
99designs/aws-vault

A vault for securely storing and accessing AWS credentials in development environments


Top Related Projects

  • sops: Simple and flexible tool for managing secrets
  • Vault: A tool for secrets management, encryption as a service, and privileged access management
  • sealed-secrets: A Kubernetes controller and tool for one-way encrypted Secrets
  • Blackbox: Safely store secrets in Git/Mercurial/Subversion

Quick Overview

aws-vault is a tool for securely storing and accessing AWS credentials in a development environment. It allows users to easily manage multiple AWS accounts and roles, providing a secure way to store credentials and generate temporary credentials for AWS CLI and SDK usage.

Pros

  • Enhances security by storing AWS credentials encrypted on the local file system
  • Supports multiple AWS accounts and roles, making it easy to switch between different environments
  • Generates temporary credentials, reducing the risk of long-lived access keys being compromised
  • Integrates well with various operating systems and credential storage mechanisms

Cons

  • Requires initial setup and configuration, which may be complex for new users
  • Can add an extra step to AWS CLI and SDK operations, potentially slowing down workflows
  • May conflict with other AWS credential management tools or scripts
  • Limited support for some advanced AWS authentication scenarios

Code Examples

  1. Adding a new AWS profile:

     aws-vault add myprofile

  2. Running an AWS CLI command using temporary credentials:

     aws-vault exec myprofile -- aws s3 ls

  3. Starting a new shell session with AWS credentials:

     aws-vault login myprofile

Getting Started

  1. Install aws-vault:

    • macOS: brew install aws-vault
    • Linux: Download the latest release from GitHub
    • Windows: Use Scoop or download the latest release from GitHub
  2. Add an AWS profile:

    aws-vault add myprofile
    
  3. Use aws-vault to run AWS CLI commands:

    aws-vault exec myprofile -- aws s3 ls
    
  4. For SDK usage, set the following environment variables:

    export AWS_VAULT=myprofile
    
  5. Run your application or script as usual, and aws-vault will handle credential management.

Competitor Comparisons

sops: Simple and flexible tool for managing secrets

Pros of sops

  • Supports multiple cloud providers and key management systems (AWS, GCP, Azure, PGP)
  • Encrypts specific values within files, allowing version control of encrypted files
  • Can be used with various file formats (YAML, JSON, ENV, INI)

Cons of sops

  • Requires manual encryption and decryption of files
  • Less integrated with AWS-specific workflows
  • May require additional setup for non-AWS environments

Code comparison

sops:

myapp:
    db:
        user: ENC[AES256_GCM,data:...]=
        password: ENC[AES256_GCM,data:...]=

aws-vault:

$ aws-vault exec myprofile -- aws s3 ls

Key differences

  • sops focuses on file-based encryption, while aws-vault manages AWS credentials
  • sops is more versatile for multi-cloud environments
  • aws-vault provides a simpler workflow for AWS-specific tasks
  • sops requires manual file handling, while aws-vault automates credential management

Use cases

  • Use sops for encrypting configuration files across multiple cloud providers
  • Choose aws-vault for streamlined AWS credential management and command execution

Vault: A tool for secrets management, encryption as a service, and privileged access management

Pros of Vault

  • More comprehensive secret management solution, supporting various backends and authentication methods
  • Offers advanced features like dynamic secrets, encryption as a service, and audit logging
  • Suitable for enterprise-level deployments and multi-cloud environments

Cons of Vault

  • More complex setup and configuration compared to aws-vault
  • Requires additional infrastructure and resources to run
  • Steeper learning curve for users and administrators

Code Comparison

aws-vault:

aws-vault exec myprofile -- aws s3 ls

Vault:

vault kv get -field=AWS_ACCESS_KEY_ID secret/aws/creds
vault kv get -field=AWS_SECRET_ACCESS_KEY secret/aws/creds
export AWS_ACCESS_KEY_ID="..."
export AWS_SECRET_ACCESS_KEY="..."
aws s3 ls

Summary

aws-vault is a lightweight tool specifically designed for managing AWS credentials, while Vault is a full-featured secret management platform. aws-vault excels in simplicity and ease of use for AWS-specific tasks, whereas Vault offers broader functionality and scalability for diverse secret management needs across multiple environments and services. The choice between the two depends on the scope of your project, infrastructure requirements, and the complexity of your secret management needs.

sealed-secrets: A Kubernetes controller and tool for one-way encrypted Secrets

Pros of sealed-secrets

  • Designed specifically for Kubernetes, providing native integration and security for K8s secrets
  • Allows version control of encrypted secrets, enhancing collaboration and auditing
  • Supports multiple encryption keys and key rotation for improved security

Cons of sealed-secrets

  • Limited to Kubernetes environments, less versatile for non-K8s use cases
  • Requires additional setup and management of the SealedSecret controller
  • May have a steeper learning curve for teams not familiar with Kubernetes concepts

Code Comparison

sealed-secrets:

apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: mysecret
spec:
  encryptedData:
    secret-key: AgBy3i4OJSWK+PiTySYZZA==

aws-vault:

$ aws-vault exec myprofile -- aws s3 ls
$ aws-vault add myprofile
$ aws-vault login myprofile

Summary

sealed-secrets is tailored for Kubernetes environments, offering robust secret management within K8s clusters. It excels in version control and key management but is limited to Kubernetes use cases. aws-vault, on the other hand, focuses on AWS credential management and is more versatile for general AWS interactions, but lacks the specific Kubernetes integration that sealed-secrets provides.

Blackbox: Safely store secrets in Git/Mercurial/Subversion

Pros of Blackbox

  • Supports multiple version control systems (Git, Mercurial, Subversion)
  • Can encrypt entire files, not just specific credentials
  • Works with any type of file, not limited to AWS credentials

Cons of Blackbox

  • Requires GPG for encryption, which can be complex to set up
  • Less focused on cloud service credentials management
  • May require more manual intervention for key rotation

Code Comparison

Blackbox (encrypting a file):

blackbox_edit_start secret.txt
# Edit the file
blackbox_edit_end secret.txt

aws-vault (using temporary credentials):

aws-vault exec myprofile -- aws s3 ls

Key Differences

  • Scope: Blackbox is a general-purpose encryption tool for VCS, while aws-vault focuses specifically on AWS credential management.
  • Encryption: Blackbox uses GPG for file encryption, aws-vault uses the OS keychain for credential storage.
  • Usage: Blackbox requires manual encryption/decryption of files, aws-vault automates credential retrieval and rotation.
  • Integration: aws-vault integrates tightly with AWS services, while Blackbox works with any file in version control.

Both tools aim to improve security practices, but aws-vault is more specialized for AWS environments, while Blackbox offers broader applicability across different version control systems and file types.


README

AWS Vault


AWS Vault is a tool to securely store and access AWS credentials in a development environment.

AWS Vault stores IAM credentials in your operating system's secure keystore and then generates temporary credentials from those to expose to your shell and applications. It's designed to be complementary to the AWS CLI tools, and is aware of your profiles and configuration in ~/.aws/config.

Check out the announcement blog post for more details.

Installing

You can install AWS Vault:

  • by downloading the latest release
  • on macOS with Homebrew Cask: brew install --cask aws-vault
  • on macOS with MacPorts: port install aws-vault
  • on Windows with Chocolatey: choco install aws-vault
  • on Windows with Scoop: scoop install aws-vault
  • on Linux with Homebrew on Linux: brew install aws-vault
  • on Arch Linux: pacman -S aws-vault
  • on Gentoo Linux: emerge --ask app-admin/aws-vault (enable Guru first)
  • on FreeBSD: pkg install aws-vault
  • on OpenSUSE: enable devel:languages:go repo then zypper install aws-vault
  • with Nix: nix-env -i aws-vault
  • with asdf-vm: asdf plugin-add aws-vault https://github.com/karancode/asdf-aws-vault.git && asdf install aws-vault <version>

Documentation

Config, usage, tips and tricks are available in the USAGE.md file.

Vaulting Backends

The supported vaulting backends are:

Use the --backend flag or AWS_VAULT_BACKEND environment variable to specify.

Quick start

# Store AWS credentials for the "jonsmith" profile
$ aws-vault add jonsmith
Enter Access Key Id: ABDCDEFDASDASF
Enter Secret Key: %%%

# Execute a command (using temporary credentials)
$ aws-vault exec jonsmith -- aws s3 ls
bucket_1
bucket_2

# open a browser window and login to the AWS Console
$ aws-vault login jonsmith

# List credentials
$ aws-vault list
Profile                  Credentials              Sessions
=======                  ===========              ========
jonsmith                 jonsmith                 -

# Start a subshell with temporary credentials
$ aws-vault exec jonsmith
Starting subshell /bin/zsh, use `exit` to exit the subshell
$ aws s3 ls
bucket_1
bucket_2

How it works

aws-vault uses Amazon's STS service to generate temporary credentials via the GetSessionToken or AssumeRole API calls. These expire in a short period of time, so the risk of leaking credentials is reduced.

AWS Vault then exposes the temporary credentials to the sub-process in one of two ways:

  1. Environment variables are written to the sub-process. Notice in the example below how the AWS credentials get written out:
    $ aws-vault exec jonsmith -- env | grep AWS
    AWS_VAULT=jonsmith
    AWS_DEFAULT_REGION=us-east-1
    AWS_REGION=us-east-1
    AWS_ACCESS_KEY_ID=%%%
    AWS_SECRET_ACCESS_KEY=%%%
    AWS_SESSION_TOKEN=%%%
    AWS_CREDENTIAL_EXPIRATION=2020-04-16T11:16:27Z
    
  2. Local metadata server is started. This approach has the advantage that anything that uses Amazon's SDKs will automatically refresh credentials as needed, so session times can be as short as possible.
    $ aws-vault exec --server jonsmith -- env | grep AWS
    AWS_VAULT=jonsmith
    AWS_DEFAULT_REGION=us-east-1
    AWS_REGION=us-east-1
    AWS_CONTAINER_CREDENTIALS_FULL_URI=%%%
    AWS_CONTAINER_AUTHORIZATION_TOKEN=%%%
    

The default is to use environment variables, but you can opt-in to the local instance metadata server with the --server flag on the exec command.
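The following is an added example, not code from the aws-vault project, that models the --server hand-off described above on a loopback port. The parent holds the session and serves credentials; the child only receives the endpoint URL and a per-session Authorization token through the two AWS_CONTAINER_* variables, and an SDK-style client re-fetches when the cached credentials are close to expiry. The JSON field names follow the container credential provider response format that SDKs read from such an endpoint; the credential values, the issuer class and the refresh margin are constructed for the example and are not real AWS material or aws-vault internals.

```python
"""Added example (not aws-vault's code): toy model of the --server hand-off."""
import json
import secrets
import threading
from datetime import datetime, timedelta, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # same shape as AWS_CREDENTIAL_EXPIRATION above


class CredentialIssuer:
    """Stand-in for the STS-backed session held by the parent process."""

    def __init__(self, lifetime_seconds=900):
        self.lifetime = timedelta(seconds=lifetime_seconds)
        self.issued = 0  # how many times a child asked for fresh credentials

    def issue(self):
        self.issued += 1
        expiry = datetime.now(timezone.utc) + self.lifetime
        return {  # field names follow the container credential provider response
            "AccessKeyId": f"ASIAEXAMPLE{self.issued:04d}",  # constructed value
            "SecretAccessKey": secrets.token_hex(20),  # constructed value
            "Token": secrets.token_urlsafe(32),  # constructed value
            "Expiration": expiry.strftime(TIME_FMT),
        }


def start_credential_server(issuer):
    """Serve credentials on 127.0.0.1 behind a random bearer token.
    Returns (uri, token, server); the caller sets the AWS_CONTAINER_* vars."""
    token = secrets.token_urlsafe(24)

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            # The token is the access control: any local process can reach
            # loopback, but only the child that was handed the token through
            # its environment gets a 200.
            if self.headers.get("Authorization") != token:
                self.send_response(401)
                self.end_headers()
                return
            body = json.dumps(issuer.issue()).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):
            pass  # keep the example quiet

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}/", token, server


class ContainerCredentialProvider:
    """Client side: what an SDK does when it sees the AWS_CONTAINER_* vars.
    Credentials are cached and re-fetched once within `margin_seconds` of
    expiry, which is why sessions can be kept short with --server."""

    def __init__(self, env, margin_seconds=300):
        self.uri = env["AWS_CONTAINER_CREDENTIALS_FULL_URI"]
        self.token = env["AWS_CONTAINER_AUTHORIZATION_TOKEN"]
        self.margin = timedelta(seconds=margin_seconds)
        self._cached = None

    def _needs_refresh(self):
        if self._cached is None:
            return True
        expires = datetime.strptime(self._cached["Expiration"], TIME_FMT)
        expires = expires.replace(tzinfo=timezone.utc)
        return expires - datetime.now(timezone.utc) < self.margin

    def get(self):
        if self._needs_refresh():
            req = Request(self.uri, headers={"Authorization": self.token})
            with urlopen(req, timeout=2) as resp:
                self._cached = json.load(resp)
        return self._cached


def probe_without_token(uri):
    """HTTP status seen by a process that knows the URL but not the token."""
    try:
        with urlopen(Request(uri), timeout=2) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


if __name__ == "__main__":
    issuer = CredentialIssuer()
    uri, token, server = start_credential_server(issuer)
    env = {"AWS_CONTAINER_CREDENTIALS_FULL_URI": uri,
           "AWS_CONTAINER_AUTHORIZATION_TOKEN": token}
    print(ContainerCredentialProvider(env).get()["AccessKeyId"])
    print("without token:", probe_without_token(uri))
    server.shutdown()
```

The point the toy model makes is that with --server the long-lived session never enters the child's environment: a process that only has the URL gets a 401, and the child refreshes short-lived credentials on demand instead of holding a fixed AWS_SESSION_TOKEN until it expires.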

Roles and MFA

Best-practice is to create Roles to delegate permissions. For security, you should also require that users provide a one-time key generated from a multi-factor authentication (MFA) device.

First you'll need to create the users and roles in IAM, as well as setup an MFA device. You can then set up IAM roles to enforce MFA.

Here's an example configuration using roles and MFA:

[default]
region = us-east-1

[profile jonsmith]
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

[profile foo-readonly]
source_profile = jonsmith
role_arn = arn:aws:iam::22222222222:role/ReadOnly

[profile foo-admin]
source_profile = jonsmith
role_arn = arn:aws:iam::22222222222:role/Administrator
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

[profile bar-role1]
source_profile = jonsmith
role_arn = arn:aws:iam::333333333333:role/Role1
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

[profile bar-role2]
source_profile = bar-role1
role_arn = arn:aws:iam::333333333333:role/Role2
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

Here's what you can expect from aws-vault:

Command                                   Credentials                     Cached          MFA
=======                                   ===========                     ======          ===
aws-vault exec jonsmith --no-session      Long-term credentials           No              No
aws-vault exec jonsmith                   session-token                   session-token   Yes
aws-vault exec foo-readonly               role                            No              No
aws-vault exec foo-admin                  session-token + role            session-token   Yes
aws-vault exec foo-admin --duration=2h    role                            role            Yes
aws-vault exec bar-role2                  session-token + role + role     session-token   Yes
aws-vault exec bar-role2 --no-session     role + role                     role            Yes
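As an added example, not aws-vault's own code, the script below parses the README's example config, walks each profile's source_profile chain back to the profile that holds long-term keys, reports whether MFA will be prompted and which accounts the chain crosses, and rebuilds the Credentials column of the table above. The chain-resolution and cycle check are plain config logic; the credential_plan rule (a session token is taken first only when the executed profile carries mfa_serial, and each role_arn hop is one role step) is inferred from the table rows, not taken from aws-vault's source, and the --duration=2h row is not modelled.

```python
"""Added example (not aws-vault's code): resolve profile chains from the
README's example ~/.aws/config and predict what the table above shows."""
import configparser

# The README's example config, embedded so the example runs offline.
SAMPLE_CONFIG = """
[default]
region = us-east-1

[profile jonsmith]
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

[profile foo-readonly]
source_profile = jonsmith
role_arn = arn:aws:iam::22222222222:role/ReadOnly

[profile foo-admin]
source_profile = jonsmith
role_arn = arn:aws:iam::22222222222:role/Administrator
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

[profile bar-role1]
source_profile = jonsmith
role_arn = arn:aws:iam::333333333333:role/Role1
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

[profile bar-role2]
source_profile = bar-role1
role_arn = arn:aws:iam::333333333333:role/Role2
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith
"""


def parse_aws_config(text):
    """Return {profile_name: {key: value}} with the 'profile ' prefix
    stripped, the naming the AWS CLI uses for ~/.aws/config sections."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    profiles = {}
    for section in cp.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(cp[section])
    return profiles


def resolve_chain(profiles, name):
    """Follow source_profile links back to the profile holding long-term keys.
    Returns the chain root-first; raises on unknown profiles and on cycles."""
    chain, seen = [], set()
    while True:
        if name not in profiles:
            raise KeyError(f"profile {name!r} not found")
        if name in seen:
            raise ValueError("source_profile cycle: " + " -> ".join(chain + [name]))
        seen.add(name)
        chain.append(name)
        src = profiles[name].get("source_profile")
        if src is None:
            return list(reversed(chain))
        name = src


def mfa_required(profiles, name):
    """MFA column of the table: prompted only when the executed profile
    itself carries mfa_serial (inferred from the table rows)."""
    return "mfa_serial" in profiles[name]


def accounts_in_chain(profiles, name):
    """Account IDs of every role assumed along the chain (ARN field 4)."""
    accounts = set()
    for profile in resolve_chain(profiles, name):
        arn = profiles[profile].get("role_arn")
        if arn:
            accounts.add(arn.split(":")[4])
    return accounts


def credential_plan(profiles, name, no_session=False):
    """Credentials column of the table, rebuilt from the config (rule inferred
    from the table): one 'role' step per role_arn hop, preceded by a
    session token unless --no-session and only when mfa_serial is set."""
    chain = resolve_chain(profiles, name)
    hops = ["role" for profile in chain if "role_arn" in profiles[profile]]
    if not no_session and mfa_required(profiles, name):
        hops = ["session-token"] + hops
    return " + ".join(hops) or "Long-term credentials"


if __name__ == "__main__":
    profiles = parse_aws_config(SAMPLE_CONFIG)
    for profile in ("jonsmith", "foo-readonly", "foo-admin", "bar-role2"):
        print(profile, resolve_chain(profiles, profile), credential_plan(profiles, profile),
              "MFA" if mfa_required(profiles, profile) else "no MFA")
```

Running it against your own ~/.aws/config (read the file instead of SAMPLE_CONFIG) is a quick way to spot a profile that reaches a privileged role without mfa_serial, or a chain that loops, before aws-vault is ever invoked.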

Development

The macOS release builds are code-signed to avoid extra prompts in Keychain. You can verify this with:

$ codesign --verify --verbose $(which aws-vault)

If you are developing or compiling the aws-vault binary yourself, you can generate a self-signed certificate by accessing Keychain Access > Certificate Assistant > Create Certificate -> Certificate Type: Code Signing. You can then sign your binary with:

$ go build .
$ codesign --sign <Name of certificate created above> ./aws-vault

References and Inspiration