Hi George, what an excellent video you have here. I was looking hard for a complete IAC setup and your video saved the week.
I've just discovered your channel man. Good work I love this. I'm here to stay.
Thanks for posting
Great work. Love the channel
Excellent video, George! I was looking for creating AWS resources while keeping the secrets in Vault, and I found this video of yours. It's really helpful. Thanks so much!! In this video you mentioned a previous episode, episode 13, but I could not locate it on your channel. Can you please clarify how I can locate it? I am following the playlist 'Writing Infrastructure As Code', which has only 7 videos.
Hi Rafiq. Thank you for those nice words. Glad to hear this video helps.
I re-watched the video and I think I was referring to this when I said previous video:
th-cam.com/video/4uhadNFN0n8/w-d-xo.html
I will try to update this one to have better link references.
@pablosspot Thank you for the prompt response. That helps.
2:54
I have an EC2 instance on AWS with Vault on it.
What should I write in the "name" attribute?
Also, I have removed the AWS credential fields because I have them set in the environment.
Hi Jack,
I stored the Vault token in Systems Manager, so it all depends on what name you use if you follow the same approach. This is the token used to integrate Terraform with Vault.
Hi,
You used SSM because you will now create and manage resources through it on AWS, and Vault can be used to manage secrets with them?
I used SSM because I need to store the token I will use to create the Terraform resources inside Vault that will allow me to store and manage secrets.
Imagine you are setting up the resources manually inside Vault. For you to be able to go inside Vault and do anything, you need a token to log in to the Vault system. This is essentially what is happening at th-cam.com/video/3yU0BRbANs0/w-d-xo.html. The token is what I am storing in SSM.
Hope this helps clarify things.
@pablosspot If you already have AWS SSM, which can be used to store the token, why do you still need another Vault system to store the AWS token? What's the usage of your Vault in your video?
Thank you @ChenruLyu for your question. The short answer is that the Vault system is used to generate short-lived AWS access credentials.
The long answer: this episode contains two parts. The first part is from the start all the way to 9:01 and contains the steps to set up the Vault infrastructure. After 9:01, I described the steps to use the newly created Vault infrastructure to generate AWS credentials that I can use to stand up my AWS infrastructure.
You can definitely use AWS SSM to store tokens. But to be able to access these values, you still need to have AWS credentials (AWS access key and secret) to fetch the values from AWS SSM.
Hopefully this helped. Happy to clarify if anything does not make sense.
How can we create a VM and a database in AWS using the YAML in Terraform? Can you help me with that?
Hi suneel,
I suggest you have a look at this episode and see how you go.
th-cam.com/video/8_QSES_P67s/w-d-xo.html
Nice video, thumbs up Pablo. One question: apart from using terraform fmt on the terminal for your code, what did you use to format your Terraform code?
Thank you :). I use a plugin in VS Code to format the code. Have a look at this.
th-cam.com/video/przZU7VBBGU/w-d-xo.html
Hi @Pablo's Spot, thanks for the awesome video! While I am implementing the same code over my infra, I got this issue:
Error: Error describing SSM parameter (/app/vault/token): ParameterNotFound:
│
│ with data.aws_ssm_parameter.token,
│ on data.tf line 1, in data "aws_ssm_parameter" "token":
│ 1: data "aws_ssm_parameter" "token" {
The same for access_key and secret_key, after setting local in terraform general local execution role. Can you help me? Thanks
Hi Mahesh,
You can do this two ways:
1) You can log in to your AWS web console, go to Parameter Store in AWS Systems Manager and create the missing parameter “/app/vault/token” … OR …
2) You may want to change the data reference to a resource so the Parameter Store entry gets created.
@pablosspot Awesome. Thank you! Issue is resolved both ways.🙏
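The two-part flow described earlier in the thread (bootstrap the Vault side with the token held in SSM, then let Vault hand out short-lived AWS credentials) and the ParameterNotFound fix above, as one added Terraform example. This is not the episode's own code; the region, Vault address, SSM parameter name "/app/vault/token", secrets engine path, role name, bucket name and IAM role ARN are assumed placeholders.

```hcl
###############################################################################
# Part 1 (setup root module): stand up the Vault side.
# The Vault token is read from SSM with the operator's own AWS credentials,
# which is the only long-lived AWS credential in the whole flow.
###############################################################################

# Bootstrap provider: picks up AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY (or a
# profile) from the environment, as the thread describes.
provider "aws" {
  alias  = "bootstrap"
  region = "ap-southeast-2"          # assumed region
}

# Declared as a resource (option 2 in the thread) so a fresh account does not
# fail with ParameterNotFound. The value arrives via TF_VAR_vault_token and is
# marked sensitive so it is redacted from plan output.
variable "vault_token" {
  type      = string
  sensitive = true
}

resource "aws_ssm_parameter" "token" {
  provider = aws.bootstrap
  name     = "/app/vault/token"
  type     = "SecureString"          # encrypted at rest with the SSM KMS key
  value    = var.vault_token
}

# Option 1 equivalent, if the parameter was created by hand in the console:
# data "aws_ssm_parameter" "token" {
#   provider        = aws.bootstrap
#   name            = "/app/vault/token"
#   with_decryption = true
# }

provider "vault" {
  address = "https://vault.example.internal:8200"   # assumed address
  token   = aws_ssm_parameter.token.value            # or data.aws_ssm_parameter.token.value
}

# Integration key pair (the one the thread refers to at 3:40-4:18). With the
# assumed_role type below, this IAM user only needs sts:AssumeRole on the
# deploy role; it never needs the deployment permissions itself.
variable "vault_integration_access_key" {
  type      = string
  sensitive = true
}
variable "vault_integration_secret_key" {
  type      = string
  sensitive = true
}

resource "vault_aws_secret_backend" "aws" {
  path                      = "aws"
  region                    = "ap-southeast-2"
  access_key                = var.vault_integration_access_key
  secret_key                = var.vault_integration_secret_key
  default_lease_ttl_seconds = 900    # generated credentials live 15 minutes
  max_lease_ttl_seconds     = 3600
}

# assumed_role issues STS session credentials: no IAM user or access key is
# created per run, and the credentials expire on their own.
resource "vault_aws_secret_backend_role" "deploy" {
  backend         = vault_aws_secret_backend.aws.path
  name            = "deploy"
  credential_type = "assumed_role"
  role_arns       = ["arn:aws:iam::123456789012:role/terraform-deploy"]  # placeholder ARN
}

###############################################################################
# Part 2 (applied after part 1): consume the credentials.
###############################################################################

# Each plan/apply asks Vault for a fresh session; nothing is stored in SSM.
data "vault_aws_access_credentials" "deploy" {
  backend = vault_aws_secret_backend.aws.path
  role    = vault_aws_secret_backend_role.deploy.name
  type    = "sts"                    # matches credential_type = "assumed_role"
}

# Default AWS provider used by the real infrastructure.
provider "aws" {
  region     = "ap-southeast-2"
  access_key = data.vault_aws_access_credentials.deploy.access_key
  secret_key = data.vault_aws_access_credentials.deploy.secret_key
  token      = data.vault_aws_access_credentials.deploy.security_token  # required for STS credentials
}

resource "aws_s3_bucket" "example" {
  bucket = "pablosspot-ep13-example-bucket"   # placeholder name
}
```

The listing is shown as one file for readability, but a provider block cannot be configured from values that are unknown at plan time, so apply part 1 first (a separate root module, or `terraform apply -target=vault_aws_secret_backend_role.deploy`) and only then run the consumer. For the 403 InvalidClientTokenId error reported later in the thread, the three things worth checking in this layout are the integration key pair given to `vault_aws_secret_backend`, that the `token` attribute is passed to the AWS provider when the credential type is STS (the access key and secret alone are rejected as an invalid security token), and, if `iam_user` credentials are used instead, that enough time has passed for the newly created IAM access key to propagate.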
Hi Pablo, it is a very good video. Can you share the code?
Working on it. Will let you know once ready.
Hi Mudduluru!
Here you go! Enjoy! :)
github.com/dyordsabuzo/pablosspot/tree/main/ep-13-iac-with-vault
Hi Pablo, I face the below issue while trying to get the AWS access key and secret key from HashiCorp Vault in Terraform.
Error: configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: eb4f56b2-30ea-4429-aba3-94093582c162, api error InvalidClientTokenId: The security token included in the request is invalid.
│
│ with provider["registry.terraform.io/hashicorp/aws"],
│ on awsvault.tf line 12, in provider "aws":
│ 12: provider "aws" {
My first theory why this failed is that the Vault integration access key and secret are not right. This is the one that is set up at 3:40 to 4:18. Could you check if the access key and secret you used here are correct please?
@pablosspot Yes, both the access key and secret key are correct.
Sorry, I might have misunderstood what is happening, but to confirm: you have already set up AWS in Vault and you are trying to use the generated access key and secret to stand up your infrastructure. Is this correct?