Using AWS Vault instead of relying on plaintext AWS Creds
Install aws-vault
- Follow the instructions on aws-vault's GitHub page. If you're on WSL, follow these instructions instead.
You'll take a gander at gpg and pass along the way, because:
- gpg: manages keys
- pass: manages passwords, encrypted by gpg keys
- aws-vault: leverages both to store your AWS creds and authenticate you securely to AWS
Add a user to aws-vault
- It's probably best to delete your previous access keys and create new keys in AWS::IAM. Instead of downloading the plaintext CSV with the new creds, just:
- run
aws-vault add <user>
locally in a terminal (where <user> is the AWS account's username)
- Copy + paste your creds from the AWS dialog directly into aws-vault when prompted, THEN close the dialog in AWS.
- Need to support MFA (multi-factor auth) for the user?
- Grab the user's MFA ARN (at AWS::IAM > Users > (user) > Security credentials > Assigned MFA device; it should exist if the user has set up MFA).
- Add the corresponding ARN to
~/.aws/config
under their profile entry: mfa_serial=arn:blahblah
Login to AWS / grab a session for N hours
- run
aws-vault exec <user> [--duration Nh]
with an optional duration of N hours; you get one hour by default, i.e. aws-vault exec <user>
- If the user has MFA, you'll be prompted for the MFA token at this point. Provide it.
- You will then be prompted for the passphrase for this user's key. Enter it.
- Try a simple AWS command:
aws ec2 describe-instances
whooo! a list of instances!
Handle login expiry
If you get this cryptic error while using aws-vault (especially when trying to log in with a new session):
aws-vault: error: aws-vault sessions should be nested with care, unset $AWS_VAULT to force
then do what it says: type unset AWS_VAULT
at a prompt and unshackle yourself from sessions of yore.
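As an added example (not from the original note or the aws-vault project), here is a small POSIX shell pre-flight for the MFA and session steps above and the expiry error just described: it reads the profile's mfa_serial out of ~/.aws/config and refuses to start a session while a stale $AWS_VAULT is still set. The profile name dev, the account id and the device ARN in the sample config are made up, and vault_login and the other function names are my own.

```shell
#!/bin/sh
# Added example (not from the original note): pre-flight checks for
# `aws-vault exec`, covering the mfa_serial entry in ~/.aws/config and a
# leftover $AWS_VAULT from an old session (the "nested with care" error).

# Print PROFILE's mfa_serial from CONFIG (~/.aws/config style, headers
# "[default]" or "[profile NAME]"). Returns 1 if the profile has none.
profile_mfa_serial() {                       # $1=config $2=profile
    awk -v want="$2" '
        /^\[/ { hdr = $0                     # section header line
                sub(/^\[[ \t]*(profile[ \t]+)?/, "", hdr); sub(/[ \t]*].*/, "", hdr)
                in_section = (hdr == want); next }
        in_section && /^[ \t]*mfa_serial[ \t]*=/ {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val)   # text after "="
                print val; found = 1; exit } # END still runs after exit
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# True when this shell already carries an aws-vault session; aws-vault refuses
# to nest sessions by default, and the note's fix is `unset AWS_VAULT`.
vault_session_active() { [ -n "${AWS_VAULT:-}" ]; }

# Constructed sample config (account id and device name are made up).
write_sample_config() {
    cat > "$1" <<'EOF'
[default]
region = us-east-1

[profile dev]
region = us-west-2
mfa_serial = arn:aws:iam::123456789012:mfa/dev-user
EOF
}

# Run the checks, then open the session (1h by default, as in the note).
vault_login() {                              # $1=profile [$2=duration] [$3=config]
    profile="$1"; duration="${2:-1h}"; config="${3:-$HOME/.aws/config}"
    if vault_session_active; then
        echo "AWS_VAULT=$AWS_VAULT is already set; run: unset AWS_VAULT" >&2
        return 2
    fi
    if serial=$(profile_mfa_serial "$config" "$profile"); then
        echo "profile $profile uses MFA device $serial: expect a token prompt" >&2
    else
        echo "profile $profile has no mfa_serial: no MFA prompt" >&2
    fi
    aws-vault exec "$profile" --duration "$duration"
}
```

Source the file and call `vault_login dev 4h` to get the same session as `aws-vault exec dev --duration 4h`, with the two checks run first.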