smallstep · leonweecs · Aug 28, 2024
@@ -559,27 +559,45 @@ Here are the `config` options for `vaultcas` authorities:
 
 - **pkiRoleEd25519**: the pki role used to issue Ed25519 certificates, defaults to *pkiRoleDefault*
 
-- **authType**: required. the authentication method used to login to the vault, one of `approle` or `kubernetes`
+- **authType**: required. the authentication method used to login to the vault, one of `approle`, `kubernetes` or `aws`
 
 - **authMountPath**: the vault mount path for the auth method you want to use, if not set the default mount path for that auth type is used (usually the same name as the auth method)
 
 - **namespace**: optional. if using Vault Enterprise, the [namespace](https://developer.hashicorp.com/vault/docs/enterprise/namespaces) to which requests should be scoped. Note: this value will apply to both the `pkiMountPath` and the `authMountPath`, effectively prefixing them
 
 - **authOptions**: required. a set of options specific to the selected auth method type
 
-  - **roleID**: [authType=`approle`] required. the approle role-id to use
+  - For [authType=`approle`]:
 
-  - **secretID**: [authType=`approle`] the approle secret-id to use
+    - **roleID**: required. the approle role-id to use
 
-  - **secretIDFile**: [authType=`approle`] the path to a file containing a secret-id (recommended method in production environments)
+    - **secretID**: the approle secret-id to use
 
-  - **secretIDEnv**: [authType=`approle`] the name of an environment variable that contains the secret-id
+    - **secretIDFile**: the path to a file containing a secret-id (recommended method in production environments)
 
-  - **isWrappingToken**: [authType=`approle`] set true if the secret-id is wrapped
+    - **secretIDEnv**: the name of an environment variable that contains the secret-id
 
-  - **role**: [authType=`kubernetes`] required. the kubernetes role to use
+    - **isWrappingToken**: set true if the secret-id is wrapped
+
+  - For [authType=`kubernetes`]:
 
-  - **tokenPath**: [authType=`kubernetes`] the path to a token used to authenticate (default to the service account token path in a k8s pod)
+    - **role**: required. the kubernetes role to use
+
+    - **tokenPath**: the path to a token used to authenticate (default to the service account token path in a k8s pod)
+
+  - For [authType=`aws`]:
+
+    - **role**: required. the AWS role to use
+
+    - **awsAuthType**: required. the AWS authentication type to use, one of `iam` or `ec2`
+
+    - **region**: optional. the AWS region to use
+
+    - **iamServerIdHeader**: [awsAuthType=`iam`] optional. the additional header sent to Vault to mitigate replay attack
+
+    - **signatureType**: [awsAuthType=`ec2`] optional. the type of signature used to verify EC2 auth logins, one of `pkcs7`, `identity`, or `rsa2048`
+
+    - **nonce**: [awsAuthType=`ec2`] optional. the nonce sent to Vault to mitigate replay attack, a randomly generated nonce will be used if not provided
 
 Finally, remove the `"root"`, `"key"`, and `"crt"` values from your `$(step path)/config/ca.json`, and the associated files. These are generated by `step ca init` but are not used by RA servers.