Manage AWS Service Accounts
These CLI commands can be used to manage service accounts that use the SecretHub AWS Identity Provider. For details about the Identity Provider, see the AWS Integration Reference.
To manage AWS service accounts, you can use the following commands:
service aws init- create a new aws service account
service aws ls- list all aws service accounts for a repository
To create a new service account that uses the AWS identity provider, you can use:
secrethub service aws init [options] <namespace>/<repo>
Note that the CLI requires encryption rights on the KMS key that will be used by the service account, so AWS credentials should be configured on the system you run this command. For details on how this can be done, see the AWS CLI documentation.
If no system-wide default for the AWS region is provided (e.g. with
$AWS_REGION), the AWS-region where the KMS key resides should be explicitly provided to this command with the
- The service account is attached to this repository.
- The ID or ARN of the KMS-key to be used for encrypting the service’s account key. If this value is not provided as a flag, you will be prompted for its value.
- The role name or ARN of the IAM role that should have access to this service account. If this value is not provided as a flag, you will be prompted for its value.
- The AWS region that should be used for KMS. Only required if the region cannot be determined from the system-wide AWS configuration or the KMS-key ARN. If this value is not provided as a flag and is required, you will be prompted for its value.
- A description for the service.
- Create an access rule giving the service account permission on a directory.
Accepted permissions are
--permission <permission>to give permission on the root of the repo and
--permission <subdirectory>:<permission>to give permission on a subdirectory.
To list all AWS service accounts attached to a repository, you can use the
service aws ls command:
secrethub service aws ls [options] <namespace>/<repo>
service aws ls command prints out the details of all services, including the IAM Role and KMS Key they use.
- The repository to list service accounts for.
- Only print service IDs.
- Show timestamps formatted to RFC3339 instead of human readable durations.