
Full ARN for KMS and DynamoDB Table #68

Open
shleeable opened this issue Apr 18, 2017 · 1 comment
@shleeable

Hey Team,

I'm considering the option of the creation of a shared/common credstash and as such require cross-account ARNs. Unless there is a smarter way of doing this.

Note: I know you can grant aliases to KMS keys cross-account, but I'd rather just use the full path for my use case.

wolfeidau self-assigned this Apr 18, 2017

@bacoboy (Contributor) commented Jul 7, 2017

You can use cross account roles with the AssumeRole (#70) support recently added to administrate across different accounts. But in this case you want to share the storage AND keys between accounts.

Generally it is frowned upon to share KMS keys across accounts. This is why things like encrypted volumes/snapshots can't be shared across accounts, for instance.

I manage multiple accounts with credstash stores and each has its own store. Use something like terraform to manage the policies and such for consistency between accounts.

You do it how you want, but if you want a central store for all secrets, you should look at something outside of IAM (that is available on a private network) like vault, chef encrypted data bags, etc.
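The comment above argues against sharing a KMS key across accounts and for keeping one store per account. The check a practitioner would want alongside that advice is a way to spot, in a key policy, any Allow statement that reaches outside the account that owns the key. The script below is an added example and is not part of this project or this thread; the key policy it inspects is a constructed sample (the account ids, Sids and the `credstash-reader` role name are invented), and it only looks at `AWS` principals, ignoring `Service` and `Federated` ones.

```python
import json
import re

# Constructed sample KMS key policy (assumption: not taken from the project or
# from the thread). The key is owned by account 111111111111; one statement
# grants decrypt rights to a role in a second account, one uses a wildcard
# principal, and one is a Deny that should not be reported.
KEY_ACCOUNT = "111111111111"
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnableIAMUserPermissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "AllowOtherAccountDecrypt",
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::222222222222:role/credstash-reader"]},
            "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
            "Resource": "*",
        },
        {
            "Sid": "WildcardPrincipal",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "kms:Decrypt",
            "Resource": "*",
        },
        {
            "Sid": "DenyThirdAccount",
            "Effect": "Deny",
            "Principal": {"AWS": "arn:aws:iam::333333333333:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
    ],
})

# The account id is the fifth colon-separated field of an IAM or STS ARN:
# arn:partition:iam::ACCOUNT:resource
IAM_ARN_RE = re.compile(r"^arn:[\w-]+:(?:iam|sts)::(\d{12}):")


def principal_values(principal):
    """Flatten the Principal element to a list of AWS principal strings.

    Handles the shapes the policy grammar allows for AWS principals: the bare
    "*", {"AWS": "<single>"} and {"AWS": ["<one>", "<two>"]}. Service and
    Federated principals are ignored because they are not accounts.
    """
    if principal == "*":
        return ["*"]
    if not isinstance(principal, dict):
        return []
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def account_of(principal):
    """Return the 12-digit account id a principal belongs to, or None."""
    if re.fullmatch(r"\d{12}", principal):
        return principal  # a bare account id is shorthand for that account's root
    match = IAM_ARN_RE.match(principal)
    return match.group(1) if match else None


def find_cross_account_grants(policy_json, key_account):
    """Return (sid, principal, reason) for every Allow that reaches outside key_account."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        sid = stmt.get("Sid", "")
        for principal in principal_values(stmt.get("Principal", {})):
            if principal == "*":
                findings.append((sid, principal, "wildcard principal"))
                continue
            account = account_of(principal)
            if account is None:
                findings.append((sid, principal, "unrecognised principal"))
            elif account != key_account:
                findings.append((sid, principal, "cross-account"))
    return findings


if __name__ == "__main__":
    for sid, principal, reason in find_cross_account_grants(SAMPLE_KEY_POLICY, KEY_ACCOUNT):
        print(f"{sid}: {principal} ({reason})")
```

Run against a real key policy (for example the output of `aws kms get-key-policy --policy-name default`), an empty result means every Allow in the policy stays inside the owning account; any `cross-account` or `wildcard principal` finding is exactly the kind of sharing the comment recommends avoiding, and the per-account store model it describes needs no such statement at all.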
