Using AWS-Vault to securely manage access to AWS


AWS-Vault is a great tool for securely controlling your access to AWS: it keeps your long-lived access keys in the operating system's keychain instead of a plaintext file, and it is especially useful when assuming or switching roles, for example when you need admin rights in AWS.

AWS-Vault is an open-source GitHub project. In this example I will be using macOS, but the same process works on Unix-based systems such as Linux. AWS-Vault documentation: https://github.com/99designs/aws-vault

For alternative operating systems, the project README lists the following options:

How do I integrate AWS vault?

You can install AWS Vault:

  • on Windows with Chocolatey: choco install aws-vault
  • on Windows with Scoop: scoop install aws-vault
  • on Linux with Homebrew on Linux: brew install aws-vault
  • on Arch Linux: pacman -S aws-vault
  • on FreeBSD: pkg install aws-vault
  • with Nix: nix-env -i aws-vault

Install AWS-Vault with Homebrew

This example demonstrates how to install AWS-Vault on macOS; the process is almost identical on Linux distributions. My personal favourite tool for installing packages on macOS is Homebrew. Visit https://brew.sh to find out more.

Open your terminal session. I will be using iTerm2.

The installation command below requires Homebrew. If you do not already have Homebrew installed, run:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

Now install AWS-Vault and the AWS CLI (aws-vault is distributed as a Homebrew cask; the older brew cask install syntax has been replaced by the --cask flag):

brew install --cask aws-vault
brew install awscli

Log in to AWS Console https://aws.amazon.com/console/

  • Go to IAM → Users → your user
  • Go to Security Credentials Tab
  • Select Create Access Key

Important: make a note of your admin role name and your IAM user name; you will need both later.

Note: you will need admin credentials to create an access key (ID and secret) on your account.

What commands would you need to create an AWS secret from Vault?

Return to your macOS terminal and enter:

aws-vault add prod

Here prod is the name the credentials are stored under in your keychain; use non-prod (or any other name) for a second set of keys and adjust the config below to match. Enter the Access Key ID and Secret Access Key when prompted.

Edit your AWS config file (located at ~/.aws/config) and add the configuration below. The file lives in your own home directory, so it should be edited as your normal user without sudo:

nano ~/.aws/config

And enter:

[default]
region=my_region
output=json
credential_process=aws-vault exec prod -j

[profile myprofile1]
credential_process=aws-vault exec prod -j

[profile myprofile_admin]
source_profile=myprofile1
role_arn=arn:aws:iam::XXXXXXXXXXXX:role/my-admin-role
mfa_serial=arn:aws:iam::XXXXXXXXXXXX:mfa/my_mfa
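The mfa_serial line is what makes aws-vault prompt for an MFA code before the admin role is assumed; a profile that carries a role_arn but no mfa_serial lets the role be assumed with nothing more than the long-lived access key. The following shell script is an added example, not code from the original post or from the aws-vault project: it walks a config file in the format above and reports every role profile that lacks mfa_serial or whose role_arn does not contain a 12-digit account ID. The config text inside it is constructed for the example; the profile and role names mirror the post's, and the account IDs are made up.

```shell
# Added example (not from the original post or the aws-vault project):
# audit an AWS CLI config for role profiles that do not enforce MFA.
# SAMPLE_CONFIG is constructed here; names mirror the post, account IDs are fake.

SAMPLE_CONFIG=$(cat <<'EOF'
[default]
region=eu-west-1
output=json
credential_process=aws-vault exec prod -j

[profile myprofile1]
credential_process=aws-vault exec prod -j

[profile myprofile_admin]
source_profile=myprofile1
role_arn=arn:aws:iam::123456789012:role/my-admin-role
mfa_serial=arn:aws:iam::123456789012:mfa/my_mfa

[profile no_mfa_admin]
source_profile=myprofile1
role_arn=arn:aws:iam::12345:role/my-admin-role
EOF
)

# check_profile NAME ROLE_ARN MFA_SERIAL
# Prints one line per finding for a single profile; prints nothing if clean.
check_profile() {
    name=$1
    arn=$2
    mfa=$3
    if [ -z "$name" ] || [ -z "$arn" ]; then
        return 0            # no role_arn means no role assumption to guard
    fi
    if [ -z "$mfa" ]; then
        echo "$name: role_arn set but mfa_serial missing (role assumable without MFA)"
    fi
    # The account ID is the fifth colon-separated field of an IAM ARN.
    acct=$(printf '%s' "$arn" | cut -d: -f5)
    case "$acct" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "$name: account id '$acct' in role_arn is not 12 digits" ;;
    esac
    return 0
}

# audit_config CONFIG_TEXT
# Walks the INI-style config section by section and prints every finding.
audit_config() {
    profile=""
    role_arn=""
    mfa_serial=""
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*|';'*) continue ;;          # blank lines and comments
            '['*']')
                check_profile "$profile" "$role_arn" "$mfa_serial"
                section=${line#\[}
                section=${section%\]}
                profile=${section#profile }   # "[profile x]" -> x, "[default]" -> default
                role_arn=""
                mfa_serial=""
                ;;
            *=*)
                key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
                val=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
                case "$key" in
                    role_arn)   role_arn=$val ;;
                    mfa_serial) mfa_serial=$val ;;
                esac
                ;;
        esac
    done <<EOF
$1
EOF
    check_profile "$profile" "$role_arn" "$mfa_serial"   # flush the last section
    return 0
}

# finding_count CONFIG_TEXT -> number of findings (0 means every role profile requires MFA)
finding_count() {
    audit_config "$1" | wc -l | tr -d ' '
}

audit_config "$SAMPLE_CONFIG"
# Real use: audit_config "$(cat ~/.aws/config)"
```

Against the constructed config the script reports two findings, both for no_mfa_admin; myprofile_admin passes because it carries both role_arn and mfa_serial with a well-formed account ID. The check is deliberately limited to what the config file alone can prove; whether the role's trust policy actually requires MFA is enforced on the AWS side and must be verified there.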

To access AWS using AWS-Vault

Open a terminal session and type

aws-vault login myprofile_admin

You will be prompted for your local keystore password and then your MFA code; the AWS console then opens in your browser with the role configured in myprofile_admin already assumed. (Running aws-vault login prod instead opens the console as the IAM user itself, since the prod credentials have no role attached.)
