Using AWS Vault instead of relying on plaintext AWS Creds

Posted: August 31, 2021 | Category: backend | Tagged: aws, aws-vault

Install aws-vault

  • follow the instructions on aws-vault’s github page. If you’re on WSL, follow these instructions instead.

    You’ll take a gander at gpg and pass along the way, because:

    • gpg: manages keys
    • pass: manages passwords, encrypted by gpg keys
    • aws-vault: leverages both to store your AWS creds and authenticate you securely to AWS

Add a user to aws-vault

  • probably best to delete your previous access keys and create new keys in AWS::IAM. Instead of downloading the plaintext csv with the new creds, just:
    • do aws-vault add <user> locally on a terminal (where <user> is the IAM user’s name, which also becomes the profile name)
    • Copy + paste your creds from the AWS dialog directly into aws-vault when prompted, THEN close the dialog in AWS.
  • Need to support MFA (multi-factor auth) for the user?
    • grab the user’s arn for multifactor auth (at aws::IAM > users > (user) > security credentials > assigned mfa device. Should exist if user has set up MFA).
    • Add the corresponding arn to ~/.aws/config under their profile entry: mfa_serial=arn:blahblah

Login to AWS / grab a session for N hours

  • do aws-vault exec <user> [--duration Nh] to get a session of N hours; without the flag, plain aws-vault exec <user> gets you an hour by default
  • If user has MFA, there will be a prompt for the MFA token at this point. Provide it.
  • You will then be prompted to enter the passphrase for this user’s key. Enter it.
  • Try a simple aws command: aws ec2 describe-instances

whooo! a list of instances!

Handle login expiry

If you get this cryptic error while using aws-vault (especially when trying to log in with a new session):

aws-vault: error: aws-vault sessions should be nested with care, unset $AWS_VAULT to force

then do what it says: type unset AWS_VAULT at a prompt and unshackle yourself from sessions of yore.
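As an added example that is not part of the original post, here is a small POSIX sh helper that ties the "Add a user" / "Login" steps and the nesting error together: it renders a ~/.aws/config profile section with mfa_serial, checks that a profile actually has mfa_serial set before you start a session, and refuses to start a nested session while $AWS_VAULT is still set (aws-vault exports that variable, holding the profile name, inside every session). The function names, the profile name "dev", the account id and ARN, and the VAULT_EXEC_DURATION variable are all constructed for this example; only aws-vault exec, --duration, AWS_VAULT and AWS_CONFIG_FILE are real.

```shell
#!/bin/sh
# Added example, not from the original post or the aws-vault project.

# Render an ~/.aws/config profile section that carries the MFA device ARN.
# usage: render_profile <profile> <mfa_arn>
render_profile() {
  printf '[profile %s]\nregion = us-east-1\nmfa_serial = %s\n' "$1" "$2"
}

# Return 0 if <profile> in <config_file> has an mfa_serial line, else 1.
# Accepts both "[profile name]" and the bare "[name]" header forms.
# usage: profile_has_mfa <config_file> <profile>
profile_has_mfa() {
  awk -v want="[profile $2]" -v bare="[$2]" '
    $0 == want || $0 == bare { in_section = 1; next }
    /^\[/                    { in_section = 0 }
    in_section && /^[[:space:]]*mfa_serial[[:space:]]*=/ { found = 1 }
    END { exit(found ? 0 : 1) }
  ' "$1"
}

# Start an aws-vault session for <profile> and run <command...> inside it.
# Refuses to nest sessions (the $AWS_VAULT error from the post) and warns
# when the profile has no mfa_serial, so MFA-protected users are not run
# without a token prompt by accident.
# usage: vault_exec <profile> <command...>
vault_exec() {
  profile=$1; shift
  cfg=${AWS_CONFIG_FILE:-$HOME/.aws/config}   # AWS CLI honours this variable
  duration=${VAULT_EXEC_DURATION:-1h}        # constructed knob; aws-vault's default is 1h

  if [ -n "${AWS_VAULT:-}" ]; then
    echo "already inside an aws-vault session for '$AWS_VAULT'; run: unset AWS_VAULT" >&2
    return 1
  fi
  if ! profile_has_mfa "$cfg" "$profile"; then
    echo "warning: no mfa_serial for profile '$profile' in $cfg" >&2
  fi
  aws-vault exec "$profile" --duration "$duration" -- "$@"
}

# Example session (constructed account id / ARN):
#   render_profile dev arn:aws:iam::123456789012:mfa/dev >> ~/.aws/config
#   vault_exec dev aws sts get-caller-identity
```

The check runs before aws-vault is invoked, so a profile that was added with aws-vault add but never got its mfa_serial line is flagged up front instead of surfacing as an AccessDenied later; the nesting guard gives the same advice as aws-vault itself (unset AWS_VAULT) without starting a second session.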