Support STS assumed role
IAM Users are fine 95% of the time, but EKS access must map to specific IAM Users, not dynamic usernames. Therefore the temporary credentials from Vault need to be wired in via further automation after Vault provisions the temporary user.
To work around this, EKS supports access via an IAM Role, so dynamic users can sts:AssumeRole into this static Role.
Vault supports this: https://developer.hashicorp.com/vault/docs/secrets/aws#sts-assumerole
The command to get the STS creds is: vault write <AWS_MOUNT>/sts/<IAM_ROLE>
The output is:

```
$ vault write aws-<censored>/sts/eks ttl=60m
Key               Value
---               -----
lease_id          aws-<censored>/sts/eks/MNA6pFNrOdZymYnbTLH0grgV
lease_duration    59m59s
lease_renewable   false
access_key        <AWS_ACCESS_KEY_ID>
arn               <SOME_AWS_ARN>
secret_key        <AWS_SECRET_ACCESS_KEY>
security_token    <AWS_SESSION_TOKEN>
ttl               59m59s
```
It would be great if this script could also be adapted to handle the sts:AssumeRole mode of operation.
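As an added example (not this project's script), a Python sketch of how the two modes differ for the caller: `vault write -format=json` is run against either `<mount>/creds/<role>` (iam_user) or `<mount>/sts/<role>`, and the parsed output is mapped to the environment variables the AWS SDKs read, with `security_token` becoming `AWS_SESSION_TOKEN`. The mount and role names and the sample JSON are constructed placeholders.

```python
import json
import subprocess
from typing import Dict

# Constructed sample of `vault write -format=json <mount>/sts/<role> ttl=60m`
# (placeholder values only; real output carries live credentials and must not be logged).
SAMPLE_STS_JSON = json.dumps({
    "lease_id": "aws-example/sts/eks/EXAMPLELEASEID",
    "lease_duration": 3599,
    "renewable": False,  # matches lease_renewable=false in the issue's output
    "data": {
        "access_key": "ASIAEXAMPLEKEY",
        "arn": "arn:aws:sts::123456789012:assumed-role/eks/vault-example",
        "secret_key": "EXAMPLESECRETKEY",
        "security_token": "EXAMPLESESSIONTOKEN",
        "ttl": 3599,
    },
})


def fetch_vault_aws(mount: str, role: str, mode: str = "creds", ttl: str = "60m") -> dict:
    """Run `vault write -format=json <mount>/<mode>/<role> ttl=<ttl>` and return the parsed JSON.
    mode is "creds" for the iam_user credential type, "sts" for assumed_role."""
    if mode not in ("creds", "sts"):
        raise ValueError("mode must be 'creds' or 'sts'")
    out = subprocess.run(
        ["vault", "write", "-format=json", f"{mount}/{mode}/{role}", f"ttl={ttl}"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(out.stdout)


def to_aws_env(secret: dict) -> Dict[str, str]:
    """Map a Vault AWS secret to AWS SDK environment variables.
    iam_user creds carry only access_key/secret_key; STS creds add security_token,
    which AWS rejects the key pair without, so it must become AWS_SESSION_TOKEN."""
    data = secret["data"]
    env = {
        "AWS_ACCESS_KEY_ID": data["access_key"],
        "AWS_SECRET_ACCESS_KEY": data["secret_key"],
    }
    token = data.get("security_token")
    if token:
        env["AWS_SESSION_TOKEN"] = token
    return env


def must_reissue(secret: dict) -> bool:
    """STS leases are not renewable, so the script has to request a fresh
    secret before the ttl elapses rather than call `vault lease renew`."""
    return not secret.get("renewable", False)
```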