How to use aws-vault to store your AWS credentials

October 8, 2020    Blog Post

Because anyone who gets access to your computer can read your .aws/credentials file.

Introduction

When you use the AWS CLI to talk to your AWS infrastructure, the first thing you have to do is add your AWS programmatic credentials (aws_access_key_id and aws_secret_access_key) to the AWS CLI configuration file. Unfortunately, this file is not encrypted: anyone who gets access to your local account can read it.

This is where aws-vault comes in handy.

Installation

Installation is quite simple and well described on the project’s GitHub page.

I did my installation by downloading the binary file from the GitHub release folder, renamed it to aws-vault and copied it to my local ~/bin directory.

After successful installation, I checked if aws-vault starts without issues:

$ aws-vault --version
v6.2.0

Configuration

aws-vault uses your AWS CLI configuration file ~/.aws/config to load the AWS configuration. All settings and profiles from this file are imported into aws-vault. For example:

[profile admin]
region=eu-west-1
output=text

[profile order-dev]
region=eu-west-2
output=json

[profile order-staging-admin]
include_profile = admin
role_arn=arn:aws:iam::123456789:role/administrators

will be imported into aws-vault as:

$ aws-vault list
Profile                  Credentials              Sessions                 
=======                  ===========              ========                 
admin                    admin                    -                        
order-dev                order-dev                -                        
order-staging-admin      order-staging-admin      -   

Now we have 3 profiles, and we have to add credentials for each of them with the aws-vault add <profile> command:

$ aws-vault add admin
Enter Access Key ID: ABDCDEFDASDASF
Enter Secret Access Key: %
Added credentials to profile "admin" in vault

Credentials are securely stored in one of the vaulting backends available on your system. My system uses GnomeKeyring to store secrets, passwords, keys and certificates, and using the Seahorse application I can check which credentials are stored in the awsvault keychain.

Usage

We now have our profiles and credentials safely stored in GnomeKeyring and can use them with the AWS CLI or Terraform.

We can tell our application directly to use the credentials provided by aws-vault:

$ aws-vault exec admin -- aws s3 ls
bucket_1
bucket_2

or use the .aws/credentials file to tell the application how to obtain the AWS credentials for a specific profile. To do this, create a new .aws/credentials file and add:

[admin]
credential_process = aws-vault exec admin --no-session --json

With this configuration in place, we can run our aws s3 ls command without prefixing it with aws-vault:

$ aws --profile admin s3 ls
bucket_1
bucket_2
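The post adds the credential_process line for a single profile by hand and, in the introduction, warns about plaintext keys in .aws/credentials. The script below, an added example that is not part of the original post or of the aws-vault project, generalises both points: it reads every profile out of a ~/.aws/config style file, emits a credentials file in which each profile delegates to aws-vault exec --no-session --json, and then audits the resulting file for any aws_secret_access_key line that would mean a plaintext key is still on disk. The config path, profile names and key values it uses are constructed sample data, not real credentials.

```shell
#!/bin/sh
# Added example (not from the original post or the aws-vault project):
# build a ~/.aws/credentials file that delegates every profile to aws-vault
# via credential_process, then check that no plaintext secret key remains.

# Print the profile names declared in an AWS CLI config file.
# "[profile name]" sections and the bare "[default]" section are both recognised.
list_profiles() {
    sed -n 's/^\[profile \([^]]*\)\]$/\1/p; s/^\[default\]$/default/p' "$1"
}

# Emit one credentials-file stanza per profile.
# --no-session hands out the stored key rather than an STS session token
# (the setting used in the post); --json is the output format the AWS CLI's
# credential_process protocol expects.
gen_credential_process_stanzas() {
    list_profiles "$1" | while IFS= read -r profile; do
        printf '[%s]\ncredential_process = aws-vault exec %s --no-session --json\n\n' \
            "$profile" "$profile"
    done
}

# Return 0 (true) if the file still carries a plaintext secret key,
# i.e. the migration to aws-vault is incomplete and the key should be removed.
has_plaintext_secret() {
    grep -qi '^[[:space:]]*aws_secret_access_key[[:space:]]*=' "$1"
}

# Demonstration on a constructed sample config (no real account is touched).
demo_dir=$(mktemp -d)
cat > "$demo_dir/config" <<'EOF'
[profile admin]
region=eu-west-1
output=text

[profile order-dev]
region=eu-west-2
output=json
EOF
gen_credential_process_stanzas "$demo_dir/config" > "$demo_dir/credentials"
cat "$demo_dir/credentials"
if has_plaintext_secret "$demo_dir/credentials"; then
    echo "WARNING: plaintext aws_secret_access_key still present" >&2
else
    echo "OK: credentials file contains no plaintext secret keys"
fi
rm -rf "$demo_dir"
```

Run it once, compare the generated stanzas with your existing ~/.aws/credentials, and only then replace the file; the audit function is the check to repeat after any manual edit, since a single leftover aws_secret_access_key line reintroduces the exposure the post describes.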

It also works with the profile defined in the Terraform code.

More information on setup and usage can be found in the project’s GitHub repository, which you should definitely look at.