Infisical’s AWS IAM User secret rotation capability lets you update the Access key and Secret access key credentials of a target IAM user from within Infisical at a specified interval or on-demand.

Workflow

The typical workflow for using the AWS IAM User rotation strategy consists of four steps:

  1. Creating the target IAM user whose credentials you wish to rotate.
  2. Creating the managing IAM user used by Infisical to rotate the credentials of the target IAM user.
  3. Configuring the rotation strategy in Infisical with the credentials of the managing IAM user.
  4. Pressing the Rotate button in the Infisical dashboard to trigger the rotation of the target IAM user’s credentials. The strategy can also be configured to rotate the credentials automatically at a specified interval.

In the following steps, we explore the end-to-end workflow for setting up this strategy in Infisical.

1

Create the target IAM user

To begin, create an IAM user whose credentials you wish to rotate. If you already have an IAM user, then you can skip this step.

2

Create the managing IAM user

Next, create another IAM user to be used by Infisical to rotate the credentials of the IAM user in the previous step.

2.1. In your AWS console, head to IAM > Access management > Users and press Create user.

2.2. Next, give the user a username like infisical-rotation-manager and press Next.

2.3. Next, in the Set permissions step, select Attach policies directly and then press Create policy.

2.4. Next, in the Policy editor, paste the following JSON and press Next:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "VisualEditor0",
			"Effect": "Allow",
			"Action": [
			"iam:DeleteAccessKey",
			"iam:GetAccessKeyLastUsed",
			"iam:CreateAccessKey"
			],
			"Resource": "*"
		}
	]
}

The IAM policy above uses the wildcard option in Resource: ”*”.

You may want to restrict the policy to a specific path, and make any adjustments as necessary, to control access for the managing user in production.

Read more about this here.

In the Review and create step, give the policy a name like infisical-rotation-manager, press Create policy to finish creating the policy.

2.5. Back in the Set permissions step from step 2.3, refresh the policy list and search for the policy you just created from step 2.4.

Select the policy and press Next.

In the Review and create step, press Create user to finish creating the IAM user.

2.5. Having created the user, head to its Security credentials > Access keys and press Create access key.

Follow the subsequent steps to create the access key and secret access key credential pair for the user.

At the end of the flow, copy the Access key and Secret access key to use when configuring the AWS IAM User rotation strategy back in Infisical next.

3

Configure the AWS IAM User secret rotation strategy in Infisical

3.1. Back in Infisical, head to the Project > Secrets > Environment and path where you want the rotated AWS IAM credentials to appear and create two placeholder secrets.

In this example, we’ll create two secrets called AWS_ACCESS_KEY and AWS_SECRET_ACCESS_KEY.

3.2. Next, in the Secret Rotation tab, press on the AWS IAM tile to configure the AWS IAM User rotation strategy.

3.3. Input the configuration details for the AWS IAM User rotation strategy obtained from steps 1 and 2:

Here’s some guidance on each field:

  • Manager User Access Key: The managing IAM user’s access key from step 2.5.
  • Manager User Secret Key: The managing IAM user’s secret access key from step 2.5.
  • Manager User AWS Region: The AWS region for Infisical to make requests to such as us-east-1.
  • IAM Username: The IAM username of the user from step 1.

Next, specify the output secret mappings configuration for the rotated AWS IAM credentials; this is the secrets whose values will be replaced with new credentials after each rotation. Here, you can also specify a rotation interval for the credentials to be automatically rotated periodically.

In this example, we want to map the output of the rotated AWS IAM credentials to the secrets that we created in step 3.1 (i.e. AWS_ACCESS_KEY and AWS_SECRET_ACCESS_KEY).

Finally, press Submit to create the secret rotation strategy.

4

Rotate secrets in Infisical

You should now see the AWS IAM User rotation strategy listed in the Secret Rotation tab.

To manually trigger a rotation, you can press the Rotate button on the strategy. Once triggered, the secrets in step 3.1 should be updated with new rotated credential values.

FAQ