
Luke Howsam

Software Engineer

Getting started with aws-vault


Why aws-vault?

When you configure the AWS CLI with aws configure, it writes your access key ID and secret access key in plain text to ~/.aws/credentials in your home directory. That is a well-known location: any process running as your user, any malicious package you install, and any backup or sync tool that copies your home directory can read those long-lived keys, and whoever obtains them can do everything your IAM user can until the keys are rotated.

aws-vault, an open source tool from 99designs, exists to stop that. It stores the keys in your operating system's secure keystore, for example the macOS Keychain, instead of a plaintext file, so they are encrypted at rest and only released to aws-vault when you unlock the keystore.

aws-vault also limits the damage a leak can do by using temporary credentials from Amazon's STS service instead of handing your long-lived keys to every tool you run. It obtains them with the GetSessionToken and AssumeRole API calls, each with a fixed lifetime, and exports only those temporary credentials to the process it launches. A stolen session token stops working when it expires, and the permanent keys never leave the keystore.

Getting started

Here's a quick starter on how to get up and running with aws-vault.

Setting up the tool

On macOS, we can install aws-vault with one command:

brew install --cask aws-vault

Transfer any existing credentials

Move existing credentials into aws-vault. Check which profiles are in the plaintext file, then add each one (aws-vault prompts for the access key ID and secret access key and stores them in the keystore):

cat ~/.aws/credentials
aws-vault add profile_1
aws-vault add profile_2

Once aws-vault list shows the profiles, delete the key lines from ~/.aws/credentials: the point is lost if the plaintext copy stays behind, and aws-vault reads its profile settings (role_arn, mfa_serial, source_profile) from ~/.aws/config, not from the credentials file.
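The migration step above, done as a script so you don't retype keys by hand. This is an added example, not code from the original post or from the aws-vault project: it parses the ini file that aws configure writes, imports each complete profile with aws-vault add --env (an aws-vault flag that reads the key pair from AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, keeping the secret off the command line and out of shell history), prints aws-vault list as confirmation, and deletes the plaintext file. The function names and the dry-run/migrate sub-commands are this script's own; the sample file is constructed from the example key pairs published in the AWS documentation.

```sh
#!/bin/sh
# Added example, not from the original post: move every profile in a plaintext
# AWS credentials file into aws-vault's keystore, then delete the file.
# Assumptions: aws-vault 6+ (its 'add --env' flag reads AWS_ACCESS_KEY_ID and
# AWS_SECRET_ACCESS_KEY from the environment) and the ini layout 'aws configure'
# writes. Function names and sub-commands are this script's own.
set -eu

# Print one "profile<TAB>key id<TAB>secret" line per complete profile.
# A section missing either value is skipped rather than half-imported.
parse_credentials() {
    awk -F= '
        function flush() {
            if (profile != "" && id != "" && secret != "")
                printf "%s\t%s\t%s\n", profile, id, secret
            id = ""; secret = ""
        }
        /^[ \t]*\[/ {                          # [section] header
            flush()
            gsub(/^[ \t]*\[|\][ \t]*$/, "")
            profile = $0
            next
        }
        /^[ \t]*(#|;|$)/ { next }              # comment or blank line
        {
            key = $1
            sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
            val = substr($0, index($0, "=") + 1) # keep any "=" inside the value
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "aws_access_key_id")     id = val
            if (key == "aws_secret_access_key") secret = val
        }
        END { flush() }
    ' "$1"
}

# Hand the secret to aws-vault through the environment so it never appears on
# a command line, in ps output or in shell history.
import_profile() {
    AWS_ACCESS_KEY_ID="$2" AWS_SECRET_ACCESS_KEY="$3" aws-vault add --env "$1"
}

# Import every complete profile, show what the keystore now holds, then remove
# the plaintext file (it holds only key material, so it can go entirely).
migrate() {
    creds=${1:-$HOME/.aws/credentials}
    [ -f "$creds" ] || { echo "no credentials file at $creds" >&2; return 1; }
    tab=$(printf '\t')
    parse_credentials "$creds" | while IFS="$tab" read -r profile id secret; do
        echo "importing $profile"
        import_profile "$profile" "$id" "$secret"
    done
    echo "profiles now held by aws-vault:"
    aws-vault list
    rm -f "$creds"
    echo "deleted $creds; the old keys were on disk in plaintext, rotate them"
}

# Constructed sample in the AWS CLI's ini layout, using the example key pairs
# from the AWS documentation; the third section is deliberately incomplete.
sample_credentials_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not real keys
[profile_1]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[profile_2]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY

[incomplete]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
EOF
    echo "$f"
}

case "${1:-}" in
    dry-run) parse_credentials "${2:-$HOME/.aws/credentials}" | cut -f1 ;;
    migrate) migrate "${2:-}" ;;
esac
```

Run it as ./migrate.sh dry-run to list the profiles that would be imported, then ./migrate.sh migrate. Because those keys sat on disk in plaintext, treat them as exposed: after importing, run aws-vault rotate profile_1 for each one, which creates a new key pair in IAM, stores it in the keystore and deletes the old key.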

Pick an account to launch

To review all your available profiles, and any cached sessions, run:

aws-vault list

To start a session for a profile, run:

aws-vault exec my_profile

This fetches temporary credentials from STS (assuming the role if the profile has a role_arn in ~/.aws/config, and prompting for an MFA code if it has an mfa_serial), then opens a subshell with those credentials in its environment, so the AWS CLI and SDKs in that shell pick them up without ever seeing the long-lived keys.

Passwordless AWS console access

Another advantage of aws-vault is that it can sign you into the AWS console without your console password: it uses the profile's temporary credentials to build a federated sign-in URL and opens it in your browser, so you do not have to log in by hand. The credentials come from your macOS Keychain, and you are prompted for an MFA code if the profile has an mfa_serial configured:

aws-vault login my-profile --duration 2h

Ending the session

To limit the window in which a leaked session could be abused, end the vault session as soon as you are done: press ctrl+d (or type exit) to leave the subshell, which drops the temporary credentials from your environment. Keep session durations short as well, using --duration on exec and login, so you are never authenticated longer than necessary; the default for exec is 1h. Note that aws-vault also caches session credentials in the keystore until they expire, so if you suspect a session has been exposed, run aws-vault clear (available in recent versions) to delete the cached copies and rotate the underlying keys.
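A way to make the short-session habit the default rather than something to remember, as an added example that is not from the original post or the aws-vault project: a wrapper that fetches credentials for a single command, rejects any --duration above a local ceiling, and refuses to start a session from inside an existing one. It assumes aws-vault 6 or later (the --duration flag on exec and login, and the AWS_VAULT variable that exec exports into its session); MAX_SESSION_SECONDS and the function names are the script's own, not aws-vault settings.

```sh
#!/bin/sh
# Added example, not from the original post: run one command under a short
# aws-vault session instead of leaving an authenticated subshell open, and
# refuse durations above a local ceiling or sessions started inside another.
# Assumptions: aws-vault 6+ ('exec --duration', 'login --duration', and the
# AWS_VAULT variable exported inside a session). MAX_SESSION_SECONDS and the
# function names are this script's own, not aws-vault settings.
set -eu

MAX_SESSION_SECONDS=3600    # local policy: nothing longer than one hour

# Convert a duration in the form aws-vault accepts (15m, 1h, 1h30m, 45s) to
# seconds. Prints nothing and returns 1 for anything else, so a typo such as
# "2hours" is caught before the keystore is touched.
duration_to_seconds() {
    case "$1" in
        ''|*[!0-9hms]*) return 1 ;;
    esac
    printf '%s\n' "$1" | awk '
        /^([0-9]+h)?([0-9]+m)?([0-9]+s)?$/ {
            total = 0
            if (match($0, /[0-9]+h/)) total += substr($0, RSTART, RLENGTH - 1) * 3600
            if (match($0, /[0-9]+m/)) total += substr($0, RSTART, RLENGTH - 1) * 60
            if (match($0, /[0-9]+s/)) total += substr($0, RSTART, RLENGTH - 1)
            print total
            ok = 1
        }
        END { exit ok ? 0 : 1 }
    '
}

# Allow a requested duration only if it parses and fits under the ceiling.
check_duration() {
    secs=$(duration_to_seconds "$1") || return 1
    [ "$secs" -gt 0 ] && [ "$secs" -le "$MAX_SESSION_SECONDS" ]
}

# aws-vault exec exports AWS_VAULT inside a session; starting another session
# from there means credentials are already in scope and nesting was probably
# a mistake (aws-vault itself refuses this unless you unset AWS_VAULT).
not_nested() {
    [ -z "${AWS_VAULT:-}" ]
}

# vault_run PROFILE DURATION COMMAND...: the credentials live only as long as
# that one command, so there is no subshell to forget about.
vault_run() {
    [ $# -ge 3 ] || { echo "usage: vault_run PROFILE DURATION COMMAND..." >&2; return 1; }
    profile=$1; duration=$2; shift 2
    not_nested || { echo "refusing: already inside an aws-vault session for $AWS_VAULT" >&2; return 1; }
    check_duration "$duration" || { echo "refusing: duration '$duration' invalid or above ${MAX_SESSION_SECONDS}s" >&2; return 1; }
    aws-vault exec --duration "$duration" "$profile" -- "$@"
}

# vault_login PROFILE DURATION: the same ceiling applied to console sign-in.
vault_login() {
    [ $# -eq 2 ] || { echo "usage: vault_login PROFILE DURATION" >&2; return 1; }
    check_duration "$2" || { echo "refusing: duration '$2' invalid or above ${MAX_SESSION_SECONDS}s" >&2; return 1; }
    aws-vault login --duration "$2" "$1"
}

case "${1:-}" in
    run)   shift; vault_run "$@" ;;
    login) shift; vault_login "$@" ;;
esac
```

./vault_run.sh run my_profile 15m aws sts get-caller-identity runs one command and the credentials are gone when it exits; ./vault_run.sh login my_profile 30m opens the console with the same ceiling. Keep in mind that --duration is a request: the lifetime STS actually grants is also capped by the role's maximum session duration, and credentials aws-vault has already cached stay in the keystore until they expire or you run aws-vault clear.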