{"id":37206626,"url":"https://github.com/jetstack/vault-plugin-auth-templated-aws","last_synced_at":"2026-01-14T23:46:54.467Z","repository":{"id":57600773,"uuid":"132886448","full_name":"jetstack/vault-plugin-auth-templated-aws","owner":"jetstack","description":null,"archived":true,"fork":false,"pushed_at":"2018-05-11T09:52:27.000Z","size":27819,"stargazers_count":0,"open_issues_count":2,"forks_count":5,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-07-16T00:31:32.028Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jetstack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-05-10T10:40:04.000Z","updated_at":"2023-01-28T18:54:50.000Z","dependencies_parsed_at":"2022-08-25T17:52:13.942Z","dependency_job_id":null,"html_url":"https://github.com/jetstack/vault-plugin-auth-templated-aws","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/jetstack/vault-plugin-auth-templated-aws","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fvault-plugin-auth-templated-aws","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fvault-plugin-auth-templated-aws/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fvault-plugin-auth-templated-aws/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fvault-plugin-auth-templated-aws/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jetstack","download_u
rl":"https://codeload.github.com/jetstack/vault-plugin-auth-templated-aws/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fvault-plugin-auth-templated-aws/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28439537,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T22:37:52.437Z","status":"ssl_error","status_checked_at":"2026-01-14T22:37:31.496Z","response_time":107,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-14T23:46:53.954Z","updated_at":"2026-01-14T23:46:54.459Z","avatar_url":"https://github.com/jetstack.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"vault-plugin-auth-templated-aws\n===============================\n\nvault-plugin-auth-templated-aws is a vault plugin to dynamically create roles and policies based on the identity of the EC2 instance requesting a vault token.\nIt is implemented as a fork of vault's awsauth backend, with a templating system added.\n\nTo build:\n\n    $ dep ensure\n    $ go build\n\nTo run:\n\nAdd `plugin_directory = \"/etc/vault/plugins\"` to vault config.\n\nCopy binary into plugin directory:\n\n    $ mkdir -p /etc/vault/plugins/\n    $ cp vault-plugin-auth-templated-aws /etc/vault/plugins/vault-plugin-auth-templated-aws\n\nCalculate hash of plugin:\n\n    $ export SHA256=$(shasum 
-a 256 \"/etc/vault/plugins/vault-plugin-auth-templated-aws\" | cut -d' ' -f1)\n\nRegister it with vault:\n\n    $ vault write sys/plugins/catalog/vault-plugin-auth-templated-aws sha_256=\"${SHA256}\" command=\"vault-plugin-auth-templated-aws\"\n\nEnable it as an auth method:\n\n    $ vault auth enable -path=\"tarmak\" -plugin-name=\"vault-plugin-auth-templated-aws\" plugin\n\nCheck it appears in auth list:\n\n    $ vault auth list\n\nDisable it with:\n\n    $ vault auth disable tarmak\n\n\nConfiguring\n-----------\n\nSet the vault token and address to use for writing new policies:\n\n    vault write auth/tarmak/config/vault token=7459a4df-1e18-6b08-5c0a-f0106badc284 address=http://127.0.0.1:8200\n\nOptionally set the aws credentials for talking to the ec2 api:\n\n    vault write auth/tarmak/config/client secret_key=something access_key=something_else\n\nCreate role:\n\n    vault write auth/tarmak/role/vault-test bound_iam_role_arn=arn:aws:iam::228615251467:role/tarmak-vault base_path=\"/\"\n\nCreate some templates (see the section below for more information):\n\n    vault write auth/tarmak/template/vault-test/test-policy template='path \"secret/*\" { capabilities = [\"create\"] } path \"secret/foo\" { capabilities = [\"read\"] }' type=policy path=\"sys/policy\"\n    vault write auth/tarmak/template/vault-test/test-pki template='{\"allowed_domains\": [\"{{ .FQDN }}\"], \"allow_subdomains\": true}' type=generic path=\"pki/roles\"\n\nGet a token:\n\n    vault write auth/tarmak/login pkcs7=\"$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7)\" role=vault-test\n\nTemplates\n---------\n\nTemplates are processed using go's templating language, with the following variables supported:\n\n- `{{ .InstanceHash }}`: the ID of the requesting instance (e.g. `i-0f7ebb331c89ed78c`)\n- `{{ .FQDN }}`: the private DNS name of the requesting instance (e.g. 
`ip-172-31-19-213.eu-west-1.compute.internal`)\n- `{{ .InternalIPv4 }}`: the private IP address of the requesting instance\n- `{{ .BasePath }}`: the `base_path` set on the role used\n- `{{ .OutputPath }}`: the `path` set on the template\n- `{{ .TemplateName }}`: the name of the template\n\nThese templates will be rendered to `{{.BasePath}}/{{.OutputPath}}/{{.TemplateName}}-{{.InstanceHash}}` in vault.\n\n### policy\n\nTemplates with `type=policy` are parsed and processed in HCL. See [this page](https://www.vaultproject.io/docs/concepts/policies.html#policy-syntax) for details.\n\n### generic\n\nTemplates with `type=generic` are specified in JSON format, and are processed as generic vault secrets.\nAlthough intended to configure PKI roles, they could be used for other purposes.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjetstack%2Fvault-plugin-auth-templated-aws","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjetstack%2Fvault-plugin-auth-templated-aws","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjetstack%2Fvault-plugin-auth-templated-aws/lists"}