How do I easily manage all my AWS credentials with AWS-Vault
Wether you are a consultant working with multiple clients or a devops in a company working on different projects with different stages, you surely have to deal with several AWS users credentials.
aws-cli allows you to create different profiles for storing them but today I'd like to introduce a small tool which is super useful, super easy to install and one that I use in my daily work. Here comes aws-vault.
What does aws-vault bring to the table?
The github repo is the best source to follow the evolution of this tool but here is a resume. Aws-vault is a tool to store and manage your AWS credentials easily and securely.
Encrypted storage
Usually when you configure a new user with aws configure
it adds credentials in ~/.aws/credentials
and creates a new profile in ~/.aws/profile
The first issue with this is that it leaves your access and secret keys in clear. Aws-vault use different backends according to your OS to store your credentials in a secure way.
Ease of use
Usually you can switch of profile wether by using the — profile
param or by setting the AWS_PROFILE
environment variable.
aws-vault exec profile -- bash
that's all what you need to spawn a new bash configured with the profile you want. It sets all the necessary environment variables for you.
Compatibility
The cool thing with this tool is that it doesn't replace your config file, it adds a new layer on top of it, so your previous config will still work. That's why 2FA also works and here is how I configure it.
[profile client1]
region=ca-central-1
mfa_serial=arn:aws:iam::43671704xxxx:mfa/sylvain.witmeyer@company.com[profile backup]
region=ca-central-1
role_arn=arn:aws:iam::43671704xxxx:role/Backup
source_profile=client1
Temporary token
Another really nice feature is that aws-vault doesn't inject your access and secret keys into the subshell. It's way smarter and use AWS Security Token Service (STS) to generate a temporary token. It means your credentials don't leaked even in the new shell.
Credential Rotation
That's the cherry on the sundae, we know that we have to rotate our credentials often, but honestly how often do you rotate them ? The process is a bit tedious: create new keys, update your aws-cli, disable the previous ones. Now all of this can be done with a one liner aws-vault rotate profile
Isn't that an easy way to greatly improve the security of your credentials ?
Benefits
- storage of credentials are encrypted
- compatible with previous config
- works with 2FA
- rotate credentials
- super easy to use
How I use it
I often use it from the terminal but I want to show you how I use it in all my Terraform projects for example. After adding a new profile in my vault, I create a makefile to simplify the usage
Tips
If you have nested subshells, you can use this useful command echo $SHLVL
to display how deep you are.
Conclusion
I discovered aws-vault about 1 year ago and I have around 20 accounts configured now. It really saves me a lot of time and I really like the ability to rotate the credentials with a one liner.
I don't really see any drawbacks to use it and maybe this is why this tool has been adopted by most of the people I have introduced it to.