When QR is deployed on-prem, certain endpoints require the credentials of an AWS IAM user in order to function. Examples:
- AWS Redshift (for the S3 staging bucket)
- AWS S3
IAM user credentials are a system-generated key pair (the access key ID is the principal, the secret access key is the password), which means that both the principal and password fields need to be updated when rotation occurs. Unfortunately, not all endpoints support principal updates, and those that do usually have a static principal field that doesn't need updating. Since IAM credentials need both fields updated, endpoints should be updated to allow the secrets addon to make this change.
Example: HashiCorp Vault
- When requesting credentials through an AWS secrets engine in Vault, a new IAM user and key pair are generated with every call. Since this results in a new principal (access key), we cannot use the secrets addon with secrets stored in this location.
- If we request those same credentials through a key-value secrets engine (static key pairs), the principal would need to be manually updated any time that credential was rotated. This introduces manual intervention into an automated process, creating a high risk of failure for potentially critical tasks.
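As an added illustration (not code from QR or its secrets addon), the Python below models the two Vault cases: it reads a key pair from either response layout and refuses to apply a rotation whose principal changed on an endpoint that only accepts password updates. The `Endpoint` model, the sample responses, and the `access_key`/`secret_key` names inside the KV payload are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Endpoint:
    """Minimal model (assumed) of an on-prem endpoint holding an IAM user key pair."""
    name: str
    principal: str                  # AWS access key ID
    password: str                   # AWS secret access key
    supports_principal_update: bool


class RotationError(Exception):
    """Raised when a rotated credential cannot be applied safely."""


def extract_key_pair(vault_response: dict) -> tuple:
    """Return (access key ID, secret access key) from a Vault read response.

    AWS secrets engine: data.access_key / data.secret_key (new IAM user per call).
    KV v2 engine: data.data.<keys>; the keys access_key / secret_key are an
    assumption here, since KV stores whatever the operator wrote.
    """
    data = vault_response["data"]
    if "data" in data and "metadata" in data:   # KV v2 wraps the stored payload
        data = data["data"]
    return data["access_key"], data["secret_key"]


def rotate(endpoint: Endpoint, vault_response: dict) -> Endpoint:
    """Apply a rotated key pair to an endpoint.

    Refuses when the principal changed but the endpoint only takes password
    updates: applying just the password would leave a mismatched key pair.
    """
    new_principal, new_password = extract_key_pair(vault_response)
    if new_principal != endpoint.principal and not endpoint.supports_principal_update:
        raise RotationError(f"{endpoint.name}: access key ID changed "
                            f"({endpoint.principal} -> {new_principal}) but the "
                            "endpoint only accepts password updates")
    return Endpoint(endpoint.name, new_principal, new_password,
                    endpoint.supports_principal_update)


# Constructed sample responses; the key values are placeholders, not real credentials.
AWS_ENGINE_RESPONSE = {"lease_duration": 3600, "data": {
    "access_key": "AKIAEXAMPLE00000002", "secret_key": "SECRET-2", "security_token": None}}
KV_V2_RESPONSE = {"data": {"metadata": {"version": 2}, "data": {
    "access_key": "AKIAEXAMPLE00000001", "secret_key": "SECRET-ROTATED"}}}


def demo():
    """Static KV rotation succeeds; dynamic AWS-engine credentials are refused."""
    s3 = Endpoint("s3", "AKIAEXAMPLE00000001", "SECRET-1", supports_principal_update=False)
    rotated = rotate(s3, KV_V2_RESPONSE)         # same principal, new password
    try:
        rotate(s3, AWS_ENGINE_RESPONSE)          # new IAM user, so new principal
        return rotated, None
    except RotationError as exc:
        return rotated, str(exc)
```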