Use AWS-Vault to manage access to AWS
AWS-Vault is a tool for securely controlling your access to AWS. It keeps your long-lived IAM access key in your operating system's keystore and hands short-lived temporary credentials to the AWS CLI and SDKs, which makes it especially useful when assuming or switching roles, for example when you need admin rights in AWS.
AWS-Vault is an open-source GitHub project. In this example I will be using macOS, but the same process works on other Unix-based systems such as Linux. AWS-Vault documentation: https://github.com/99designs/aws-vault
Install options for other operating systems are listed in Step 1.
Step 1 – Install AWS-Vault
There are several ways to install AWS-Vault:
- on Windows with Chocolatey:
choco install aws-vault
- on Windows with Scoop:
scoop install aws-vault
- on Linux with Homebrew:
brew install aws-vault
- on Arch Linux:
pacman -S aws-vault
- on FreeBSD:
pkg install aws-vault
- with Nix:
nix-env -i aws-vault
An example install of AWS-Vault with Homebrew on macOS
This example installs AWS-Vault on macOS; the process is almost identical on Linux distributions where Homebrew is available. My preferred tool for installing packages on macOS is Homebrew.
Visit https://brew.sh to find out more.
Open a terminal session. I will be using iTerm2, but the built-in Terminal works just as well.
The installation command requires Homebrew. If you do not already have Homebrew installed, run the official installer (read the script first, since this pipes a download straight into your shell):
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
Now install AWS-Vault and the AWS CLI (these are two separate commands; the old brew cask install form has been removed from Homebrew, so use the --cask flag):
brew install --cask aws-vault
brew install awscli
Step 2 – Create an Access Key in the AWS Console
AWS-Vault needs an IAM access key (an Access Key ID and a Secret Access Key) for your user; it stores that key and uses it to request temporary credentials.
Log in to AWS Console https://aws.amazon.com/console/
- Go to IAM → Users → your user
- Go to the Security credentials tab
- Select Create access key and copy both the Access Key ID and the Secret Access Key. The secret is shown only once, and it should go straight into AWS-Vault in Step 3 rather than into ~/.aws/credentials or any other plaintext file.
Step 3 – Add the access key to AWS-Vault
Return to your macOS terminal and enter the following:
aws-vault add prod
Note - substitute prod with whatever you want to call the profile (for example non-prod). The name must match the one you reference from ~/.aws/config in Step 4.
Enter the Access Key ID and Secret Access Key when prompted. On macOS the first run creates a keychain named aws-vault and asks you to set a password for it; that password is what protects the long-lived key from then on.
These are the values you created in Step 2 (AWS console > IAM > Users > <Your User ID> > Security credentials).
Step 4 – Create / Update your local AWS config
Edit your AWS Config File (typically located at ~/.aws/config)
nano ~/.aws/config
Do not run the editor with sudo: the file lives in your own home directory, and editing it as root can leave it root-owned and unreadable by the CLI running as you.
and add the below configuration:
[default]
region=my_region
output=json
credential_process=aws-vault exec prod -j

[profile myprofile1]
credential_process=aws-vault exec prod -j

[profile myprofile_admin]
source_profile=myprofile1
role_arn=arn:aws:iam::XXXXXXXXXXXX:role/my-admin-role
mfa_serial=arn:aws:iam::XXXXXXXXXXXX:mfa/my_mfa
Note - Substitute my_region, role_arn and mfa_serial with your details from the AWS Console; the account ID inside each ARN is your 12-digit AWS account number. The -j flag makes aws-vault emit credentials in the JSON format the credential_process interface expects, and prod must be the profile name you chose in Step 3. Setting mfa_serial on the role profile means the role can only be assumed after a valid MFA code is entered.
Step 5 – Log into AWS using AWS-Vault
To open the AWS console with the credentials stored under prod
Open a terminal session and type
aws-vault login prod
You will be prompted for your local keystore password; aws-vault then requests temporary credentials and opens the AWS console in your browser signed in as the prod user. To open the console already switched into the admin role, give login the role profile name (myprofile_admin) instead of prod: aws-vault will then also prompt for the MFA code from mfa_serial before assuming the role.
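Before running Step 5 it is worth checking the file you wrote in Step 4, because a mistyped source_profile, a placeholder account ID left in an ARN, or a wrong mfa_serial only shows up as a failed login. The script below is an added example and is not part of the original article or of the aws-vault project. It lints an ~/.aws/config for exactly those mistakes and also checks that ~/.aws/credentials no longer holds a plaintext secret key. The profile names, the region, and the 12-digit account ID 123456789012 in the constructed sample configs are made up, and the sample files are generated inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original article or the aws-vault project.
# Lints an ~/.aws/config written for the Step 4/5 flow before `aws-vault login`,
# catching what otherwise only surfaces as a failed login or a confusing error:
#   - a profile with role_arn but no source_profile, or a source_profile that
#     is not defined anywhere in the file;
#   - a role_arn or mfa_serial whose account ID is not exactly 12 digits
#     (the XXXXXXXXXXXX placeholders must become your real account number);
#   - an mfa_serial that is not an IAM MFA ARN (arn:aws:iam::<acct>:mfa/<name>).
# It also checks that ~/.aws/credentials no longer holds a plaintext secret key,
# which would defeat the point of keeping the key in the keychain.
# Needs only POSIX sh and awk. Profile names and ARNs below are made up.

# Usage: lint_aws_config ~/.aws/config  (prints one line per problem, exit 1 if any)
lint_aws_config() {
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
  awk '
    # arn:aws:iam::123456789012:role/name splits on ":" into 6 fields
    function arn_ok(arn, kind,   a) {
      split(arn, a, ":")
      return a[1] == "arn" && a[2] == "aws" && a[3] == "iam" && a[4] == "" &&
             length(a[5]) == 12 && a[5] ~ /^[0-9]+$/ && index(a[6], kind "/") == 1
    }
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^\[.*\]/ {                            # "[default]" or "[profile name]"
      sec = trim(substr($0, 2, index($0, "]") - 2))
      sub(/^profile[ \t]+/, "", sec)
      if (!(sec in defined)) { order[++n] = sec; defined[sec] = 1 }
      next
    }
    /^[ \t]*([#;]|$)/ { next }             # comments and blank lines
    index($0, "=") {
      k = trim(substr($0, 1, index($0, "=") - 1))
      val[sec, k] = trim(substr($0, index($0, "=") + 1))
    }
    END {
      errs = 0
      for (i = 1; i <= n; i++) {
        p = order[i]
        if ((p, "role_arn") in val) {
          if (!((p, "source_profile") in val)) {
            print p ": role_arn is set but source_profile is missing"; errs++
          } else if (!(val[p, "source_profile"] in defined)) {
            print p ": source_profile \"" val[p, "source_profile"] "\" is not defined"; errs++
          }
          if (!arn_ok(val[p, "role_arn"], "role")) {
            print p ": role_arn must look like arn:aws:iam::<12-digit account>:role/<name>"; errs++
          }
        }
        if ((p, "mfa_serial") in val && !arn_ok(val[p, "mfa_serial"], "mfa")) {
          print p ": mfa_serial must look like arn:aws:iam::<12-digit account>:mfa/<name>"; errs++
        }
      }
      exit (errs > 0)
    }' "$1"
}

# True (exit 0) when a credentials file still contains a plaintext secret key.
plaintext_secret_present() {
  [ -r "$1" ] && grep -qi '^[[:space:]]*aws_secret_access_key[[:space:]]*=' "$1"
}

# Constructed sample files shaped like the Step 4 config; account IDs are fake.
sample_config() {
  case "$1" in
    good) cat <<'EOF'
[default]
region = eu-west-2
output = json
credential_process = aws-vault exec prod -j

[profile myprofile1]
credential_process = aws-vault exec prod -j

[profile myprofile_admin]
source_profile = myprofile1
role_arn = arn:aws:iam::123456789012:role/my-admin-role
mfa_serial = arn:aws:iam::123456789012:mfa/my_mfa
EOF
      ;;
    bad) cat <<'EOF'
[profile myprofile_admin]
source_profile = myprofile2
role_arn = arn:aws:iam::XXXXXXXXXXXXXXXXXXX:role/my-admin-role
mfa_serial = arn:aws:iam::123456789012:user/my_mfa
EOF
      ;;
  esac
}

# Demo: lint both samples; "good" passes, "bad" reports three problems.
for kind in good bad; do
  tmp=$(mktemp)
  sample_config "$kind" > "$tmp"
  if lint_aws_config "$tmp"; then echo "$kind: config OK"; else echo "$kind: fix the lines above"; fi
  rm -f "$tmp"
done
```

Run it against your real files with lint_aws_config ~/.aws/config and plaintext_secret_present ~/.aws/credentials; the second should report nothing once the key lives only in AWS-Vault (aws-vault list shows the profiles it holds). When the lint passes, aws-vault login myprofile_admin opens the console in the admin role after prompting for the MFA code.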
Top Q&A for AWS-Vault
What is AWS Vault?
AWS-Vault stores your IAM access key in the operating system's keystore and uses it to obtain temporary session credentials, so the long-lived key never sits in a plaintext file; it works with your existing IAM users and roles and with multi-factor authentication.
How do I use AWS vault?
This procedure will give you a very good start with AWS-Vault. If you want to dig deeper, there is a detailed README from the creators of AWS-Vault at the GitHub link above.
How do I install AWS-Vault?
See Step 1 of this procedure
How do I use AWS-Vault with MFA?
See Step 4 of this procedure.
Thank you for taking the time to read this procedure. If you have any comments or recommendations, please feel free to submit a comment on this article and I will respond ASAP.