This how-to will guide you through the configuration of IAM roles in aws-vault and assuming those roles so that you can execute AWS commands as that role while protecting your credentials.

This article is the second in a series on using aws-vault to manage your AWS credentials safely.  Part 1 covered managing credentials for an AWS account and using aws-vault to execute commands.

Update: We built k9 Security to help Cloud engineers understand and improve their AWS Security policies quickly and continuously.  Check out how k9 can help you Go Fast, Safely.

Step-by-step guide

  1. In order to follow this guide, be sure you have set up aws-vault to manage credentials for an AWS account.
  2. Assuming you’ve added one or more profiles using aws-vault, your ~/.aws/config file should look similar to this:
    • One line should be present for each profile you’ve added. If no profiles have been added, the file should be empty.
      [profile <profile_1>]
      
      [profile <profile_2>]
  3. Use the IAM web console to find the ARN of the role you want to assume. If you do not have access to the console, you may need to request the ARN from someone who does.
  4. As an example, this guide will authenticate via a read-only profile and then assume a higher privilege role called admin.
    • You may assume either a higher or a lower privilege role from an account with the same credentials.
  5. Edit your ~/.aws/config file so that it resembles the following block:
    • Add a new profile: [profile admin]
    • Link it with existing credentials: source_profile = read-only
    • Add the role ARN: role_arn = arn:aws:iam::1234567890:role/iam_role
      [profile read-only]
      
      [profile admin]
      source_profile = read-only
      role_arn = arn:aws:iam::1234567890:role/iam_role
  6. Having added the new role and associated it with existing credentials, execute an aws command using the new role:
    $ aws-vault exec admin -- aws s3 ls
    Enter passphrase to unlock /path/to/.awsvault/keys/: <passphrase>
    <s3 buckets>
  7. Note: the form of an aws-vault exec command is the same whether you use an AWS user or assume an AWS role. In both cases, pass the name of a profile saved with aws-vault.
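A way to check the source_profile / role_arn linkage from steps 2 to 5 before running aws-vault exec, as an added example that is not part of the original post or of the aws-vault project: it parses a ~/.aws/config in the layout shown above and resolves which profile actually holds the credentials and which role ARN will be assumed, and it also follows chains of source_profile entries, which this guide does not cover. The sample config, the regex and the function names are constructed for this illustration.

```python
import configparser
import re

# Constructed sample ~/.aws/config in the layout this guide builds up.
SAMPLE_CONFIG = """[profile read-only]

[profile admin]
source_profile = read-only
role_arn = arn:aws:iam::1234567890:role/iam_role
"""

# Real AWS account IDs are 12 digits; the guide's placeholder is shorter, so
# only the overall arn:aws...:iam::<digits>:role/<name> shape is checked here.
ROLE_ARN_RE = re.compile(r"^arn:aws[\w-]*:iam::\d+:role/[\w+=,.@/-]+$")


def load_profiles(config_text: str) -> dict:
    """Parse ~/.aws/config text into {profile_name: {key: value}}."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    profiles = {}
    for section in parser.sections():
        # Sections are written "[profile <name>]"; only "[default]" lacks the prefix.
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(parser[section])
    return profiles


def resolve_profile(config_text: str, profile: str) -> dict:
    """Follow source_profile links from `profile` down to the profile whose credentials
    aws-vault holds; role_chain lists the roles assumed on the way, outermost last."""
    profiles = load_profiles(config_text)
    chain, seen, current = [], set(), profile
    while True:
        if current not in profiles:
            raise ValueError(f"profile '{current}' is not defined")
        if current in seen:
            raise ValueError(f"source_profile loop through '{current}'")
        seen.add(current)
        entry = profiles[current]
        role_arn, source = entry.get("role_arn"), entry.get("source_profile")
        if role_arn is None and source is None:
            # Base profile: its credentials are the ones stored in aws-vault's keyring.
            return {"credentials_profile": current, "role_chain": chain}
        if role_arn is None or source is None:
            raise ValueError(f"profile '{current}' needs both source_profile and role_arn")
        if not ROLE_ARN_RE.match(role_arn):
            raise ValueError(f"profile '{current}': malformed role_arn {role_arn!r}")
        chain.insert(0, role_arn)
        current = source
```

For the config above, resolving "admin" reports read-only as the credentials profile and the single role ARN as the chain; a source_profile that names a profile missing from the file raises ValueError, which is the same mistake that would make aws-vault exec fail.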

Further Reading

This article is the second in a series of instructional posts regarding the aws-vault tool. The final one is about using the tool to assume a role in one account from a separate trusted account.