AWS Vault

The aws-vault command line tool by 99 Designs is a utility for securely storing and accessing encrypted AWS credentials for use in local development environments. It makes it extremely easy to work with IAM assumed roles across multiple AWS organizations.

Info

aws-vault has no relationship to the HashiCorp Vault.


Note

This has been incorporated into our latest release of geodesic.

Installation

You can install aws-vault locally, allowing you to authenticate to AWS and perform AWS CLI actions.

OSX Installation

brew cask install aws-vault

Linux Installation (binary)

Download the precompiled binary from the GitHub releases page, unless a package exists for your distro.

sudo curl -o /usr/local/bin/aws-vault https://github.com/99designs/aws-vault/releases/download/v4.2.0/aws-vault-linux-amd64
sudo chmod 755 /usr/local/bin/aws-vault

Local Configuration

We recommend the file backend for aws-vault because it works on Linux, which is required for Geodesic sessions.

Add the following to your ~/.bashrc:

export AWS_VAULT_BACKEND="file"

Then source ~/.bashrc to update your current session.

  1. Generate an IAM Access Key ID/Secret on your AWS root account via the IAM management page in the AWS Console.

Important

Do not define the source profile in ~/.aws/credentials; we’re going to use aws-vault add for that.

  2. Using the IAM Access Key ID/Secret generated in Step 1, add the source_profile:

    $ aws-vault add example
  3. Add the source_profile created in Step 2 to your ~/.aws/config:

    [profile example]
    region=us-west-2
    
  4. Set up your ~/.aws/config by adding a profile entry for each AWS account:

    Important

    Remember to replace the $aws_account_id placeholders with your account IDs and [email protected] with your IAM username below. We recommend using email addresses for all IAM user accounts associated with human users.

    [profile example-staging-admin]
    region=us-west-2
    role_arn=arn:aws:iam::$aws_account_id_for_staging:role/OrganizationAccountAccessRole
    mfa_serial=arn:aws:iam::$aws_account_id_for_root:mfa/[email protected]
    source_profile=example
    
  5. Test that it is all set up properly:

    $ aws-vault login example-staging-admin
    

This should open a browser and log you into the AWS console as the assumed role example-staging-admin.
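As an added example (not part of the original page or of aws-vault itself), the following Python script lints a ~/.aws/config built by the steps above: it checks that each role profile points at a defined source_profile, that the source profile has no plaintext keys in ~/.aws/credentials (the mistake the note above warns against), that mfa_serial is set, and that no $aws_account_id placeholders were left unreplaced. The sample config and credentials are constructed; the account IDs, user name and key values are fake.

```python
import configparser

# Constructed sample ~/.aws/config in the layout the steps above produce: one
# placeholder is deliberately left unreplaced and one profile is deliberately broken.
SAMPLE_CONFIG = """
[profile example]
region=us-west-2
[profile example-staging-admin]
region=us-west-2
role_arn=arn:aws:iam::$aws_account_id_for_staging:role/OrganizationAccountAccessRole
mfa_serial=arn:aws:iam::123456789012:mfa/user@example.com
source_profile=example
[profile example-prod-admin]
region=us-west-2
role_arn=arn:aws:iam::210987654321:role/OrganizationAccountAccessRole
source_profile=missing
"""
# Constructed ~/.aws/credentials that ignores the advice above and keeps the
# source profile's long-lived keys in plain text (values are fake).
SAMPLE_CREDENTIALS = """
[example]
aws_access_key_id=AKIAEXAMPLEKEY000000
aws_secret_access_key=not-a-real-secret
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)  # '$' must stay literal
    cp.read_string(text)
    return cp

def check_aws_config(config_text, credentials_text=""):
    cfg, creds = _parse(config_text), _parse(credentials_text)
    profiles = {s[len("profile "):]: cfg[s] for s in cfg.sections() if s.startswith("profile ")}
    findings = []
    for name, p in profiles.items():
        if "role_arn" not in p:
            continue  # a plain source profile; nothing to assume
        src = p.get("source_profile")
        if src is None:
            findings.append(f"{name}: role profile has no source_profile")
        elif src not in profiles:
            findings.append(f"{name}: source_profile '{src}' is not defined in ~/.aws/config")
        elif creds.has_section(src) and "aws_access_key_id" in creds[src]:
            findings.append(f"{name}: source_profile '{src}' keeps plaintext keys in ~/.aws/credentials; use 'aws-vault add'")
        if "mfa_serial" not in p:
            findings.append(f"{name}: no mfa_serial, so assuming the role will not prompt for MFA")
        for key in ("role_arn", "mfa_serial"):
            if key in p and "$" in p[key]:
                findings.append(f"{name}: {key} still contains an unreplaced $aws_account_id placeholder")
    return findings
```

To lint your own setup, pass the contents of ~/.aws/config and ~/.aws/credentials to check_aws_config and print each finding it returns.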

Using with Geodesic

aws-vault is available in the geodesic shell. To start the shell, run:

> $CLUSTER_NAME

Add your profile to AWS Vault

Now we are ready to configure your AWS credentials. To add them to the encrypted vault, run the following command, replacing example with your source profile name.

aws-vault add example

Troubleshooting

Most problems stem from misconfiguration.

If using --server mode, ensure the following credentials are not exported:

Important

Since aws-vault --server binds to the 169.254.169.254 link-local IP address to mock the AWS instance metadata service, you can run only one such process per host machine. More info can be found here.

Use unset to delete each of the above variables from your environment and ensure they aren’t exported in your ~/.bashrc or ~/.profile.
