This solution deploys VaultWarden on AWS using ECS, Fargate and EFS.
- AWS CLI
- Python > 3.7
- An AWS S3 bucket for the CloudFormation Assets to be uploaded to.
- An AWS ACM Public SSL Certificate for the Domain to be used.
- AWS SES configured to be able to send from one validated email address
aws cloudformation package --template-file template.yaml --s3-bucket {YOUR S3 BUCKET} --output-template-file packaged-template.yaml
Note: Make sure to replace {YOUR S3 BUCKET} with the name of your own S3 bucket.
You can then navigate to the AWS CloudFormation console in the same region and deploy a new stack by specifying the packaged-template.yaml file that was just created.
Once the stack deployment is complete you will see two outputs:
- LoadBalancerDNSName
- AdminTokenSecretId
Create a new CNAME entry in your DNS provider using the LoadBalancerDNSName value and the DomainName you chose.
Once DNS has been propagated you should be able to access the Web Interface at: https://{DOMAINNAME}
The Admin Panel of VaultWarden is blocked by the WAF deliberately.
Access can be gained at http://{ecs task private IP}/admin
The Admin Token can be found in Secrets Manager; the secret ARN is shown in the AdminTokenSecretId output.
Note: To gain access you will need to connect from a resource that has private IP access, and update the ECS security group to allow it.
An optional backup module can be deployed. A Lambda function is scheduled and triggered daily; it zips the content of the EFS mount point and writes it to a given S3 location. An S3 bucket policy needs to be manually created following the example below:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "Replace with value obtained from Cfn Output RoleArnForBackupBucketPolicy"
          },
          "Action": [
            "s3:GetObject",
            "s3:PutObject",
            "s3:PutObjectAcl"
          ],
          "Resource": "arn:aws:s3:::your-bucket-name/*"
        }
      ]
    }
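The manual bucket policy step can be scripted with the AWS CLI. The script below is an added example, not part of this project: it reads the RoleArnForBackupBucketPolicy output from the stack, validates both inputs before placing them in the JSON, and attaches the policy. The script name, stack name and bucket name are placeholders you supply.

```shell
#!/usr/bin/env bash
# Added example: render the backup bucket policy and attach it to the bucket.

# Print the policy JSON for a role ARN and bucket name (both validated first,
# so nothing unexpected is spliced into the document).
render_backup_bucket_policy() {
  local role_arn="$1"
  local bucket="$2"
  case "$role_arn" in
    *[!A-Za-z0-9+=,.@_/:-]*) echo "invalid role ARN" >&2; return 1 ;;
    arn:aws*:iam::[0-9]*:role/?*) ;;
    *) echo "invalid role ARN" >&2; return 1 ;;
  esac
  case "$bucket" in
    ""|*[!a-z0-9.-]*) echo "invalid bucket name" >&2; return 1 ;;
  esac
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "$role_arn" },
      "Action": [ "s3:GetObject", "s3:PutObject", "s3:PutObjectAcl" ],
      "Resource": "arn:aws:s3:::$bucket/*"
    }
  ]
}
EOF
}

# Read RoleArnForBackupBucketPolicy from the stack outputs and apply the policy.
apply_backup_bucket_policy() {
  local stack="$1"
  local bucket="$2"
  local role_arn policy
  role_arn=$(aws cloudformation describe-stacks --stack-name "$stack" \
    --query "Stacks[0].Outputs[?OutputKey=='RoleArnForBackupBucketPolicy'].OutputValue" \
    --output text) || return 1
  policy=$(render_backup_bucket_policy "$role_arn" "$bucket") || return 1
  aws s3api put-bucket-policy --bucket "$bucket" --policy "$policy"
}

# Usage: ./apply-backup-policy.sh <stack-name> <bucket-name>
if [ "$#" -eq 2 ]; then
  apply_backup_bucket_policy "$1" "$2"
fi
```

`put-bucket-policy` replaces any policy already attached to the bucket, so if the bucket has existing statements, merge this statement into them rather than applying it as-is.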