aws-vault by 99 Designs is a vault for securely storing and accessing encrypted AWS credentials for use in development environments. This tool makes it extremely easy to work with IAM assumed roles across multiple AWS organizations.
aws-vault has no relationship to the HashiCorp Vault.
- Encrypted vault for IAM credentials (OSX KeyChain or file)
- IAM Metadata server (mocks the EC2 API) to simulate instance profiles for local development
- Prompts for MFA Token
- Variable-length session TTLs
- Compatible with
- Automatic logins to AWS Web Console
This has been incorporated into our latest release of geodesic.
You can also install AWS Vault locally, which lets you authenticate to AWS and run AWS CLI requests from your host computer.

```shell
brew cask install aws-vault
```
Download the precompiled binary from the GitHub releases page, unless a package exists for your distro.
```shell
sudo curl -o /usr/local/bin/aws-vault https://github.com/99designs/aws-vault/releases/download/v4.2.0/aws-vault-linux-amd64
sudo chmod 755 /usr/local/bin/aws-vault
```

Configure `~/.aws/config` by adding a profile entry for each AWS account.
Here's an example of how we do it:
```ini
[profile cloudposse-dev-admin]
region=us-west-2
role_arn=arn:aws:iam::29013231371:role/OrganizationAccountAccessRole
mfa_serial = arn:aws:iam::313021614177:mfa/[email protected]
source_profile=cloudposse
```

Do not define the source profile in `~/.aws/credentials`; we're going to use `aws-vault add` for that.

We recommend using the `file` type backend for `aws-vault` because this is compatible with Linux, which is needed for Geodesic sessions.
Add the following to your
Run `source ~/.bashrc` to update your current session.

AWS Vault is available in the geodesic shell - just connect to that shell by running

Now we are ready to configure your AWS credentials. To add your AWS credentials to the encrypted vault, run the following command. Remember to replace `example` with your source profile name.

```shell
aws-vault add example
```
Most problems are related to your environment settings.
- Make sure you do not define a
- Make sure `AWS_SDK_LOAD_CONFIG` is not set
- Make sure `AWS_SHARED_CREDENTIALS_FILE` is not set
- In `--server` mode, make sure you do not have credentials exported: use `unset` to delete them from your environment and make sure they aren't exported in your
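The checks in the troubleshooting list above, together with the earlier rule that the source profile must not appear in `~/.aws/credentials`, collected into one preflight script. This is an added example, not part of aws-vault or geodesic; the function name `aws_vault_preflight` and the optional credentials-file argument are this example's own choices.

```shell
#!/bin/sh
# Preflight check for aws-vault (added example, not aws-vault or geodesic code).
# Usage: aws_vault_preflight <source_profile> [credentials_file]
# Returns 0 when the environment is clean, 1 when something needs fixing.
aws_vault_preflight() {
  profile="$1"
  creds_file="${2:-$HOME/.aws/credentials}"
  problems=0
  [ -n "$profile" ] || { echo "usage: aws_vault_preflight <source_profile> [credentials_file]" >&2; return 2; }

  # 1. Static credentials exported into the shell shadow the session
  #    credentials aws-vault hands out (this is what breaks --server mode).
  for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; do
    eval "val=\${$var:-}"
    if [ -n "$val" ]; then
      echo "FAIL: $var is exported; run: unset $var"
      problems=$((problems + 1))
    fi
  done

  # 2. These variables change how the AWS SDK resolves config and
  #    credentials and must not be set when using aws-vault.
  for var in AWS_SDK_LOAD_CONFIG AWS_SHARED_CREDENTIALS_FILE; do
    eval "val=\${$var:-}"
    if [ -n "$val" ]; then
      echo "FAIL: $var is set; run: unset $var"
      problems=$((problems + 1))
    fi
  done

  # 3. The source profile belongs in the vault only, never in ~/.aws/credentials.
  if [ -f "$creds_file" ] && grep -Eq "^\[[[:space:]]*(profile[[:space:]]+)?$profile[[:space:]]*]" "$creds_file"; then
    echo "FAIL: '$profile' is defined in $creds_file; remove it and use: aws-vault add $profile"
    problems=$((problems + 1))
  fi

  if [ "$problems" -eq 0 ]; then
    echo "OK: environment is clean for aws-vault source profile '$profile'"
    return 0
  fi
  return 1
}

# Run directly with a profile name, e.g.: sh preflight.sh cloudposse
if [ -n "${1:-}" ]; then
  aws_vault_preflight "$1" "${2:-}"
fi
```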