github.com-99designs-aws-vault_-_2019-12-24_03-04-27
Item Preview
A vault for securely storing and accessing AWS credentials in development environments
AWS Vault
AWS Vault is a tool to securely store and access AWS credentials in a development environment.
AWS Vault stores IAM credentials in your operating system's secure keystore and then generates temporary credentials from those to expose to your shell and applications. It's designed to be complementary to the AWS CLI tools, and is aware of your profiles and configuration in ~/.aws/config.
The supported backends are:
- macOS Keychain
- Windows Credential Manager
- Secret Service (Gnome Keyring, KWallet)
- KWallet
- Pass
- Encrypted file
Check out the announcement blog post for more details.
Installing
You can install aws-vault:- by downloading the latest release- on macOS via Homebrew Cask with brew cask install aws-vault- on Linux via Homebrew on Linux with brew install aws-vault- on Windows via choco with choco install aws-vault- on Archlinux via the AUR- by compiling with go get github.com/99designs/aws-vault
Basic Usage
```bash
Store AWS credentials for the "home" profile
$ aws-vault add homeEnter Access Key Id: ABDCDEFDASDASFEnter Secret Key: %%%
Execute a command (using temporary credentials)
$ aws-vault exec home -- aws s3 lsbucket1bucket2
open a browser window and login to the AWS Console
$ aws-vault login home
List credentials
$ aws-vault listProfile Credentials Sessions======= =========== ========home home -```See the USAGE document for more help and tips.
Security
bash$ aws-vault exec home -- env | grep AWSAWS_VAULT=homeAWS_REGION=us-east-1AWS_ACCESS_KEY_ID=%%%AWS_SECRET_ACCESS_KEY=%%%AWS_SESSION_TOKEN=%%%AWS_SECURITY_TOKEN=%%%
Notice in the above environment how a session token gets written out. This is because aws-vault uses Amazon's STS service to generate temporary credentials via the GetSessionToken or AssumeRole API calls. These expire in a short period of time, so the risk of leaking credentials is reduced.
The credentials are exposed to the subprocess in one of two ways:
Environment variables are written to the sub-process.
Local EC2 Instance Metadata server is started. This approach has the advantage that anything that uses Amazon's SDKs will automatically refresh credentials as needed, so session times can be as short as possible. The downside is that only one can run per host and because it binds to
169.254.169.254:80, your sudo password is required.
The default is to use environment variables, but you can opt-in to the local instance metadata server with the --server flag on the exec command.
Assuming Roles
Best-practice is to create Roles to delegate permissions.
First you'll need to create the users and roles in IAM. Next, edit your ~/.aws/config to add profiles with a role_arn. For example:
```ini[profile jonsmith]region = us-east-1
[profile prod-readonly]region=us-east-1rolearn = arn:aws:iam::111111111111:role/ReadOnlysourceprofile = jonsmith
[profile prod-admin]region=us-east-1rolearn = arn:aws:iam::111111111111:role/Administratorsourceprofile = jonsmith```
Now when you use the prod-admin profile, aws-vault will look in the jonsmith profile's keychain for credentials and then use those credentials to assume the Administrator role.
Using MFA
For security, you should also require that users provide a one-time key generated from a multi-factor authentication (MFA) device.
First you'll need to setup an MFA device. You can then set up IAM roles to enforce MFA. Next, add a line to the role profile that specifies the ARN of the user's MFA device. For example:
```ini[profile jonsmith]region = us-east-1
[profile prod-readonly]region=us-east-1rolearn = arn:aws:iam::111111111111:role/ReadOnlysourceprofile = jonsmith
[profile prod-admin]region=us-east-1rolearn = arn:aws:iam::111111111111:role/Administratormfaserial = arn:aws:iam::111111111111:mfa/jonsmithsource_profile = jonsmith```
Now when you use the prod-admin profile aws-vault will prompt you for an MFA token. This assumed role's session is stored in your keychain so you will only have to enter your MFA once.
macOS Code Signing
The macOS release builds are code-signed to avoid extra prompts in Keychain. You can verify this with:
$ codesign --verify --verbose $(which aws-vault)If you are developing or compiling the aws-vault binary yourself, you can generate a self-signed certificate by accessing Keychain Access > Certificate Assistant > Create Certificate > Code Signing Certificate. You can then sign your binary with:
$ go build .$ codesign --sign "Name of my certificate" ./aws-vaultReferences and Inspiration
- https://github.com/pda/aws-keychain
- https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html#create-iam-users
- https://github.com/makethunder/awsudo
- https://github.com/AdRoll/hologram
- https://github.com/realestate-com-au/credulous
- https://github.com/dump247/aws-mock-metadata
- https://boto.readthedocs.org/en/latest/botoconfigtut.html
To restore the repository download the bundle
wget https://archive.org/download/github.com-99designs-aws-vault_-_2019-12-24_03-04-27/99designs-aws-vault_-_2019-12-24_03-04-27.bundle git clone 99designs-aws-vault_-_2019-12-24_03-04-27.bundle Source: https://github.com/99designs/aws-vault
Uploader: 99designs
Upload date: 2019-12-24
- Originalurl
-
https://github.com/99designs/aws-vault
