Description:
I am attempting to use Boundary CLI to create a dynamic host catalog using the AWS plugin. According to the documentation for the boundary-plugin-aws repository, it's mentioned that one can utilize a role ARN for credential rotation in addition to static credentials and environment variables.
However, I encountered issues when trying to implement this using the following command:
```
boundary host-catalogs create plugin \
  -scope-id $PROJECT_ID \
  -plugin-name aws \
  -attr disable_credential_rotation=true \
  -attr region=us-east-1 \
  -secret access_key_id=env://BOUNDARY_ACCESS_KEY_ID \
  -secret secret_access_key=env://BOUNDARY_SECRET_ACCESS_KEY \
  -attr role_arn=env://BOUNDARY_ROLE_ARN
```
When attempting to include the role ARN attribute along with static access key and secret access key secrets, the command resulted in the following error:
```
desc = Error in the secrets provided: [attributes.role_arn: conflicts with access_key_id and
secret_access_key values, secrets.access_key_id: conflicts with role_arn value,
secrets.secret_access_key: conflicts with role_arn value]
Status: 500
```
On the other hand, when omitting the static secrets and solely providing the role ARN attribute, the command yielded the following error:
```
desc = secrets are required
Status: 500
```
This inconsistency makes it unclear whether role ARN can be effectively used instead of static secrets for credential rotation. Considering best practices and security concerns, utilizing role ARN for rotation would be preferable.
Could you please help clarify whether it's possible to use AWS IAM role ARN for credential rotation in the Boundary AWS plugin? If so, could you provide guidance on the correct usage or any potential workaround to address the errors encountered?
Thank you for your attention to this issue.