This how-to will guide you through the configuration of IAM roles in aws-vault and assuming those roles so that you can execute AWS commands as that role while protecting your credentials.
This article is the second in a series on using aws-vault to manage your AWS credentials safely. Part 1 covered managing credentials for an AWS account and using aws-vault to execute commands.
Update: We built k9 Security to help Cloud engineers understand and improve their AWS Security policies quickly and continuously. Check out how k9 can help you Go Fast, Safely.
Step-by-step guide
- In order to follow this guide, be sure you have set up aws-vault to manage credentials for an AWS account.
- Assuming you’ve added one or more profiles using aws-vault, your ~/.aws/config file should look similar to this:

```ini
[profile <profile_1>]
[profile <profile_2>]
```

- One `[profile ...]` line should be present for each profile you’ve added. If no profiles have been added, the file should be empty.
- Use the IAM web console to find the ARN of the role you want to assume (IAM → Roles → the role’s summary page shows its ARN).
If you do not have access to the console, request the ARN from someone who does.
- As an example, this guide authenticates with a read-only profile and then assumes a higher-privilege role called admin.
- You may assume either a higher- or a lower-privilege role using the same credentials; what matters is that the role’s trust policy allows the principal behind your source profile to assume it, and that the principal is permitted to call sts:AssumeRole.
- Edit your ~/.aws/config file so that it resembles the following block:
  - Add a new profile: [profile admin]
  - Link it with existing credentials: source_profile = read-only
  - Add the role ARN you looked up: role_arn = arn:aws:iam::1234567890:role/iam_role (a placeholder here; a real account ID is 12 digits)

```ini
[profile read-only]

[profile admin]
source_profile = read-only
role_arn = arn:aws:iam::1234567890:role/iam_role
```
- Having added the new profile and associated it with existing credentials, execute an aws command using the new role:

```shell
$ aws-vault exec admin -- aws s3 ls
Enter passphrase to unlock /path/to/.awsvault/keys/: <passphrase>
<s3 buckets>
```
Note: The composition of aws-vault exec commands is the same whether you use an AWS user or assume an AWS role. In both cases, use a profile name saved with aws-vault.
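The steps above amount to appending a three-line profile stanza to ~/.aws/config, and the most common failures are a mistyped source_profile, a duplicate profile name, or a malformed role ARN, each of which aws-vault only reports at exec time. The following shell script is an added example, not code from the original post or from the aws-vault project: it writes the stanza after checking those three things, against a throwaway config file rather than your real one. The profile names, the 12-digit account ID 123456789012 and the helper names are constructed placeholders; the verification command at the end (aws sts get-caller-identity) is a real AWS CLI command but needs aws-vault and network access, so it is shown as a comment.

```shell
#!/bin/sh
# Added example (not from the original post): append an assume-role profile
# to an aws-vault/AWS CLI config file after sanity checks.
# Names, paths and the 12-digit account ID are constructed placeholders.

# profile_exists CONFIG NAME -> succeeds if "[profile NAME]" is in CONFIG
profile_exists() {
    grep -Fxq "[profile $2]" "$1" 2>/dev/null
}

# valid_role_arn ARN -> succeeds if ARN looks like
# arn:aws:iam::<12-digit account id>:role/<name or path/name>
valid_role_arn() {
    printf '%s\n' "$1" | grep -Eq '^arn:aws(-[a-z]+)?:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$'
}

# add_role_profile CONFIG NEW_PROFILE SOURCE_PROFILE ROLE_ARN
# Appends:
#   [profile NEW_PROFILE]
#   source_profile = SOURCE_PROFILE
#   role_arn = ROLE_ARN
# Fails (non-zero exit) if the source profile is missing, the new profile
# already exists, or the ARN is malformed, so a typo does not silently
# produce a profile that `aws-vault exec` cannot use.
add_role_profile() {
    config=$1; new=$2; src=$3; arn=$4
    if ! profile_exists "$config" "$src"; then
        echo "error: source profile '$src' not found in $config" >&2; return 1
    fi
    if profile_exists "$config" "$new"; then
        echo "error: profile '$new' already exists in $config" >&2; return 1
    fi
    if ! valid_role_arn "$arn"; then
        echo "error: '$arn' is not a well-formed IAM role ARN" >&2; return 1
    fi
    printf '\n[profile %s]\nsource_profile = %s\nrole_arn = %s\n' \
        "$new" "$src" "$arn" >> "$config"
}

# Demo against a temporary config instead of the real ~/.aws/config.
demo_config=$(mktemp)
printf '[profile read-only]\n' > "$demo_config"
add_role_profile "$demo_config" admin read-only \
    arn:aws:iam::123456789012:role/iam_role
cat "$demo_config"

# With the stanza in your real ~/.aws/config, confirm which identity AWS
# sees (requires aws-vault and network access; not run here):
#   aws-vault exec admin -- aws sts get-caller-identity
# The "Arn" field should be an assumed-role ARN of the form
# arn:aws:sts::<account>:assumed-role/iam_role/<session>, not the ARN of
# the IAM user behind the read-only profile.
```

Run it as `sh add_role_profile.sh`; the get-caller-identity check is the quickest way to prove the command ran as the role rather than as the long-lived user, and it is worth doing once before trusting the profile for anything privileged.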
Further Reading
This article is the second in a series of instructional posts regarding the aws-vault tool. The final one is about using the tool to assume a role in one account from a separate trusted account.