How to secure your credentials on AWS CLI using AWS Vault
A third-party tool to secure your AWS programmatic access keys
There is an open issue with using the AWS CLI: your credentials are stored in a plain-text file, and anyone who has access to your machine can read those credentials and ruin your bank balance!
Let me show you. Check the .aws folder in your home directory:
➜ ~ ls -l ~/.aws
total 16
-rw------- 1 jag staff 25 Aug 12 22:19 config
-rw------- 1 jag staff 229 Aug 12 22:19 credentials
➜ ~
➜ ~ cat ~/.aws/credentials
[default]
aws_access_key_id = AXXD12345DJXXXXXXX
aws_secret_access_key = vjXXXX++TOP+SECRET***&%SH@!XXX
➜ ~
This is the same on Windows, Mac and Linux.
There is a solution.
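To see the exposure for yourself, the following added script (not part of the original post, and not an aws-vault tool) audits a credentials file for profiles that hold long-term IAM user keys in plaintext. It relies on the documented key-ID prefixes (long-term IAM user keys start with AKIA, STS-issued temporary keys with ASIA) and warns if the file is readable by anyone other than its owner. The sample credentials file is constructed and contains no real keys.

```shell
#!/bin/sh
# Audit a credentials file for long-term IAM user keys stored in plaintext.
# Constructed sample in the shape `aws configure` writes; the keys are not real.
SAMPLE_CREDENTIALS='[default]
aws_access_key_id = AKIACONSTRUCTED00001
aws_secret_access_key = CONSTRUCTED/SECRET/KEY/NOT/REAL

[short-lived]
aws_access_key_id = ASIACONSTRUCTED00002
aws_secret_access_key = CONSTRUCTED/SECRET/KEY/NOT/REAL
aws_session_token = CONSTRUCTED-SESSION-TOKEN'

# audit_credentials FILE
# Prints one finding per profile whose access key is a long-term key (AKIA...),
# plus a warning if the file is readable by group or others.
# Returns 0 when no long-term key is found, 1 otherwise.
audit_credentials() {
  file="$1"
  if [ ! -r "$file" ]; then
    echo "no credentials file at $file (nothing stored in plaintext)"
    return 0
  fi
  # Characters 5-10 of `ls -l` are the group/other permission bits.
  perms=$(ls -ld "$file" | cut -c5-10)
  if [ "$perms" != "------" ]; then
    echo "WARN: $file is readable by group or others (mode $(ls -ld "$file" | cut -c1-10))"
  fi
  found=0
  profile=""
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      \[*\])
        # Section header such as [default] names the profile.
        profile=${line#\[}; profile=${profile%\]} ;;
      aws_access_key_id*)
        key=${line#*=}
        key=$(printf '%s' "$key" | tr -d ' \t')
        case "$key" in
          AKIA*)
            echo "FOUND: profile [$profile] stores long-term key $(printf '%.4s' "$key")... in plaintext"
            found=1 ;;
          ASIA*)
            echo "info: profile [$profile] holds a temporary STS key (expires on its own)" ;;
        esac ;;
    esac
  done < "$file"
  return $found
}

# Demo against the constructed sample; point it at ~/.aws/credentials for a real check.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_CREDENTIALS" > "$tmp"
audit_credentials "$tmp"
rm -f "$tmp"
```

Run it as `sh audit-creds.sh` to see the findings for the constructed sample, or call `audit_credentials ~/.aws/credentials` to check your own machine; a non-zero exit status means at least one long-term key is sitting on disk in plaintext.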
AWS Vault is a third-party tool (by 99designs) for securely storing and accessing AWS credentials.
AWS Vault stores IAM credentials in your operating system's secure keystore and then generates temporary credentials from those to expose to your shell and applications. It's designed to be complementary to the AWS CLI tools.
Let's see how.
1) First, let's remove the existing credentials (if they exist):
rm -f ~/.aws/credentials
Let's check whether we can still access AWS resources:
# AWS CLI
➜ ~ aws s3 ls
Unable to locate credentials. You can configure credentials by running "aws configure".
# Terraform
➜ ec2-eip git:(master) ✗ terraform plan
╷
│ Error: error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
│
│ Please see https://registry.terraform.io/providers/hashicorp/aws
│ for more information about providing credentials.
│
│ Error: NoCredentialProviders: no valid providers in chain. Deprecated.
│ For verbose messaging see aws.Config.CredentialsChainVerboseErrors
│
│
│ with provider["registry.terraform.io/hashicorp/aws"],
│ on ec2-eip.tf line 1, in provider "aws":
│ 1: provider "aws" {
The example above shows that neither the AWS CLI nor Terraform works without credentials.
2) Install aws-vault using your favorite package manager. I use Homebrew on Mac.
brew install --cask aws-vault
Make sure it's installed:
➜ ~ aws-vault --version
v6.3.1
3) Add your AWS credentials to the vault:
➜ ~ aws-vault add personal
Enter Access Key ID: AXXD12345DJXXXXXXX
Enter Secret Access Key:
Added credentials to profile "personal" in vault
➜ ~
➜ ~ aws-vault add work
Enter Access Key ID: AXXQ9876DJXXXXXXX
Enter Secret Access Key:
Added credentials to profile "work" in vault
I added my personal and work accounts.
Note: you might be asked to create a keystore password.
4) Now let's use aws-vault to access the credentials:
# Execute a command (using temporary credentials)
aws-vault exec personal -- aws s3 ls
➜ ec2-eip git:(master) ✗ aws-vault exec personal -- aws s3 ls
2020-02-21 09:49:42 bucket1
2019-10-09 22:44:59 bucket2
2021-08-13 10:53:38 terraform-statefile
➜ ec2-eip git:(master) ✗ aws-vault exec personal -- terraform plan
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_eip.tf-eip will be created
+ resource "aws_eip" "tf-eip" {
+ allocation_id = (known after apply)
+ association_id = (known after apply)
...
...
It works!
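The point of `aws-vault exec` is that the child process only ever sees temporary STS credentials, never the long-term key you added to the vault. The following added script (not from the original post or the aws-vault project) lets you confirm that from inside an exec session: it checks the access-key prefix (ASIA for temporary, AKIA for long-term), requires a session token, and compares the expiry timestamp with the current time. The variable names AWS_VAULT and AWS_CREDENTIAL_EXPIRATION are what aws-vault v6 exports into the child environment; treat that as an assumption and verify against your installed version.

```shell
#!/bin/sh
# Verify that the AWS credentials in the current environment are temporary
# STS credentials (what aws-vault exec hands to the child process) rather
# than long-term IAM user keys. Assumes the aws-vault v6 variable names
# AWS_VAULT and AWS_CREDENTIAL_EXPIRATION.

check_temporary_creds() {
  key="${AWS_ACCESS_KEY_ID:-}"
  status=0
  if [ -z "$key" ]; then
    echo "FAIL: no AWS_ACCESS_KEY_ID in environment"
    return 1
  fi
  # Long-term IAM user keys start with AKIA; STS-issued temporary keys start with ASIA.
  case "$key" in
    ASIA*) echo "ok: access key is temporary ($(printf '%.4s' "$key")...)" ;;
    AKIA*) echo "FAIL: long-term IAM user key ($(printf '%.4s' "$key")...) is exposed to this process"; status=1 ;;
    *)     echo "WARN: unrecognised access key prefix $(printf '%.4s' "$key")" ;;
  esac
  # Temporary credentials always come with a session token.
  if [ -n "${AWS_SESSION_TOKEN:-}" ]; then
    echo "ok: session token present"
  else
    echo "FAIL: no AWS_SESSION_TOKEN"; status=1
  fi
  # Expiry is published as an RFC 3339 UTC timestamp, so a string comparison
  # against the current UTC time in the same layout is enough.
  exp="${AWS_CREDENTIAL_EXPIRATION:-}"
  now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  if [ -z "$exp" ]; then
    echo "WARN: no AWS_CREDENTIAL_EXPIRATION; cannot confirm expiry"
  elif expr "$exp" \> "$now" >/dev/null; then
    echo "ok: credentials valid until $exp"
  else
    echo "FAIL: credentials expired at $exp"; status=1
  fi
  return $status
}

# Only run automatically when launched inside an aws-vault exec session, e.g.
#   aws-vault exec personal -- sh check-creds.sh
if [ -n "${AWS_VAULT:-}" ]; then
  check_temporary_creds
fi
```

Running `aws-vault exec personal -- sh check-creds.sh` should print three `ok` lines; running the same check in a shell that still reads `~/.aws/credentials` directly reports the AKIA key and the missing session token, which is exactly the exposure the vault removes.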
# List credentials
➜ ec2-eip git:(master) ✗ aws-vault list
Profile                  Credentials              Sessions
=======                  ===========              ========
personal                 personal                 sts.GetSessionToken:52m26s
work                     work                     -
For more details, please refer to the 99designs GitHub page.