Because anyone who gets access to your computer can read your .aws/credentials file.
When you use the AWS CLI to talk to your AWS infrastructure, the first thing you have to do is add your programmatic credentials (aws_access_key_id and aws_secret_access_key) to the AWS CLI's shared credentials file, ~/.aws/credentials. Unfortunately this file is stored in plaintext: anyone who gets access to your local account, and any process running as your user, can read the long-lived keys and use them from anywhere.
This is where aws-vault comes in handy.
Installation is quite simple and well described on the project’s GitHub page.
I did my installation by downloading the binary from the GitHub releases page, renaming it to aws-vault and copying it to my local ~/bin directory.
After successful installation, I checked if aws-vault starts without issues:
$ aws-vault --version
v6.2.0
aws-vault uses your AWS CLI configuration file ~/.aws/config to load the AWS configuration. All the profiles from this file are imported into aws-vault. For example:
[profile admin]
region=eu-west-1
output=text
[profile order-dev]
region=eu-west-2
output=json
[profile order-staging-admin]
include_profile = admin
role_arn=arn:aws:iam::123456789:role/administrators
will be imported into aws-vault as:
$ aws-vault list
Profile                  Credentials              Sessions
=======                  ===========              ========
admin                    admin                    -
order-dev                order-dev                -
order-staging-admin      order-staging-admin      -
Now we have three profiles, and we add credentials for them with the command aws-vault add <profile>. Note that order-staging-admin assumes a role using the credentials of the profile it includes (admin), so it does not need an access key of its own:
$ aws-vault add admin
Enter Access Key ID: ABDCDEFDASDASF
Enter Secret Access Key: %
Added credentials to profile "admin" in vault
Credentials are stored in one of the vaulting backends available on your system (on Linux: the Secret Service API used by GNOME Keyring, KWallet, pass, or a passphrase-encrypted file; the backend can be selected with --backend or the AWS_VAULT_BACKEND environment variable). My system uses GNOME Keyring to store secrets, passwords, keys and certificates, and with the Seahorse application I can check which credentials are stored in the awsvault keychain.
Our profiles and credentials are now safely stored in GNOME Keyring, and we can use them with the AWS CLI or Terraform.
We can tell the application directly to use the credentials provided by aws-vault. By default aws-vault exec requests temporary credentials from STS (GetSessionToken, or AssumeRole for role profiles) and passes only those to the child process through environment variables, so the long-lived key never leaves the keyring:
$ aws-vault exec admin -- aws s3 ls
bucket_1
bucket_2
or use the ~/.aws/credentials file to tell the application how to obtain the credentials for a specific profile. To do this, create a new ~/.aws/credentials file (containing no aws_secret_access_key lines at all) and add:
[admin]
credential_process = aws-vault exec admin --no-session --json
Note that --no-session makes aws-vault return the long-lived key from the keyring in the JSON instead of a temporary STS session token; omit the flag if the calling tool should only ever see session credentials. With this configuration in place, we can run our aws s3 ls command without aws-vault in front:
$ aws --profile admin s3 ls
bucket_1
bucket_2
It also works with the profile argument of the Terraform AWS provider.
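The procedure above boils down to two things: no plaintext aws_secret_access_key should remain in ~/.aws/credentials, and each profile should instead carry a credential_process line that delegates to aws-vault. The script below is an added example (not part of the aws-vault project or of the original post) that checks a credentials file for leftover plaintext keys, verifies the file is not readable by other users, and prints the replacement stanza for each offending profile. The function names, the constructed sample file and the AWS documentation placeholder keys it contains are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the aws-vault project: audit a shared credentials
# file for long-lived keys kept in plaintext and print the credential_process
# stanza that delegates the lookup to aws-vault instead. Function names and the
# sample file below are this example's own assumptions.

# Write a constructed sample credentials file to $1. The key values are the
# placeholders from the AWS documentation, not real credentials.
write_sample_credentials() {
    cat > "$1" <<'EOF'
[admin]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[order-dev]
credential_process = aws-vault exec order-dev --json
EOF
}

# Print the name of every profile in $1 that still stores an
# aws_secret_access_key in plaintext. Exit status 1 if any was found, 0 if clean.
plaintext_key_profiles() {
    found=0
    profile=""
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            \[*\])
                profile=${line#\[}
                profile=${profile%\]} ;;
            aws_secret_access_key*=*|[[:space:]]*aws_secret_access_key*=*)
                printf '%s\n' "$profile"
                found=1 ;;
        esac
    done < "$1"
    return "$found"
}

# Succeed only if $1 is readable by its owner alone (mode 0600 or 0400).
# GNU stat is tried first, BSD/macOS stat as a fallback.
credentials_file_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case $mode in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the ~/.aws/credentials stanza that hands profile $1 to aws-vault.
# Without --no-session, aws-vault returns temporary STS credentials, so the
# long-lived key never leaves the keyring.
credential_process_stanza() {
    printf '[%s]\ncredential_process = aws-vault exec %s --json\n' "$1" "$1"
}

# Demo on the constructed sample file.
tmp=$(mktemp -d)
write_sample_credentials "$tmp/credentials"
credentials_file_private "$tmp/credentials" || echo "warning: $tmp/credentials is readable by other users"
if leaked=$(plaintext_key_profiles "$tmp/credentials"); then
    echo "no plaintext secret keys found"
else
    echo "plaintext secret keys found in: $leaked"
    echo "replace them with:"
    for p in $leaked; do credential_process_stanza "$p"; done
fi
rm -rf "$tmp"
```

Run it against your real file with plaintext_key_profiles ~/.aws/credentials after sourcing the script; a clean file produces no output and exit status 0, which makes the check usable as a pre-commit or login hook.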
More information on setup and usage can be found in the project's GitHub repository, which you should definitely look at.