AWS Vault
Let me tell you about a neat little tool I recently discovered to make AWS logins easier. It's called AWS Vault, and it's developed by a third party named 99designs. The link to the GitHub repository is here.
AWS Vault allows you to store IAM credentials in your OS keystore and then generates temporary credentials from those for use in your chosen shell. I myself use Windows and PowerShell.
Here is a run-through of the install process I followed. Make sure you already have the AWS CLI installed, as the profiles and configuration located in ~/.aws/config are used as part of AWS Vault's configuration.
Install Chocolatey
There are a number of different ways to install AWS Vault, one of them being Chocolatey. I have seen so many references to Chocolatey that I decided this approach would be the most useful for myself.
It's a simple one-liner to get it installed from PowerShell (note the semicolon after -Force, which separates the three statements; without it the first statement fails to parse):
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
Install AWS Vault
Next, simply run the following command in PowerShell to install AWS Vault:
choco install aws-vault
Configuring AWS Vault
Now run the command to add IAM credentials to the credential store. This will prompt you for the Access Key ID and Secret Key of your IAM user. The secret key is only shown once in the AWS console, so you may need to create a new key pair.
aws-vault add <myiamuser>
Enter Access Key ID: XXXXXXXXXX
Enter Secret Key: XXXXXXXXXXXXX
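The profile name you pass to aws-vault add must match a profile in ~/.aws/config, which is where AWS Vault also learns about regions, MFA devices and roles to assume. The following config is an added example, not from the original post or the AWS Vault project; the profile names, account id, MFA device and role name are placeholders.

```ini
# ~/.aws/config (constructed example; names and ARNs are placeholders)

# Base profile: the long-lived keys added with "aws-vault add will" live in
# the OS keystore under this name. With mfa_serial set, AWS Vault prompts
# for a code and includes it in the GetSessionToken call.
[profile will]
region = eu-west-2
mfa_serial = arn:aws:iam::123456789012:mfa/will

# Role profile: no keys are stored for it at all. AWS Vault uses the "will"
# credentials to call AssumeRole and hands the child process only the
# short-lived role credentials.
[profile will-deploy]
source_profile = will
role_arn = arn:aws:iam::123456789012:role/DeployRole
region = eu-west-2
```

With this in place, aws-vault exec will-deploy -- sam deploy runs the deployment under the role rather than the IAM user. Note that --no-session skips the GetSessionToken step for a plain profile, so the stored long-lived keys are exported directly to the child process; use it only where a service rejects session tokens.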
Now you should be all set to utilise the convenience of stored credentials.
For me, the biggest feature is the ability to log in to the AWS console as any of your saved users.
For example, I run aws-vault login will from PowerShell, which logs me in to the AWS console for a short period of time, enough for me to complete anything I may need.
I have recently started using AWS SAM to wrap around some CloudFormation code I have been playing with. All I need to do to deploy my updates is type aws-vault exec will --no-session -- sam deploy and the job is done, no credentials needed!
How it works
AWS Vault uses Amazon's STS service to generate temporary credentials via the GetSessionToken or AssumeRole API calls. These expire in a short period of time, so the risk of leaking credentials is reduced.
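A quick way to see this for yourself is to inspect what AWS Vault actually hands to the child process. The script below is an added example, not part of the original post or of AWS Vault; it is meant to be run as aws-vault exec will -- pwsh -File .\Check-AwsSessionEnv.ps1. AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN are the standard SDK variable names; the expiry variable name AWS_CREDENTIAL_EXPIRATION and the Get-AwsCredentialKind function are assumptions of this example.

```powershell
# Check-AwsSessionEnv.ps1 (added example; not from the original post or AWS Vault)
# Usage: aws-vault exec will -- pwsh -File .\Check-AwsSessionEnv.ps1

function Get-AwsCredentialKind {
    param(
        [string]$AccessKeyId  = $env:AWS_ACCESS_KEY_ID,
        [string]$SessionToken = $env:AWS_SESSION_TOKEN,
        # Assumption: AWS Vault exposes the expiry under this name in your version.
        [string]$Expiration   = $env:AWS_CREDENTIAL_EXPIRATION
    )

    if (-not $AccessKeyId) {
        return [pscustomobject]@{ Kind = 'none'; Expires = $null; MinutesLeft = $null }
    }

    # STS temporary credentials carry a session token and an access key id
    # beginning with "ASIA"; long-lived IAM user keys have no token and
    # begin with "AKIA".
    $isTemporary = [bool]$SessionToken -and $AccessKeyId.StartsWith('ASIA')

    $expires = $null
    $minutesLeft = $null
    if ($Expiration) {
        $expires = [datetimeoffset]::Parse($Expiration, [cultureinfo]::InvariantCulture)
        $minutesLeft = [math]::Round(($expires - [datetimeoffset]::UtcNow).TotalMinutes, 1)
    }

    [pscustomobject]@{
        Kind        = if ($isTemporary) { 'temporary' } else { 'long-lived' }
        Expires     = $expires
        MinutesLeft = $minutesLeft
    }
}

$result = Get-AwsCredentialKind
$result | Format-List

# A long-lived key in the child environment means the STS step was skipped
# (for example with --no-session), so the leak-reduction benefit does not apply.
if ($result.Kind -eq 'long-lived') {
    Write-Warning 'Long-lived IAM keys are exposed to this process; consider dropping --no-session.'
}
```

Run it once with and once without --no-session on the same profile: the default run reports temporary credentials with an expiry a short time in the future, while the --no-session run reports the long-lived keys that never expire on their own.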