This article kicks off a series of posts describing how to use aws-vault, a third party tool that helps engineers store and use AWS credentials securely in their local development and operational environments. The series will cover:

  1. installing aws-vault, using it to store credentials for an AWS account, and executing commands with those credentials safely
  2. assuming a role in an AWS account using short-term credentials
  3. assuming a role across AWS accounts by authenticating to one account and using those credentials to assume a role in another

Ok, let’s go!

This how-to describes the installation and usage of aws-vault, a third party tool that manages credentials for an AWS account.

Step-by-step guide

  1. Download the latest release.
  2. You may need to change the file’s permissions so that it is executable.
  3. Rename the executable file to “aws-vault” and ensure that it is in your path.
  4. To display the usage format, list of flags, and list of commands, enter either of the following commands:
    $ aws-vault
    $ aws-vault --help
  5. To store AWS credentials for use, enter:
    $ aws-vault add <profile>
    • Multiple profiles can be created by using this command repeatedly.
  6. Three prompts will appear:
    • The Access Key ID and Secret Key are those associated with your AWS account.
    • The passphrase is one that you create. You will need to enter this passphrase each time you execute a command using temporary credentials. This example shows a Linux variation of the workflow (OS X will use the macOS Keychain).
      Enter Access Key ID: <AWS_Access_Key>
      Enter Secret Access Key: <AWS_Secret_Key>
      Enter passphrase to unlock /path/to/.awsvault/keys/: <passphrase>
      Added credentials to profile "<profile>" in vault
  7. To execute an aws command using temporary credentials, enter a command like this one:
    $ aws-vault exec <profile> -- aws s3 ls
    Enter passphrase to unlock /path/to/.awsvault/keys/: <passphrase>
    <s3 buckets>
  8. To list all profiles and credentials added to your vault, enter:
    $ aws-vault list
    Profile              Credentials             Sessions
    =======              ===========             ========
    <profile_1>          <profile_1>             1234567890
    <profile_2>          <profile_2>
  9. To remove the credentials associated with a profile, enter:
    $ aws-vault remove <profile>
    • To remove only the sessions managed by aws-vault (keeping the stored credentials), use the --sessions-only flag.
      $ aws-vault remove <profile> --sessions-only
    • Note: Removing a profile only removes the credentials associated with it; the profile name will still be listed afterwards.
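Once a profile's keys have been stored with `aws-vault add` (step 5), the same long-lived key should no longer sit in plaintext in the shared credentials file that aws-vault is meant to replace. The following added example, which is not from this article or the aws-vault project, audits an AWS credentials file for profiles that still carry a static aws_secret_access_key; the file path and the sample contents are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not from the original article or the aws-vault project).
# Audits an INI-style AWS shared credentials file for long-lived keys that
# remain in plaintext after they have been moved into aws-vault.

# Print each [profile] section that still contains an aws_secret_access_key.
# Returns 1 if any such profile was found, 0 otherwise.
find_plaintext_keys() {
    local file="$1" section="" found=0 line
    [ -r "$file" ] || return 0            # no file means nothing to leak
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line#"${line%%[![:space:]]*}"}"   # strip leading whitespace
        case "$line" in
            \[*\])
                section="${line#[}"; section="${section%]}" ;;
            aws_secret_access_key*=*)
                echo "plaintext secret in profile: $section"; found=1 ;;
        esac
    done < "$file"
    return "$found"
}

# Constructed sample file: "dev" has been migrated to aws-vault (no secret
# line), "legacy" still holds a static key pair. Values are placeholders.
make_sample_file() {
    local f
    f="$(mktemp)"
    cat > "$f" <<'EOF'
[dev]
region = us-east-1

[legacy]
aws_access_key_id = AKIA_PLACEHOLDER_ID
    aws_secret_access_key = PLACEHOLDER_SECRET
EOF
    echo "$f"
}

# Demonstration run; exit status 1 from the audit means remediation is needed.
sample="$(make_sample_file)"
if find_plaintext_keys "$sample"; then
    echo "no plaintext secrets found; credentials live only in aws-vault"
else
    echo "store these with 'aws-vault add <profile>' and delete the secret lines"
fi
rm -f "$sample"
```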

Further Reading

This article is the first in a series of instructional posts for using the aws-vault tool. In Part 2, you will learn how to use aws-vault to assume a role in an AWS account safely.