping: z.object({
accessKeyId: z.string().trim().min(1, "Access Key ID required"),
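Review bot: `region: z.string().trim().optional()` (new line 325) accepts an empty string, while the backend schema changed in this same commit uses `z.nativeEnum(AWSRegion).optional()`, which rejects `""`. If the region select ever yields `""` (for example after the user clears a previous choice), the form passes client-side validation and then fails server-side with an unhelpful enum error. Normalise empties to undefined in the schema, e.g. `region: z.string().trim().optional().transform((v) => (v ? v : undefined))`, or keep `.min(1)` and make the form state itself omit the key. The enclosing `z.object` starts and ends outside this hunk.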


@@ -23,7 +23,7 @@ export const SECRET_ROTATION_MAP: Record<
[SecretRotation.AwsIamUserSecret]: {
name: "AWS IAM User Secret",
image: "Amazon Web Services.png",
size: 35
size: 50
}
};


@@ -8,7 +8,7 @@ import {
export type TAwsIamUserSecretRotation = TSecretRotationV2Base & {
type: SecretRotation.AwsIamUserSecret;
parameters: {
region: string;
region?: string;
userName: string;
};
secretsMapping: {