Using AWS Vault instead of relying on plaintext AWS Creds
(note: be prepared to enter the pgp passphrase for this user's key).
Follow the instructions on aws-vault's github page. If you're on WSL, follow these instructions instead.
You'll take a gander at gpg and pass along the way, because:
- gpg: manages keys
- pass: manages passwords, encrypted by gpg keys (nicer summary)
- aws-vault: uses both to keep your long-lived AWS creds encrypted and to hand temporary session creds to your commands, so you authenticate to AWS without plaintext keys sitting on disk
Add a user to aws-vault
Probably best to delete your previous access keys and create new keys in AWS::IAM. Instead of downloading the plaintext CSV with the new creds, just:
Run aws-vault add <user> locally in a terminal.
- Copy + paste your creds from the AWS dialog directly into aws-vault when prompted, THEN close the dialog in AWS.
Need to support MFA (multi-factor auth) for the user?
- Grab the user's ARN (AWS::IAM > Users > (user) > Security credentials > Assigned MFA device). It should exist if the user has set up MFA.
- Add the corresponding ARN to ~/.aws/config under their profile entry:
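As an added example (not from the original notes), here is what that profile entry looks like; the profile name alice and the account id in the ARN are constructed placeholders:

```ini
# ~/.aws/config (example added here; "alice" and the account id are placeholders)
# Only non-secret settings live in this file. The long-lived access key you
# pasted into `aws-vault add alice` is stored in the encrypted backend
# (pass/gpg in this setup), not in ~/.aws/config or ~/.aws/credentials.
[profile alice]
# Copied from AWS::IAM > Users > alice > Security credentials > Assigned MFA device.
# With this set, `aws-vault exec alice` prompts for the MFA token before it
# requests temporary session credentials for the profile.
mfa_serial = arn:aws:iam::123456789012:mfa/alice
```

You can confirm aws-vault sees the profile and its stored credentials with aws-vault list.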
Log in to AWS / grab a session for N hours
Run aws-vault exec <user> [--duration Nh]; the optional --duration gives you a session of N hours, otherwise you get one hour by default, i.e.:
aws-vault exec <user>
- If user has MFA, there will be a prompt for the MFA token at this point. Provide it.
- You will then be prompted to enter the passphrase for this user's key. Enter it.
- Try a simple aws command:
aws ec2 describe-instances
whooo! a list of instances!