How do I easily manage all my AWS credentials with AWS-Vault

Sylvain Witmeyer
3 min readAug 10, 2020

--

Wether you are a consultant working with multiple clients or a devops in a company working on different projects with different stages, you surely have to deal with several AWS users credentials.

aws-cli allows you to create different profiles for storing them but today I'd like to introduce a small tool which is super useful, super easy to install and one that I use in my daily work. Here comes aws-vault.

What does aws-vault bring to the table?

The github repo is the best source to follow the evolution of this tool but here is a resume. Aws-vault is a tool to store and manage your AWS credentials easily and securely.

Encrypted storage

Usually when you configure a new user with aws configure it adds credentials in ~/.aws/credentials and creates a new profile in ~/.aws/profile

The first issue with this is that it leaves your access and secret keys in clear. Aws-vault use different backends according to your OS to store your credentials in a secure way.

Ease of use

Usually you can switch of profile wether by using the — profile param or by setting the AWS_PROFILE environment variable.

aws-vault exec profile -- bash that's all what you need to spawn a new bash configured with the profile you want. It sets all the necessary environment variables for you.

Compatibility

The cool thing with this tool is that it doesn't replace your config file, it adds a new layer on top of it, so your previous config will still work. That's why 2FA also works and here is how I configure it.

[profile client1]
region=ca-central-1
mfa_serial=arn:aws:iam::43671704xxxx:mfa/sylvain.witmeyer@company.com

[profile backup]
region=ca-central-1
role_arn=arn:aws:iam::43671704xxxx:role/Backup
source_profile=client1

Temporary token

Another really nice feature is that aws-vault doesn't inject your access and secret keys into the subshell. It's way smarter and use AWS Security Token Service (STS) to generate a temporary token. It means your credentials don't leaked even in the new shell.

Credential Rotation

That's the cherry on the sundae, we know that we have to rotate our credentials often, but honestly how often do you rotate them ? The process is a bit tedious: create new keys, update your aws-cli, disable the previous ones. Now all of this can be done with a one liner aws-vault rotate profile

Isn't that an easy way to greatly improve the security of your credentials ?

Benefits

  • storage of credentials are encrypted
  • compatible with previous config
  • works with 2FA
  • rotate credentials
  • super easy to use

How I use it

I often use it from the terminal but I want to show you how I use it in all my Terraform projects for example. After adding a new profile in my vault, I create a makefile to simplify the usage

Tips

If you have nested subshells, you can use this useful command echo $SHLVL to display how deep you are.

Conclusion

I discovered aws-vault about 1 year ago and I have around 20 accounts configured now. It really saves me a lot of time and I really like the ability to rotate the credentials with a one liner.

I don't really see any drawbacks to use it and maybe this is why this tool has been adopted by most of the people I have introduced it to.

--

--