IAM Role Support

Points to Note:

  1. This article is applicable for enterprise users (dedicated/on-premises) only.

  2. Not applicable for shared instance users.

Introduction

Vault supports AWS S3 as a storage environment to back up your metadata and data objects. Traditionally, users had to provide:

  • AWS S3 Bucket Name

  • Access Key

  • Secret Key

  • AWS Region

However, Vault now supports IAM Roles, allowing users to connect to S3 buckets without manually entering access or secret keys.


About IAM Role

An IAM Role in AWS is an identity with specific permissions policies. Unlike IAM users, roles do not require long-term credentials and are used to delegate access securely.

IAM Roles are ideal for:

  • Temporary credentials

  • Access control delegation

  • Enhanced security practices

For more information, refer to the AWS IAM Roles documentation.


Prerequisites

To configure IAM Role support in Vault:

  • An active AWS account with access to S3 buckets

  • An IAM user with permissions to assume roles and access S3


Configuring in Vault

  1. Log in to your Vault account.

  2. Navigate to Settings > Backup Environment.

  3. Set Storage Type to AWS S3.

  4. Enter a Label Name (this is a user-defined reference name).

  5. Enable the checkbox: "Role-based control for dedicated/On-Prem Instance"

[Figure: IAM Role configuration in Vault settings, selecting the IAM role option for S3 access]

  6. Enter the S3 Bucket Name in the corresponding field.

  7. Select an encryption method: either AES-256 or AWS-KMS.

  8. Click Save Settings to complete the configuration.
