Protecting your AWS account access keys is critical to protecting your company's cloud infrastructure. Managing several accounts, however, can be complicated and time-consuming. aws-vault secures the storage and management of access keys across many AWS accounts.
What is AWS-Vault?
AWS Vault is a tool to securely store and access AWS credentials in a development environment.
AWS Vault stores IAM credentials in your operating system's secure keystore and then generates temporary credentials from those to expose to your shell and applications. It's designed to be complementary to the AWS CLI tools and is aware of your profiles and configuration in
aws-vault generates temporary credentials using Amazon's STS service via the GetSessionToken or AssumeRole API calls. Because these temporary credentials expire after a short period, the risk posed by a leaked credential is reduced.
The ~/.aws/credentials file is typically located in the home directory of a user on a Unix-like system (such as Linux or macOS), or at C:\Users\USERNAME\.aws\credentials on Windows, and is used by the AWS Command Line Interface (CLI). The file contains sensitive information, including AWS access keys and secret access keys, which provide access to your AWS resources. Personally, I have never been the biggest supporter of ~/.aws/credentials because of its vulnerability to potentially malicious actors.
aws-vault can be installed by downloading the latest release, or with a package manager:
On Windows with Chocolatey:
choco install aws-vault
On macOS with Homebrew Cask:
brew install --cask aws-vault
On Linux with Homebrew on Linux:
brew install aws-vault
The backends in which credentials are stored include:
NB - Gnome Keyring and KWallet can be used on Windows when using WSL.
Add the AWS region in ~/.aws/config before adding a profile:
[default]
region = us-east-1
Add an AWS-Vault profile
# Store AWS credentials for the "jonsmith" profile
$ aws-vault add jonsmith
Enter Access Key Id: ABDCDEFDASDASF
Enter Secret Key: %%%

# Execute a command (using temporary credentials)
$ aws-vault exec jonsmith -- aws s3 ls
bucket_1
bucket_2

# Open a browser window and log in to the AWS Console
$ aws-vault login jonsmith

# List credentials
$ aws-vault list
Profile                  Credentials              Sessions
=======                  ===========              ========
jonsmith                 jonsmith                 sts.GetSessionToken:46m29s

# Start a subshell with temporary credentials
$ aws-vault exec jonsmith
Starting subshell /bin/zsh, use `exit` to exit the subshell
$ aws s3 ls
bucket_1
bucket_2
AWS-Vault with Roles and MFA
Using roles and multi-factor authentication (MFA) is an important best practice for enhancing security when working with AWS. As such, you need to create an IAM user and roles, in addition to setting up an MFA device, whether virtual or physical.
The diagram below depicts a typical setup of an AWS Organization.
[default]
region = us-east-1

[profile jonsmith]
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith
region = us-east-1

[profile Development-Role]
source_profile = jonsmith
region = us-east-1
role_arn = arn:aws:iam::22222222222:role/Development
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

[profile Staging-Role]
source_profile = jonsmith
region = us-east-1
role_arn = arn:aws:iam::22222222222:role/Staging
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

[profile DevOps-Role]
source_profile = jonsmith
region = us-east-1
role_arn = arn:aws:iam::333333333333:role/DevOps
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

[profile Security-Role]
source_profile = jonsmith
region = us-east-1
role_arn = arn:aws:iam::333333333333:role/Security
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith
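A config like the one above only enforces MFA if every role profile actually carries it. The following added example (not part of this post or of aws-vault) is a small linter for the ~/.aws/config format that flags role profiles with no mfa_serial on the role or its source profile, or with a source_profile that is missing or undefined; the sample config, profile names and account ids are constructed.

```python
import configparser

# Constructed sample in the ~/.aws/config layout shown above: a role set up the
# way the page does it, plus one role with no MFA anywhere in its chain and one
# whose source_profile does not exist. Account ids and names are made up.
SAMPLE_CONFIG = """\
[profile jonsmith]
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith
region = us-east-1

[profile ci]
region = us-east-1

[profile Development-Role]
source_profile = jonsmith
role_arn = arn:aws:iam::222222222222:role/Development
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

[profile Deploy-Role]
source_profile = ci
role_arn = arn:aws:iam::222222222222:role/Deploy

[profile Orphan-Role]
source_profile = nobody
role_arn = arn:aws:iam::333333333333:role/Orphan
"""


def parse_profiles(text):
    """Map profile name -> {key: value}; the CLI writes '[profile X]' headers."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {s.removeprefix("profile "): dict(cp[s]) for s in cp.sections()}


def lint_role_profiles(text):
    """Return sorted (profile, finding) pairs for every profile with a role_arn.
    MFA is accepted on the role or on its source profile (the page sets both)."""
    profiles = parse_profiles(text)
    findings = []
    for name, keys in profiles.items():
        if "role_arn" not in keys:
            continue  # plain credential profile, nothing to assume
        source = profiles.get(keys.get("source_profile", ""))
        if source is None:
            findings.append((name, "source_profile missing or not defined"))
        if "mfa_serial" not in keys and not (source and "mfa_serial" in source):
            findings.append((name, "role can be assumed without MFA"))
    return sorted(findings)
```

Point it at your real file with `lint_role_profiles(open(os.path.expanduser("~/.aws/config")).read())` to get an empty list when every role chain requires MFA.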
Refer to the AWS-Vault official repo for additional info: