This article kicks off a series of posts describing how to use aws-vault, a third party tool that helps engineers store and use AWS credentials securely in their local development and operational environments. The series will cover:

  1. installing aws-vault and using it to manage credentials for an AWS account and using aws-vault to execute commands with those credentials safely
  2. assuming a role in an AWS account using short-term credentials
  3. assuming a role across AWS accounts by authenticating to one account and using those credentials to assume a role in another

Update: We built k9 Security to help Cloud engineers understand and improve their AWS Security policies quickly and continuously.  Check out how k9 can help you Go Fast, Safely.

Ok, let’s go!

This how-to describes installation and use of aws-vault, a third party tool that manages credentials for an AWS account.

Step-by-step guide

  1. Download the latest release.
  2. You may need to change the file’s permissions so that it is executable.
  3. Rename the executable file to “aws-vault” and ensure that it is in your path.
  4. To display the usage format, list of flags, and list of commands, enter either of the following commands:
    $ aws-vault
    $ aws-vault --help
  5. To store AWS credentials for use, enter:
    $ aws-vault add <profile>
    • Multiple profiles can be created by using this command repeatedly.
  6. Three prompts will appear:
    • The Access Key ID and Secret Key are those associated with your AWS account.
    • The passphrase is one that you create. You will need to enter this passphrase each time you execute a command using temporary credentials. This example shows a Linux variation of the workflow (OS X will use the macOS Keychain).
      Enter Access Key ID: <AWS_Access_Key>
      Enter Secret Access Key: <AWS_Secret_Key>
      Enter passphrase to unlock /path/to/.awsvault/keys/: <passphrase>
      Added credentials to profile "<profile>" in vault
  7. To execute an aws command using temporary credentials, enter a command like this one:
    $ aws-vault exec <profile> -- aws s3 ls
    Enter passphrase to unlock /path/to/.awsvault/keys/: <passphrase>
    <s3 buckets>
  8. To list all profiles and credentials added to your vault, enter:
    $ aws-vault list
    Profile              Credentials             Sessions
    =======              ===========             ========
    <profile_1>          <profile_1>             1234567890
    <profile_2>          <profile_2>
  9. To remove the credentials associated with a profile, enter:
    $ aws-vault remove <profile>
    • To remove sessions managed by aws-vault, use the –session-only flag.
      $ aws-vault remove <profile> --sessions-only
    • (warning) Note: Removing a profile only removes the credentials associated with a profile, you will still see the profile name listed after removing the credentials.

Further Reading

This article is the first in a series of instructional posts for using the aws-vault tool. In Part 2, you will learn how to use aws-vault to assume a role in an AWS account safely.