Using AWS Vault instead of relying on plaintext AWS Creds
follow the instructions on aws-vault’s github page. If you’re on WSL, follow these instructions instead.
*You’ll take a gander at gpg and pass along the way, because:
- gpg: manages keys
- pass: manages passwords, encrypted by gpg keys nicer summary
- aws-vault: leverages both to handle ur aws creds and auth u securely to aws
Add a user to aws-vault
- probably best to delete your previous access keys and create new keys in AWS::IAM. Instead of downloading the plaintext csv with the new creds, just:
aws-vault add <user> locally on a terminal (where is the aws account’s username)
- Copy + paste your creds from the AWS dialog directly into aws-vault when prompted, THEN close the dialog in aws.
- Need to support MFA (multi-factor auth) for the user?
- grab the user’s arn for multifactor auth (at aws::IAM > users > (user) > security credentials > assigned mfa device. Should exist if user has set up MFA).
- Add the corresponding arn to
~/.aws/config under their profile entry:
Login to AWS / grab a session for N hours
aws-vault exec <user> [--duration Nh] with an optional duration of N hours or grab an hour by default i.e.:
aws-vault exec <user>
- If user has MFA, there will be a prompt for the MFA token at this point. Provide it.
- You will then be prompted to enter the passphrase for this user’s key. Enter it.
- Try a simple aws command:
aws ec2 describe-instances
whooo! a list of instances!
Handle login expiry
If you get this cryptic error while using aws-vault (esp when trying to login with a new session):
aws-vault: error: aws-vault sessions should be nested with care, unset $AWS_VAULT to force
then do what it says: type
unset AWS_VAULT at a prompt and unshackle yourself from sessions of yore.