VaultWarden on AWS

This solution deploys VaultWarden on AWS using ECS, Fargate and EFS.

Prerequisites

  • AWS CLI
  • Python > 3.7
  • An AWS S3 bucket for the CloudFormation Assets to be uploaded to.
  • An AWS ACM Public SSL Certificate for the Domain to be used.
  • AWS SES configured to be able to send from one validated email address

Deployment

aws cloudformation package --template-file template.yaml --s3-bucket {YOUR S3 BUCKET} --output-template-file packaged-template.yaml

Note: Make sure to replace {YOUR S3 BUCKET} with the name of your own S3 bucket.

You can then navigate to the AWS CloudFormation console in the same region and deploy a new stack by specifying the packaged-template.yaml file that was just created.

Access

Once the stack deployment is complete you will see two outputs:

  • LoadBalancerDNSName
  • AdminTokenSecretId

Create a new CNAME entry in your DNS provider using the LoadBalancerDNSName value and the DomainName you chose.

Once DNS has been propagated you should be able to access the Web Interface at: https://{DOMAINNAME}

Admin Panel

The Admin Panel of VaultWarden is blocked by the WAF deliberately.

Access can be gained at http://{ecs task private IP}/admin

The Admin Token can be found in Secrets Manager; the secret ARN is shown in the AdminTokenSecretId output.

Note: To gain access you will need to do so from a resource that has private IP access and update the ECS security group.

Optional backup module

An optional backup module can be deployed. A Lambda function is scheduled and triggered daily; it zips the content of the EFS mount point and writes it to a given S3 location. An S3 bucket policy needs to be created manually, following the example below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "Replace with value obtained from Cfn Output RoleArnForBackupBucketPolicy"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::your-bucket-name/*"
    }
  ]
}
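Because the bucket policy is written by hand, it is worth checking before it is applied that it still grants only what the example above grants. The following is an added example, not part of this project: the function names, the bucket name `example-vw-backups`, the account ID and the role name are all constructed for illustration.

```python
import json
import re

# Actions granted by the README's example policy; anything else is flagged.
ALLOWED_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"}
# Shape of an IAM role ARN, which is what RoleArnForBackupBucketPolicy should hold.
ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/.+$")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS", []))
    return _as_list(principal) if principal else []

def check_backup_bucket_policy(policy_text, bucket_name):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    prefix = f"arn:aws:s3:::{bucket_name}/"
    for n, stmt in enumerate(_as_list(json.loads(policy_text)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        principals = _principals(stmt)
        # Catches "*" and the placeholder text left unreplaced.
        if not principals or not all(ROLE_ARN.match(p) for p in principals):
            findings.append(f"statement {n}: principal is not an IAM role ARN")
        extra = sorted(set(_as_list(stmt.get("Action", []))) - ALLOWED_ACTIONS)
        if extra:
            findings.append(f"statement {n}: unexpected actions {extra}")
        resources = _as_list(stmt.get("Resource", []))
        if not resources or not all(r.startswith(prefix) for r in resources):
            findings.append(f"statement {n}: resource not limited to objects in {bucket_name}")
    return findings

def sample_policy(principal, actions, resource):
    """Build a constructed one-statement policy in the README's shape."""
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": principal, "Action": actions, "Resource": resource}]})

if __name__ == "__main__":
    filled_in = sample_policy(
        {"AWS": "arn:aws:iam::111122223333:role/example-backup-role"},  # constructed ARN
        ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"],
        "arn:aws:s3:::example-vw-backups/*")
    too_broad = sample_policy("*", ["s3:*"], "arn:aws:s3:::*")
    for name, text in (("filled_in", filled_in), ("too_broad", too_broad)):
        print(name, check_backup_bucket_policy(text, "example-vw-backups"))
```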