Using AWS Vault instead of relying on plaintext AWS Creds

Posted: 31 August, 2021 Category: recipes Tagged: aws, aws-vault

(note: with the pass backend, aws-vault keeps your AWS keys in a gpg-encrypted password store, so be prepared to enter the passphrase for this user's gpg key along the way).

Install aws-vault

  • follow the instructions on aws-vault's github page. If you're on WSL, follow these instructions instead.

    You'll take a gander at gpg and pass along the way, because:

    • gpg: manages keys
    • pass: manages passwords, each one encrypted to your gpg key
    • aws-vault: leverages both (via its pass backend) to store your AWS access keys encrypted at rest and to hand short-lived STS session credentials to the commands you run, instead of leaving a long-lived key pair in plaintext in ~/.aws/credentials where any process running as you can read it

Add a user to aws-vault

  • probably best to delete your previous access keys and create new ones in AWS::IAM: the old ones have lived in a plaintext csv or ~/.aws/credentials, so treat them as exposed. Instead of downloading the plaintext csv with the new creds, just:

    • run aws-vault add <user> locally in a terminal
    • copy + paste the access key id and secret from the AWS dialog directly into aws-vault when prompted, THEN close the dialog in AWS. The secret now exists only in the encrypted store.
  • Need to support MFA (multi-factor auth) for the user?

    • grab the MFA device's arn (AWS::IAM > Users > (user) > Security credentials > Assigned MFA device). It should exist if the user has set up MFA, and has the form arn:aws:iam::<account-id>:mfa/<device-name>.
    • add it to ~/.aws/config under the profile entry whose name matches what you gave aws-vault add, i.e. mfa_serial=arn:aws:iam::<account-id>:mfa/<device-name> under [profile <user>]. aws-vault then includes that serial in its STS GetSessionToken call, so the temporary credentials it hands out are MFA-backed.

Login to AWS / grab a session for N hours

  • run aws-vault exec <user> [--duration Nh] for a session of N hours, or take the default of one hour: aws-vault exec <user>. With no command given, aws-vault (v6, current when this was written) starts a subshell whose environment carries only the temporary session credentials; to run a single command instead, put it after --, e.g. aws-vault exec <user> -- aws ec2 describe-instances
  • If the profile has mfa_serial set, there will be a prompt for the MFA token at this point. Provide it.
  • You will then be prompted for the passphrase of this user's gpg key (unless gpg-agent still has it cached from recent use). Enter it. aws-vault caches the resulting session in the keyring, so another exec within the session's lifetime reuses it without a second MFA prompt.
  • Try a simple aws command: aws ec2 describe-instances

whooo! a list of instances!
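The recipe above end to end, as an added shell script (it is not from the original post and not part of aws-vault itself). Everything not stated on the page is an assumption: the profile is called "deploy", the MFA ARN uses the placeholder account id 123456789012, aws-vault is pointed at the pass backend through AWS_VAULT_BACKEND=pass, and the freshly created key pair is passed to aws-vault add --env via AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY rather than typed at the prompt. The two small checks, that no long-lived secret is left in ~/.aws/credentials and that the child process sees an ASIA* (temporary) key rather than an AKIA* (long-lived) one, are the ones worth running after migrating.

```shell
#!/bin/sh
# Added example walking the aws-vault recipe; not code from the original post.
# Assumptions (not on the page): profile "deploy", placeholder MFA ARN with
# account 123456789012, the pass backend, and `aws-vault add --env`.
set -eu

# Append a profile with mfa_serial to <dir>/config (no-op if it already exists).
write_profile() {
  dir="$1"; profile="$2"; mfa="$3"
  cfg="$dir/config"
  mkdir -p "$dir"
  if [ -f "$cfg" ] && grep -q "^\[profile $profile\]" "$cfg"; then
    echo "profile $profile already present in $cfg" >&2
    return 0
  fi
  printf '[profile %s]\nregion = us-east-1\nmfa_serial = %s\n' "$profile" "$mfa" >> "$cfg"
}

# The check this recipe exists for: a long-lived secret left in
# <dir>/credentials is readable by every process running as you.
# Returns 0 (true) if one is present, 1 otherwise.
plaintext_secret_present() {
  creds="$1/credentials"
  [ -f "$creds" ] || return 1
  grep -qi '^aws_secret_access_key' "$creds"
}

# Classify an access key id: AKIA* is a long-lived IAM user key, ASIA* is a
# temporary STS key, which is what aws-vault exec should hand to the child.
key_kind() {
  case "$1" in
    AKIA*) echo long-lived ;;
    ASIA*) echo temporary ;;
    *)     echo unknown ;;
  esac
}

# Store the new pair in the keyring. Reading it from the environment keeps the
# secret out of shell history and off disk; both variables are unset afterwards.
store_in_vault() {
  profile="$1"
  : "${AWS_ACCESS_KEY_ID:?export the new access key id first}"
  : "${AWS_SECRET_ACCESS_KEY:?export the new secret access key first}"
  AWS_VAULT_BACKEND=pass aws-vault add --env "$profile"
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
}

# Run one command under a 1h session. With mfa_serial set, aws-vault prompts for
# the TOTP code; gpg prompts for the passphrase unless gpg-agent has it cached.
run_with_session() {
  profile="$1"; shift
  AWS_VAULT_BACKEND=pass aws-vault exec --duration=1h "$profile" -- "$@"
}

main() {
  profile="${PROFILE:-deploy}"
  aws_dir="${AWS_DIR:-$HOME/.aws}"
  mfa_arn="${MFA_ARN:-arn:aws:iam::123456789012:mfa/deploy}"   # placeholder

  write_profile "$aws_dir" "$profile" "$mfa_arn"
  store_in_vault "$profile"
  if plaintext_secret_present "$aws_dir"; then
    echo "warning: $aws_dir/credentials still holds a long-lived secret; remove it" >&2
  fi

  # Sanity check: the child should see a temporary key plus a session token.
  # The second exec reuses the session aws-vault cached, so no second MFA prompt.
  child_key=$(run_with_session "$profile" sh -c 'printf %s "$AWS_ACCESS_KEY_ID"')
  echo "child process sees a $(key_kind "$child_key") access key"
  run_with_session "$profile" sh -c '[ -n "${AWS_SESSION_TOKEN:-}" ] && echo "session token: set"'

  run_with_session "$profile" aws sts get-caller-identity
  run_with_session "$profile" aws ec2 describe-instances
}

# The interactive part only runs when asked: `PROFILE=deploy sh recipe.sh run`
if [ "${1:-}" = "run" ]; then main; fi
```

The functions that touch ~/.aws take the directory as a parameter so they can be exercised against a scratch directory before being pointed at the real one; run_with_session puts the command after -- so the script does not depend on aws-vault's subshell behaviour, which differs between versions.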