Authenticate with AWS inside Geodesic using
Learn how to authenticate within Geodesic using AWS IAM Credentials and
In this how-to, we’ll provide a quick step-by-step guide on authenticating with AWS inside Geodesic.
You’ll need to have an AWS Account with the ability to create credentials and have Docker installed on your local machine. That’s all.
We expect you’ve gone through the tutorial on “Getting started with Geodesic” prior to this How-To since that contains some important understanding of what Geodesic is, how it works, and what it’s doing.
1. Install and start Geodesic
First, at your terminal, let’s install Geodesic!
docker run cloudposse/geodesic:latest-debian | bash
This will install Geodesic as a script at
/usr/local/bin/geodesic, which you can then invoke like so:
This small script is just a wrapper around running Geodesic via
docker with a couple extra options (like mounting
/localhost). It should drop you into the Geodesic shell like you would expect.
2. Authenticate with AWS + aws-vault
Geodesic ships with
aws-vault to help manage our credentials and retrieve access tokens from AWS to provide us with authenticated sessions. To set up a new profile, first create a new IAM user and programmatic Access Key ID and Secret Key and be sure to copy those values down somewhere. Now, in your Geodesic shell, let’s do the following:
# Since our Geodesic shell is on Linux, let's use the file backend which Linux supports. # NOTE: It's not possible to use the OSX Keychain with `aws-vault` running inside of a Docker container. export AWS_VAULT_BACKEND=file # Add our new credentials to aws-vault under whatever profile name you would like. i.e. replace $YOUR_PROFILE_NAME # This will prompt you for the Access Key ID and Secret Key that you copied down earlier, which you should input. aws-vault add $YOUR_PROFILE_NAME
Now we’ve added our credentials to
aws-vault and we can easily use
aws-vault exec to execute an authenticated command on the AWS CLI like so:
# List all the buckets in your account: aws-vault exec $YOUR_PROFILE_NAME -- aws s3 ls # Or get some information on your user: aws-vault exec luke.skywalker -- aws sts get-caller-identity
3. Start a AWS Profile Session
That’s cool… but what about if you want to start a full blown session as the profile you added so you don’t need to keep typing
aws-vault exec? Well, Geodesic comes bundled with a handy
assume-role utility that you can use to do that. First though, we need to update our
/localhost/.aws/config file to support
aws-vault. To do that, on your local machine, open up
$HOME/.aws/config with your favorite editor and add the following config entry:
# ... your existing AWS Config file contents ... [profile $YOUR_PROFILE_NAME] credential_process = aws-vault exec $YOUR_PROFILE_NAME --json
Great, now that we’ve set that up, our profile is ready to use with our
# Now we run `assume-role` with our newly created profile and this will start a new shell session which is authenticated as that profile for us. assume-role $YOUR_PROFILE_NAME # We should now see our profile name in our command line prompt and we can now run our AWS CLI # commands without having to manually invoke `aws-vault exec` each time aws s3 ls aws sts get-caller-identity
Here is a simple use-case of setting up a set of AWS credentials within Geodesic, but there is plenty more you can do here since Geodesic also comes bundled with
aws-google-auth. Use what works for you and your organization!