aws-vault command line tool is a utility for securely storing and accessing encrypted AWS credentials for local development environments. It makes it extremely easy to work with IAM assumed roles across multiple AWS organizations.
aws-vault command line tool by 99 Designs is a utility for securely storing and accessing encrypted AWS credentials for use in development environments. This tool makes it extremely easy to work with IAM assumed roles across multiple AWS organizations.
aws-vault has no relationship to the HashiCorp Vault.
- Encrypted vault for IAM credentials (OSX KeyChain or file)
- IAM Metadata server (mocks the EC2 API) to simulate instance profiles for local development
- Prompts for MFA Token
- Variable-length session TTLs
- Compatible with
- Automatic logins to AWS Web Console
This has been incorporated into our latest release of geodesic.
You can install
aws-vault locally, allowing you to authorize to AWS and perform AWS cli actions.
brew cask install aws-vault
Linux Installation (binary)
Download the precompiled binary from the GitHub releases page, unless a package exists for your distro.
sudo curl -o /usr/local/bin/aws-vault https://github.com/99designs/aws-vault/releases/download/v4.2.0/aws-vault-linux-amd64 sudo chmod 755 /usr/local/bin/aws-vault
We recommend using the
file type backend for
aws-vault because this is compatible with Linux, which is needed for Geodesic sessions.
Add the following to your
source ~/.bashrc to update your current session.
- Generate IAM Access Key ID/Secret on your AWS root account via IAM management page in the AWS Console.
Do not define the source profile in
~/.aws/credentials; we’re going to use
aws-vault add for that.
Using the IAM Access Key ID/Secret generated in Step 1, add the
$ aws-vault add example
source_profilecreated in Step 2 to your
[profile example] region=us-west-2
~/.aws/configby adding a profile entry for each AWS account:
Remember to replace the
$aws_account_ids with your account ids and
[email protected]with your IAM username below. We recommend using email addresses for all IAM user accounts associated with human users.
[profile example-staging-admin] region=us-west-2 role_arn=arn:aws:iam::$aws_account_id_for_staging:role/OrganizationAccountAccessRole mfa_serial=arn:aws:iam::$aws_account_id_for_root:mfa/[email protected] source_profile=example
Test that it is all set up properly:
$ aws-vault login example-staging-admin
This should open a browser and log you into the AWS console as the assumed role
Using with Geodesic
aws-vault is available in the geodesic shell. To start the shell, run:
Add your profile to AWS Vault
Now we are ready to configure your AWS credentials. To add your AWS credentials to the encrypted vault run the following command. Remember to replace
example with your source profile name.
aws-vault add example
Most problems stem from misconfiguration.
- Do not define a
- Do not set
- Do not set
--server mode, ensure the following credentials are not exported:
--server binds to the
169.254.169.254 local ip address to mock the AWS metadata server, you can run only one process per host machine. More info can be found here.
unset to delete each of the above variables from your environment and ensure they aren’t exported in your