Installing and using aws-vault

Command Summary

Command                                            Description
brew install aws-vault                             Install aws-vault via Homebrew
aws-vault --version                                Check the installed version of aws-vault
aws-vault exec {{profile}} --stdout -- aws s3 ls   List S3 buckets for the given profile

Introduction

This guide will walk you through installing aws-vault, a tool that securely stores and manages your AWS credentials. aws-vault uses your operating system’s secure storage to hold credentials, making access to multiple AWS accounts safer and more convenient without exposing sensitive information.

If you regularly work with AWS, especially across different environments, aws-vault can streamline the authentication process while improving security.

By the end of this guide, you’ll have aws-vault installed and ready to use, setting you up to securely manage AWS credentials in your daily workflow.

Note: This article assumes you are using Homebrew for macOS installation.

What is aws-vault?

aws-vault is a tool designed to store and access AWS credentials on your local machine securely. It helps manage AWS access keys and session tokens by encrypting them and allowing you to switch between different profiles or roles easily.

Here’s a brief overview of how it works:

  • Storage: aws-vault stores your AWS credentials in a secure, encrypted format using your system’s keychain. These credentials can be long-lived (not a recommended practice) or short-lived credentials from the AWS Identity Center product.

  • Session Management: It manages AWS sessions, allowing you to assume roles and generate temporary credentials with specific permissions.

  • Profile Management: You can create and manage multiple profiles, which is helpful if you work with different AWS accounts or roles.

  • Command Execution: You can use aws-vault to execute AWS CLI commands or other applications that need AWS credentials without directly exposing them.

Overall, it’s a valuable tool for maintaining security and convenience when working with AWS credentials.

Installing aws-vault

Prerequisites

Prior to installing aws-vault you’ll need the following:

  • macOS or Linux (I believe there is a Windows version, but mileage may differ significantly)
  • A package manager; in my case I’m using Homebrew
  • awscli
  • AWS credentials (short-term or long-lived)

Note: The aws-vault project can be found at aws-vault

Installation

To install aws-vault we will use Homebrew. If you don’t have Homebrew installed, you can install it from the following link: Homebrew. Open up your terminal and enter the command:

brew install aws-vault

If all was successful you should see output similar to the following:

brew install aws-vault
==> Auto-updating Homebrew...
Adjust how often this is run with HOMEBREW_AUTO_UPDATE_SECS or disable with
HOMEBREW_NO_AUTO_UPDATE. Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).
==> Auto-updated Homebrew!
Updated 3 taps (hashicorp/tap, homebrew/core and homebrew/cask).
==> New Formulae
bed                                    hashicorp/tap/tf-migrate               oasdiff
bump-my-version                        immich-cli                             rpcsvc-proto
==> New Casks
font-departure-mono                    gitlight                               wealthfolio

You have 13 outdated formulae installed.

Warning: Treating aws-vault as a formula. For the cask, use homebrew/cask/aws-vault or specify the `--cask` flag.
==> Downloading https://ghcr.io/v2/homebrew/core/aws-vault/manifests/7.2.0-1
Already downloaded: /Users/moleary/Library/Caches/Homebrew/downloads/e80098cc4e2eada3af6993e0b5730575af83d2e0f693e332a232781cdee89203--aws-vault-7.2.0-1.bottle_manifest.json
==> Fetching aws-vault
==> Downloading https://ghcr.io/v2/homebrew/core/aws-vault/blobs/sha256:5cbd3ba6f0c5821efcf11d31b68894b3e662ac2459c
Already downloaded: /Users/moleary/Library/Caches/Homebrew/downloads/48869f0897bc4f9988a53c5a62dbd8d29e01c1abe45fc492d0e9a3607d9436f6--aws-vault--7.2.0.sonoma.bottle.1.tar.gz
==> Pouring aws-vault--7.2.0.sonoma.bottle.1.tar.gz
==> Caveats
zsh completions have been installed to:
  /usr/local/share/zsh/site-functions
==> Summary
🍺  /usr/local/Cellar/aws-vault/7.2.0: 9 files, 14.2MB
==> Running `brew cleanup aws-vault`...
Disable this behaviour by setting HOMEBREW_NO_INSTALL_CLEANUP.
Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).

Checking the version

Once successfully installed, we can confirm the binary runs using the following command:

❯ aws-vault --version
7.2.0-Homebrew

Using AWS Identity Center with aws-vault

In my day-to-day work with multiple clients I tend to leverage AWS Identity Center, as this is a common pattern for AWS Landing Zone deployments. This article assumes that you have a predefined AWS configuration at ~/.aws/config. If not, you can use the following template to create an SSO configuration:

Note: You can use long-lived keys with aws-vault; however, long-lived and overly permissive keys pose a significant security risk and should be avoided.

❯ cat ~/.aws/config
[profile default]
region = {{default_region}}
output = json

# Account 1
[profile {{profile}}]
sso_start_url=https://{{directory_id}}.awsapps.com/start
sso_region={{aws_sso_region}}
sso_account_id={{account_id}}
sso_role_name={{aws_role_name}}
region={{aws_region}}
output=json

# Account 2
[profile {{profile}}]
sso_start_url=https://{{directory_id}}.awsapps.com/start
sso_region={{aws_sso_region}}
sso_account_id={{account_id}}
sso_role_name={{aws_role_name}}
region={{aws_region}}
output=json

# Account 3
[profile {{profile}}]
sso_start_url=https://{{directory_id}}.awsapps.com/start
sso_region={{aws_sso_region}}
sso_account_id={{account_id}}
sso_role_name={{aws_role_name}}
region={{aws_region}}
output=json
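As an added check that is not part of aws-vault or of this article: a small shell linter for a config file of the shape shown above. It flags unfilled {{placeholders}} left over from the template, profiles copied under the same name, SSO profiles missing one of the four sso_* keys, and the static long-lived keys the note above warns against. The sample config and every account value in it are constructed.

```shell
# Added example (not aws-vault's own code): lint an ~/.aws/config of the shape shown
# above before handing it to aws-vault. Flags unfilled {{placeholders}}, duplicate profile
# names, SSO profiles missing one of the four sso_* keys, and static long-lived keys.
check_aws_config() {   # usage: check_aws_config ~/.aws/config ; returns 1 on any ERROR
  awk '
    function flush(   i, k, n) {
      if (name != "") {
        if (seen[name]++) { print "ERROR duplicate profile: " name; bad = 1 }
        if (sso) {
          n = split("sso_start_url sso_region sso_account_id sso_role_name", req, " ")
          for (i = 1; i <= n; i++) if (!(req[i] in kv)) { print "ERROR " name ": missing " req[i]; bad = 1 }
        }
        if ("aws_access_key_id" in kv) print "WARN " name ": uses long-lived static keys"
      }
      for (k in kv) delete kv[k]; sso = 0   # reset per-profile state
    }
    /^[ \t]*\[/ {   # [profile name] or [default] section header
      flush()
      name = $0; sub(/^[ \t]*\[[ \t]*/, "", name); sub(/[ \t]*\].*$/, "", name); sub(/^profile[ \t]+/, "", name)
      if (index(name, "{{")) { print "ERROR unfilled placeholder in profile name: " name; bad = 1 }
      next
    }
    /^[ \t]*$/ || /^[ \t]*[#;]/ { next }   # blank lines and comments
    /=/ {
      key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]+/, "", key)
      val = $0; sub(/^[^=]*=[ \t]*/, "", val)
      if (index(val, "{{") && index(val, "}}")) { print "ERROR " name ": unfilled placeholder in " key; bad = 1 }
      kv[key] = val; if (key ~ /^sso_/) sso = 1
    }
    END { flush(); exit (bad ? 1 : 0) }
  ' "$1"
}
# Constructed sample (no real account): "prod" is complete; "dev" keeps a template
# placeholder, lacks sso_role_name, and is declared twice, the copy using static keys.
SAMPLE_CONFIG="$(mktemp)"
cat > "$SAMPLE_CONFIG" <<'EOF'
[profile prod]
sso_start_url=https://d-0000000000.awsapps.com/start
sso_region=ap-southeast-2
sso_account_id=111111111111
sso_role_name=ReadOnly
[profile dev]
sso_start_url=https://{{directory_id}}.awsapps.com/start
sso_region=ap-southeast-2
sso_account_id=222222222222
[profile dev]
aws_access_key_id=AKIAEXAMPLEPLACEHOLDER
EOF
check_aws_config "$SAMPLE_CONFIG" || echo "config rejected, exit status $?"
```

Run it against your real file with `check_aws_config ~/.aws/config` before the first `aws-vault exec`; a clean file prints nothing and returns 0.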

Now that we have aws-vault installed and the AWS CLI configured, we can run the following command. It should generate a device authorization link from the CLI and automatically redirect you to your browser.

aws-vault exec {{profile}} -- aws s3 ls
https://device.sso.ap-southeast-2.amazonaws.com/?user_code=XXXX-XXXX

However, if you have multiple browsers or browser profiles, you can add the --stdout option so that the automatic browser redirection doesn’t occur. This way you can copy the printed link into the correct browser and authenticate there.

aws-vault exec {{profile}} --stdout -- aws s3 ls
https://device.sso.ap-southeast-2.amazonaws.com/?user_code=XXXX-XXXX

Once you follow the link in your chosen browser you will be able to click Approve request.

Your output should look something like the following:

Note: The bucket names have been obfuscated for security.

aws-vault exec {{profile}} --stdout -- aws s3 ls
https://device.sso.ap-southeast-2.amazonaws.com/?user_code=XXXX-XXXX
2024-02-13 16:31:12 bucket-name-2-XXXXXXXXXX
2024-08-18 10:14:13 bucket-name-1-XXXXXXXXXX

From now on you can leverage aws-vault to pass authenticated credentials to scripts or tools like Terragrunt or Terraform.