@innovationson/cdk-iamuserwithaccesskey
Version:
Creating an IAM user with access key stored in Secrets manager
85 lines (57 loc) • 2.01 kB
Markdown
[] L3 construct for managing IAM Users with static credentials.
CDK does not support creating Access Keys, so this construct helps you to do it correctly. It creates three resources:
- An IAM User
- An Access Key
- A Secrets Manager Secret
You should only use this for technical access to AWS APIs. Not for personal user accounts.
When using projen add the following to your .projenrc:
```js
deps: ['@innovationson/cdk-iamuserwithaccesskey@^1.0.0'],
```
```bash
yarn add --dev @innovationson/cdk-iamuserwithaccesskey
npm install @innovationson/cdk-iamuserwithaccesskey --save-dev
```
```typescript
import { App, Stack, StackProps } from 'aws-cdk-lib';
import { IamUserWithAccessKey } from '@innovationson/cdk-iamuserwithaccesskey';
import { Construct } from 'constructs'
export class MyStack extends Stack {
constructor(scope: Construct, id: string, props: StackProps = {}) {
super(scope, id, props);
new IamUserWithAccessKey(this, 'myUser', {
userName: 'markus',
});
}
}
```
The AccessKey and SecretAccessKey will be stored in AWS Secrets Manager. The arn will be added as a cfn Output.
To download the details via AWS cli you can run:
```bash
aws secretsmanager get-secret-value \
--secret-id $secretId \
--query SecretString \
--output text
```
TBD
Secrets in the AWS Secrets Manager by default are encrypted with the key `alias/aws/secretsmanager`.
To use a custom KMS key you can pass it to the user:
```typescript
const kmsKey = new kms.Key(this, 'KMS-key');
new IamUserWithAccessKey(this, 'myUser', {
userName: 'markus',
encryptionKey: kmsKey,
});
```
This KMS key needs to be created in the same stack. You cannot use a key imported via ARN, because the keys access policy will need to be modified.
[]: https://aws.amazon.com/cdk/