aws-vault - the best way to manage AWS credentials for multiple accounts
One of the best open-source tools for working with AWS that you may not have heard of is aws-vault.
https://github.com/99designs/aws-vault
Back at Gruntwork, where we did complex multi-account deployments into AWS for customers every day, aws-vault was a standard-issue tool.
Table of contents
- aws-vault makes you more secure
- aws-vault makes it easier to manage multiple accounts
- Interoperate with AWS IAM credentials and IAM roles
- aws-vault makes you faster
- aws-vault makes it easier to manage AWS accounts across a team
aws-vault makes you more secure
Using aws-vault is the antidote to hard-coding or exposing your permanent AWS credentials, your AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
When you run a command such as the following to list all your S3 buckets:
aws-vault exec staging -- aws s3 ls
aws-vault calls AWS's Security Token Service (STS) to obtain temporary credentials (a session token for a plain IAM-user profile, or assumed-role credentials when the profile names a role_arn) and hands those, not your stored keys, to the command, so your scripts interact with AWS resources securely.
That means the command after the double dash (--) never receives your permanent AWS credentials, only temporary ones generated by STS.
This is a major boon to your overall security posture. aws-vault keeps your actual secrets in your operating system's secure keychain or an equivalent secret store (macOS Keychain, Windows Credential Manager, the Linux Secret Service or KWallet, pass, or an encrypted file), and only aws-vault itself reads them, to sign the STS request.
If the temporary credentials leak somehow, the damage is bounded: they expire at the end of their session duration, which is hours, not forever. If you hard-code your keys or write them into your shell environment, you are always at risk of accidentally exposing them, which is triply bad if these are credentials to your customers' accounts.
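As an added example (not code from the aws-vault project or from the original post), here is a small POSIX shell guard that checks the claim above from the inside of a script: it classifies whatever AWS_ACCESS_KEY_ID the environment holds, using the fact that IAM user access keys begin with AKIA while STS temporary keys begin with ASIA and are only valid together with AWS_SESSION_TOKEN, and refuses to run if the script was launched with permanent keys instead of through aws-vault exec. The key IDs and token in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the aws-vault project: a pre-flight guard that a
# deployment script can run so it refuses to proceed unless the credentials in
# its environment are the short-lived STS ones that `aws-vault exec` hands it.
#
# Facts used: access keys of IAM users begin with "AKIA"; temporary STS access
# keys begin with "ASIA" and are only valid together with AWS_SESSION_TOKEN.
# `aws-vault exec <profile> -- cmd` exports AWS_ACCESS_KEY_ID,
# AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN (plus AWS_VAULT=<profile>) to cmd.

# aws_key_kind KEY_ID SESSION_TOKEN
# Prints one of: none, long-lived, temporary, malformed, unknown.
aws_key_kind() {
  case "$1" in
    "")    echo none ;;
    AKIA*) echo long-lived ;;
    ASIA*) if [ -n "$2" ]; then echo temporary; else echo malformed; fi ;;
    *)     echo unknown ;;
  esac
}

# require_temporary_credentials
# Returns 0 only when the calling environment holds STS credentials; otherwise
# explains what is wrong on stderr and returns 1 so `set -e` scripts stop here.
require_temporary_credentials() {
  kind=$(aws_key_kind "${AWS_ACCESS_KEY_ID:-}" "${AWS_SESSION_TOKEN:-}")
  case "$kind" in
    temporary)
      return 0 ;;
    none)
      echo "refusing to run: no AWS credentials in the environment." >&2
      echo "run this under aws-vault, e.g.: aws-vault exec <profile> -- ./deploy.sh" >&2
      return 1 ;;
    long-lived)
      echo "refusing to run: AWS_ACCESS_KEY_ID is a permanent IAM user key (AKIA...)." >&2
      echo "do not export it; let aws-vault exec mint temporary credentials instead." >&2
      return 1 ;;
    *)
      echo "refusing to run: AWS credentials look $kind (ASIA key without a session token, or an unrecognised prefix)." >&2
      return 1 ;;
  esac
}

# Demo with constructed, non-functional values shaped like real key IDs.
# Run as:  sh guard.sh --demo
if [ "${1:-}" = "--demo" ]; then
  ( export AWS_ACCESS_KEY_ID=ASIAEXAMPLE0000000001 AWS_SESSION_TOKEN=constructed-session-token
    require_temporary_credentials ) && echo "temporary credentials: allowed"
  ( export AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000001; unset AWS_SESSION_TOKEN
    require_temporary_credentials ) || echo "long-lived credentials: blocked"
fi
```

Source the file at the top of any deployment script and call require_temporary_credentials before the first AWS call. Note that aws-vault exec --no-session deliberately passes your stored long-lived keys through to the command for a profile without a role, so the guard would (correctly) stop such a run; if some workflow relies on that flag, make it an explicit exception rather than weakening the check.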
aws-vault makes it easier to manage multiple accounts
aws-vault helps you sanely manage multiple AWS accounts, each with its own custom alias.
This allows you to run
aws-vault exec staging -- aws s3 ls
to list all the S3 buckets in your staging account. Switching to prod is then as easy as
aws-vault exec prod -- aws s3 ls
Interoperate with AWS IAM credentials and IAM roles
aws-vault supports both IAM credentials (for individual IAM users) as well as IAM roles, which are preferred from a security and auditability perspective.
For example, here's an aws-vault config file (the standard ~/.aws/config, which aws-vault reads) that creates three profiles with a default AWS region of us-east-1:
[default]
region = us-east-1

# Long-lived keys for this IAM user are stored in the OS keychain via: aws-vault add jonsmith
[profile jonsmith]
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

# Assume a read-only role in account 222222222222 using jonsmith's credentials
[profile foo-readonly]
source_profile = jonsmith
role_arn = arn:aws:iam::222222222222:role/ReadOnly

# Assume an admin role in the same account; MFA is required explicitly for this profile
[profile foo-admin]
source_profile = jonsmith
role_arn = arn:aws:iam::222222222222:role/Administrator
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith
This configuration lets you assume different IAM roles in other AWS accounts from a single set of stored user credentials (both foo-readonly and foo-admin assume their roles via jonsmith), while still requiring multi-factor authentication for the sensitive admin role.
aws-vault makes you faster
In addition to the security benefits, aws-vault makes you faster:
Logging in to the console via aws-vault
aws-vault login your-profile
This command will open a browser window and automatically log you into the AWS Management Console for the specified profile.
Logging into the console via aws-vault when using container tabs
Need to paste the login string into a browser tab? Perhaps because you're using separate browser tabs for each account?
Pass the -s flag to print the login URL to stdout instead of opening a browser, then pipe it to your platform's clipboard utility: pbcopy on macOS, or xsel -b (or xclip -selection clipboard) on Linux.
aws-vault login -s your-profile | pbcopy
Quickly executing arbitrary commands via the AWS command line tool
aws-vault exec your-profile -- aws s3 ls
This will execute the aws s3 ls command using the temporary credentials for the specified profile. You can substitute any AWS CLI command here.
aws-vault makes it easier to manage AWS accounts across a team
By using aws-vault, your team can securely share access to multiple AWS accounts without the risk of accidentally exposing long-lived credentials.
Each team member can have their own IAM user with appropriate permissions, and assume roles in other accounts as needed.
aws-vault's configuration files are just text with no secrets in them, so you can share them across your team. They are only half of the equation: each team member still stores their own long-lived keys locally in their keychain (aws-vault add <profile>).
That said, you can go pretty crazy with this piece if you wish. At Gruntwork, we had utilities built into our CLI tools that would auto-generate aws-vault configuration files to target AWS accounts, allowing team members to access them quickly.
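As an added example of that kind of utility (my code, not Gruntwork's or aws-vault's), here is a POSIX shell generator that turns a small account list into the shareable, secret-free half of ~/.aws/config, in the same shape as the config shown in the IAM roles section above: one source profile whose keys live in each person's keychain, plus one role-assuming profile per account and role. The account-list format, the account IDs and the role names are constructed for the example; the generator validates that each account ID is exactly 12 digits so a typo cannot produce a broken role ARN.

```shell
#!/bin/sh
# Added example, not Gruntwork's or aws-vault's code: generate the shareable,
# secret-free half of ~/.aws/config for a team from a small account list.
# Output shape: one source profile (keys stored separately in each person's
# keychain with `aws-vault add <source-profile>`), then one role-assuming
# profile per account/role. mfa_serial is written on every role profile so MFA
# is required explicitly rather than relying on inheritance from the source.
#
# Account list format (constructed for this example; one entry per line,
# blank lines and lines starting with # are ignored):
#   <profile-alias> <12-digit-account-id> <role-name>

# gen_aws_config SOURCE_PROFILE MFA_SERIAL REGION  < account_list
# Writes the config to stdout; returns 1 without finishing if an entry is invalid.
gen_aws_config() {
  src=$1; mfa=$2; region=$3
  printf '[default]\nregion = %s\n\n' "$region"
  printf '[profile %s]\nmfa_serial = %s\n' "$src" "$mfa"
  while read -r name account role; do
    case "$name" in ""|\#*) continue ;; esac
    # An AWS account id is exactly 12 digits; reject anything else rather than
    # emit a role ARN that can never be assumed.
    case "$account" in *[!0-9]*|"") account="" ;; esac
    if [ -z "$account" ] || [ "${#account}" -ne 12 ]; then
      echo "gen_aws_config: bad account id for profile '$name'" >&2
      return 1
    fi
    # Profile aliases and role names: restrict to the characters IAM allows in
    # role names, which also keeps the INI output well-formed.
    if [ -z "$role" ]; then
      echo "gen_aws_config: missing role name for profile '$name'" >&2
      return 1
    fi
    case "$name$role" in *[!A-Za-z0-9_+=,.@-]*)
      echo "gen_aws_config: bad profile or role name: '$name' / '$role'" >&2
      return 1 ;;
    esac
    printf '\n[profile %s]\nsource_profile = %s\nrole_arn = arn:aws:iam::%s:role/%s\nmfa_serial = %s\n' \
      "$name" "$src" "$account" "$role" "$mfa"
  done
}

# Usage (writes a fresh config; merge by hand if you already have one):
#   sh gen-aws-config.sh jonsmith arn:aws:iam::111111111111:mfa/jonsmith us-east-1 \
#       < accounts.txt > ~/.aws/config
if [ "$#" -eq 3 ]; then
  gen_aws_config "$@"
fi
```

Commit the account list alongside your infrastructure code and regenerate the config whenever an account or role is added; because the generated file contains only ARNs and profile names, it is safe to share, and each engineer still has to run aws-vault add for the source profile before any of the role profiles will work.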