AWS Vault

aws-vault, by 99designs, is a command line tool for securely storing and accessing encrypted AWS credentials for use in local development environments. It makes it easy to work with IAM assumed roles across multiple AWS organizations.

Info

aws-vault has no relationship to HashiCorp Vault.

Features:

Note

aws-vault is included in the latest release of Geodesic.

Installation

Installing aws-vault locally lets you authenticate to AWS and run AWS CLI requests from your host computer.

OSX Installation

brew install --cask aws-vault

(Older Homebrew versions used the form brew cask install aws-vault; the cask subcommand has since been removed.)

Linux Installation (binary)

Download the precompiled binary from the GitHub releases page, unless a package exists for your distro. Pin a release you have reviewed (v4.2.0 is the one shown here; substitute the release you want) and verify the downloaded file against a checksum obtained from a trusted source before installing it.

tmp=$(mktemp)
curl -fsSL -o "$tmp" https://github.com/99designs/aws-vault/releases/download/v4.2.0/aws-vault-linux-amd64
sudo install -m 0755 "$tmp" /usr/local/bin/aws-vault

Note the -L flag: GitHub serves release assets through a redirect, and without it curl saves the empty redirect response instead of the binary. Downloading to a temporary file as your own user and then using install(1) under sudo avoids running curl as root.
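The same download with checksum verification wired in, as an added example rather than code from this page or from the aws-vault project. It assumes you obtain the expected SHA-256 digest of the release asset out of band (recent aws-vault releases publish a checksum file; confirm this for the version you pin) and pass it as the second argument; the helper names sha256_of, verify_sha256 and install_aws_vault are this example's own.

```shell
#!/bin/sh
# Added example (not aws-vault's own code): install a pinned aws-vault release
# only after its SHA-256 digest matches one supplied out of band.
# Helper names are this example's own.

sha256_of() {
  # Print the hex SHA-256 of file $1, using whichever tool the host has.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

verify_sha256() {
  # $1 = file, $2 = expected hex digest. Returns 0 only on an exact match.
  actual=$(sha256_of "$1")
  [ -n "$actual" ] && [ "$actual" = "$2" ]
}

install_aws_vault() {
  # $1 = release tag (e.g. v4.2.0), $2 = expected SHA-256 of aws-vault-linux-amd64
  version=$1
  expected=$2
  url="https://github.com/99designs/aws-vault/releases/download/${version}/aws-vault-linux-amd64"
  tmp=$(mktemp) || return 1
  # -L follows GitHub's redirect to the asset store; -f fails on HTTP errors
  # instead of saving an error page as the "binary".
  if ! curl -fsSL -o "$tmp" "$url"; then
    echo "download failed: $url" >&2
    rm -f "$tmp"
    return 1
  fi
  if ! verify_sha256 "$tmp" "$expected"; then
    echo "checksum mismatch for $url; refusing to install" >&2
    rm -f "$tmp"
    return 1
  fi
  # install(1) copies and sets the mode in one step, so the file is never
  # present in /usr/local/bin with the wrong permissions.
  sudo install -m 0755 "$tmp" /usr/local/bin/aws-vault
  rm -f "$tmp"
}

# Usage: install_aws_vault v4.2.0 <sha256 digest from the release page>
```

A mismatch leaves nothing behind in /usr/local/bin, which is the property you want from a supply-chain check: a tampered or truncated download is discarded rather than installed.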

Local Configuration

Set up your ~/.aws/config by adding a profile entry for each AWS account.

Here’s an example of how we do it:

[profile cloudposse-dev-admin]
region=us-west-2
role_arn=arn:aws:iam::29013231371:role/OrganizationAccountAccessRole
mfa_serial = arn:aws:iam::313021614177:mfa/[email protected]
source_profile=cloudposse

Important

Do not define the source profile in ~/.aws/credentials; we’re going to use aws-vault add for that.

We recommend the file backend for aws-vault because it works on Linux, which Geodesic sessions require. The file backend stores credentials encrypted under a passphrase in ~/.awsvault/keys/; aws-vault prompts for that passphrase on each use unless AWS_VAULT_FILE_PASSPHRASE is set, so do not export that variable from ~/.bashrc, or the encryption protects nothing.

Add the following to your ~/.bashrc:

export AWS_VAULT_BACKEND="file"

Then run source ~/.bashrc to update your current session.

Using with Geodesic

aws-vault is available in the Geodesic shell; connect to that shell by running

> $CLUSTER_NAME

Add your profile to AWS Vault

Now we are ready to configure your AWS credentials. To add your AWS credentials to the encrypted vault, run the following command. Replace example with your source profile name (cloudposse in the example config above).

aws-vault add example

Trouble Shooting

Most problems are related to your environment settings.

If using --server mode, make sure you do not have static credentials exported in your shell (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN): the AWS SDK credential chain reads environment variables before it consults the metadata endpoint aws-vault serves, so exported keys silently override the vaulted role.
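A preflight check for the two environment conditions this page warns about (credentials exported in the shell, and a source profile defined in ~/.aws/credentials instead of the vault), added here as an example and not part of the page or of aws-vault. It lists any static credential variables exported in the current shell and any profiles in a credentials file (path given as an argument, ~/.aws/credentials by default) that carry an aws_secret_access_key in plain text. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not aws-vault's own code). Function names are this example's own.

# Static-credential variables that the SDK credential chain reads before it
# consults the metadata endpoint that aws-vault --server provides.
CRED_VARS="AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SECURITY_TOKEN"

check_aws_env() {
  # Print the name of each credential variable that is set (an empty value
  # still counts: it is still read by the SDK). Returns 1 if any were found.
  found=0
  for v in $CRED_VARS; do
    eval "is_set=\${$v+set}"
    if [ -n "$is_set" ]; then
      echo "$v"
      found=1
    fi
  done
  [ "$found" -eq 0 ]
}

clear_aws_env() {
  # Unset the same variables so aws-vault exec / --server take effect.
  for v in $CRED_VARS; do
    unset "$v"
  done
}

check_credentials_file() {
  # Print each profile in $1 (default ~/.aws/credentials) that stores an
  # aws_secret_access_key in plain text. Always returns 0; the caller decides.
  file=${1:-"$HOME/.aws/credentials"}
  [ -f "$file" ] || return 0
  awk '
    /^[ \t]*\[/ { gsub(/\[|\]|[ \t]/, ""); section = $0; next }
    /^[ \t]*aws_secret_access_key[ \t]*=/ && section != "" { print section; section = "" }
  ' "$file"
}

aws_vault_preflight() {
  # Run both checks; return 1 if either finds something that must be fixed
  # before aws-vault exec or aws-vault --server will behave as expected.
  rc=0
  envhits=$(check_aws_env || true)
  if [ -n "$envhits" ]; then
    echo "exported static credentials will override aws-vault:" >&2
    echo "$envhits" | sed 's/^/  /' >&2
    rc=1
  fi
  filehits=$(check_credentials_file "$1")
  if [ -n "$filehits" ]; then
    echo "profiles with plaintext secrets in ${1:-$HOME/.aws/credentials}:" >&2
    echo "$filehits" | sed 's/^/  /' >&2
    rc=1
  fi
  return "$rc"
}
```

Run aws_vault_preflight before starting a session; if it reports exported variables, clear_aws_env removes them from the current shell. Once the environment is clean, aws-vault exec cloudposse-dev-admin -- aws sts get-caller-identity should report the assumed role's ARN rather than the identity behind any stale exported keys.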

References