How to secure your credentials on AWS CLI using AWS Vault

A third-party tool to secure your AWS programmatic access keys


There is a well-known issue when using the AWS CLI: your credentials are stored in a plain-text file, and anyone who has access to your machine can read them and ruin your bank balance! 🤯

Let me show you. Check the .aws folder in your home directory:

➜  ~ ls -l ~/.aws
total 16
-rw-------  1 jag  staff   25 Aug 12 22:19 config
-rw-------  1 jag  staff  229 Aug 12 22:19 credentials
➜  ~
➜  ~ cat ~/.aws/credentials
[default]
aws_access_key_id = AXXD12345DJXXXXXXX
aws_secret_access_key = vjXXXX++TOP+SECRET***&%SH@!XXX
➜  ~

This is the same on Windows, Mac and Linux.

There is a solution 😎
AWS Vault is a third-party tool (by 99designs) to securely store and access AWS credentials.

AWS Vault stores IAM credentials in your operating system's secure keystore and then generates temporary credentials from those to expose to your shell and applications. It's designed to be complementary to the AWS CLI tools.

Let's see how.

1) First, let's remove the existing credentials (if they exist):

rm -f ~/.aws/credentials

Let's check whether we are still able to access AWS resources:

# AWS CLI
➜  ~ aws s3 ls

Unable to locate credentials. You can configure credentials by running "aws configure".

# Terraform
➜  ec2-eip git:(master) ✗ terraform plan
╷
│ Error: error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
│ 
│ Please see https://registry.terraform.io/providers/hashicorp/aws
│ for more information about providing credentials.
│ 
│ Error: NoCredentialProviders: no valid providers in chain. Deprecated.
│       For verbose messaging see aws.Config.CredentialsChainVerboseErrors
│ 
│ 
│   with provider["registry.terraform.io/hashicorp/aws"],
│   on ec2-eip.tf line 1, in provider "aws":
│    1: provider "aws" {

The example above shows that neither the AWS CLI nor Terraform works without credentials.

2) Install aws-vault using your favorite package manager. I use Homebrew on Mac:

brew install --cask aws-vault

Make sure it's installed:

➜  ~ aws-vault --version
v6.3.1

3) Add the AWS credentials to the vault:

➜  ~ aws-vault add personal
Enter Access Key ID: AXXD12345DJXXXXXXX
Enter Secret Access Key: 
Added credentials to profile "personal" in vault
➜  ~
➜  ~
➜  ~ aws-vault add work
Enter Access Key ID: AXXQ9876DJXXXXXXX
Enter Secret Access Key: 
Added credentials to profile "work" in vault

I added my personal and work accounts.

Note: you might be asked to create a keystore password.

4) Now let's use aws-vault to access the credentials:

# Execute a command (using temporary credentials)
aws-vault exec personal -- aws s3 ls
➜  ec2-eip git:(master) ✗ aws-vault exec personal -- aws s3 ls
2020-02-21 09:49:42 bucket1
2019-10-09 22:44:59 bucket2
2021-08-13 10:53:38 terraform-statefile
➜  ec2-eip git:(master) ✗ aws-vault exec personal -- terraform plan

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_eip.tf-eip will be created
  + resource "aws_eip" "tf-eip" {
      + allocation_id        = (known after apply)
      + association_id       = (known after apply)
      ...
      ...

It works 💪🏼

# List credentials
➜  ec2-eip git:(master) ✗ aws-vault list
Profile                  Credentials              Sessions
=======                  ===========              ========
personal                 personal                 sts.GetSessionToken:52m26s
work                     work                     -
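As an added check for the before/after of this procedure (example code, not from the post or the aws-vault project), here is a small POSIX sh audit that reports whether long-term keys still sit in plaintext on disk and whether the current shell only holds the temporary STS credentials that aws-vault exec injects. The AKIA/ASIA key-id prefixes and the AWS_VAULT variable are standard AWS and aws-vault behaviour; the file name audit.sh and the credentials path are assumptions.

```sh
#!/bin/sh
# Added example (not from the post or the aws-vault project): audit where AWS
# credentials live before and after adopting aws-vault. It checks whether
# long-term keys still sit in plaintext in ~/.aws/credentials and whether the
# current shell holds only temporary STS credentials, which is what
# "aws-vault exec <profile> -- <cmd>" injects into the child's environment.

# Classify an access key id by prefix: AKIA = long-term IAM user key,
# ASIA = temporary STS key (the kind aws-vault hands to the child process).
classify_access_key() {
  case "$1" in
    AKIA*) echo long-term ;;
    ASIA*) echo temporary ;;
    *)     echo unknown ;;
  esac
}

# Count plaintext secret keys in a credentials file (0 if the file is absent).
count_plaintext_secrets() {
  [ -f "$1" ] || { echo 0; return; }
  grep -Ec '^[[:space:]]*aws_secret_access_key[[:space:]]*=' "$1" || true
}

# What the environment holds: none, temporary (STS key + session token, as
# under aws-vault exec) or long-term (a permanent key exported into the shell).
env_credential_kind() {
  [ -n "${AWS_ACCESS_KEY_ID:-}" ] || { echo none; return; }
  if [ -n "${AWS_SESSION_TOKEN:-}" ] &&
     [ "$(classify_access_key "$AWS_ACCESS_KEY_ID")" = temporary ]; then
    echo temporary
  else
    echo long-term
  fi
}

# Verdict: succeeds only when no plaintext secret is on disk and the shell holds
# no long-term key. Path defaults to ~/.aws/credentials (assumed location).
audit_aws_credentials() {
  f="${1:-$HOME/.aws/credentials}"
  n="$(count_plaintext_secrets "$f")"
  kind="$(env_credential_kind)"
  echo "plaintext secrets in $f: $n"
  echo "credentials in environment: $kind${AWS_VAULT:+ (aws-vault profile $AWS_VAULT)}"
  [ "$n" -eq 0 ] && [ "$kind" != long-term ]
}
# Usage: run plain for the "before" state, then
#   aws-vault exec personal -- sh -c '. ./audit.sh && audit_aws_credentials'
# to confirm only temporary credentials reach the child shell.
```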

For more details, please refer to the 99designs GitHub page.