• Stars
    star
    8,472
  • Rank 4,328 (Top 0.09 %)
  • Language
    Go
  • License
    MIT License
  • Created over 9 years ago
  • Updated 4 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A vault for securely storing and accessing AWS credentials in development environments

AWS Vault

Downloads Continuous Integration

AWS Vault is a tool to securely store and access AWS credentials in a development environment.

AWS Vault stores IAM credentials in your operating system's secure keystore and then generates temporary credentials from those to expose to your shell and applications. It's designed to be complementary to the AWS CLI tools, and is aware of your profiles and configuration in ~/.aws/config.

Check out the announcement blog post for more details.

Installing

You can install AWS Vault:

  • by downloading the latest release
  • on macOS with Homebrew Cask: brew install --cask aws-vault
  • on macOS with MacPorts: port install aws-vault
  • on Windows with Chocolatey: choco install aws-vault
  • on Windows with Scoop: scoop install aws-vault
  • on Linux with Homebrew on Linux: brew install aws-vault
  • on Arch Linux: pacman -S aws-vault
  • on Gentoo Linux: emerge --ask app-admin/aws-vault (enable Guru first)
  • on FreeBSD: pkg install aws-vault
  • on OpenSUSE: enable devel:languages:go repo then zypper install aws-vault
  • with Nix: nix-env -i aws-vault
  • with asdf-vm: asdf plugin-add aws-vault https://github.com/karancode/asdf-aws-vault.git && asdf install aws-vault <version>

Documentation

Config, usage, tips and tricks are available in the USAGE.md file.

Vaulting Backends

The supported vaulting backends are:

Use the --backend flag or AWS_VAULT_BACKEND environment variable to specify.

Quick start

# Store AWS credentials for the "jonsmith" profile
$ aws-vault add jonsmith
Enter Access Key Id: ABDCDEFDASDASF
Enter Secret Key: %%%

# Execute a command (using temporary credentials)
$ aws-vault exec jonsmith -- aws s3 ls
bucket_1
bucket_2

# open a browser window and login to the AWS Console
$ aws-vault login jonsmith

# List credentials
$ aws-vault list
Profile                  Credentials              Sessions
=======                  ===========              ========
jonsmith                 jonsmith                 -

# Start a subshell with temporary credentials
$ aws-vault exec jonsmith
Starting subshell /bin/zsh, use `exit` to exit the subshell
$ aws s3 ls
bucket_1
bucket_2

How it works

aws-vault uses Amazon's STS service to generate temporary credentials via the GetSessionToken or AssumeRole API calls. These expire in a short period of time, so the risk of leaking credentials is reduced.

AWS Vault then exposes the temporary credentials to the sub-process in one of two ways

  1. Environment variables are written to the sub-process. Notice in the below example how the AWS credentials get written out
    $ aws-vault exec jonsmith -- env | grep AWS
    AWS_VAULT=jonsmith
    AWS_DEFAULT_REGION=us-east-1
    AWS_REGION=us-east-1
    AWS_ACCESS_KEY_ID=%%%
    AWS_SECRET_ACCESS_KEY=%%%
    AWS_SESSION_TOKEN=%%%
    AWS_CREDENTIAL_EXPIRATION=2020-04-16T11:16:27Z
  2. Local metadata server is started. This approach has the advantage that anything that uses Amazon's SDKs will automatically refresh credentials as needed, so session times can be as short as possible.
    $ aws-vault exec --server jonsmith -- env | grep AWS
    AWS_VAULT=jonsmith
    AWS_DEFAULT_REGION=us-east-1
    AWS_REGION=us-east-1
    AWS_CONTAINER_CREDENTIALS_FULL_URI=%%%
    AWS_CONTAINER_AUTHORIZATION_TOKEN=%%%

The default is to use environment variables, but you can opt-in to the local instance metadata server with the --server flag on the exec command.

Roles and MFA

Best-practice is to create Roles to delegate permissions. For security, you should also require that users provide a one-time key generated from a multi-factor authentication (MFA) device.

First you'll need to create the users and roles in IAM, as well as setup an MFA device. You can then set up IAM roles to enforce MFA.

Here's an example configuration using roles and MFA:

[default]
region = us-east-1

[profile jonsmith]
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

[profile foo-readonly]
source_profile = jonsmith
role_arn = arn:aws:iam::22222222222:role/ReadOnly

[profile foo-admin]
source_profile = jonsmith
role_arn = arn:aws:iam::22222222222:role/Administrator
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

[profile bar-role1]
source_profile = jonsmith
role_arn = arn:aws:iam::333333333333:role/Role1
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

[profile bar-role2]
source_profile = bar-role1
role_arn = arn:aws:iam::333333333333:role/Role2
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

Here's what you can expect from aws-vault

Command Credentials Cached MFA
aws-vault exec jonsmith --no-session Long-term credentials No No
aws-vault exec jonsmith session-token session-token Yes
aws-vault exec foo-readonly role No No
aws-vault exec foo-admin session-token + role session-token Yes
aws-vault exec foo-admin --duration=2h role role Yes
aws-vault exec bar-role2 session-token + role + role session-token Yes
aws-vault exec bar-role2 --no-session role + role role Yes

Development

The macOS release builds are code-signed to avoid extra prompts in Keychain. You can verify this with:

$ codesign --verify --verbose $(which aws-vault)

If you are developing or compiling the aws-vault binary yourself, you can generate a self-signed certificate by accessing Keychain Access > Certificate Assistant > Create Certificate -> Certificate Type: Code Signing. You can then sign your binary with:

$ go build .
$ codesign --sign <Name of certificate created above> ./aws-vault

References and Inspiration

More Repositories

1

gqlgen

go generate based graphql server library
Go
9,940
star
2

colorific

Automatic color palette detection
Python
699
star
3

keyring

Go library providing a uniform interface across a range of secure credential stores
Go
579
star
4

iamy

A cli tool for importing and exporting AWS IAM configuration to YAML files
Go
238
star
5

phumbor

A minimal PHP helper for Thumbor
PHP
120
star
6

gqlgen-contrib

Add-ons for gqlgen
Go
85
star
7

cmdstalk

beanstalkd broker; run jobs as unix commands.
Go
73
star
8

aws-ecr-gc

Garbage collector for Amazon ECR docker registry
Go
48
star
9

http-signatures-php

Sign and verify PSR-7 HTTP messages in PHP.
PHP
44
star
10

goodies

A grab-bag of useful Go helper libraries
Go
32
star
11

ergo

A lightweight php5 library for request/response routing, controllers and http interaction.
PHP
29
star
12

httpsignatures-go

A golang http-signatures library
Go
28
star
13

clouddetect

Go package for resolving IP addresses back to published cloud provider public ranges
Go
27
star
14

gqlgen-workshop

Source for a workshop on generating GraphQL servers with gqlgen
Go
24
star
15

thumbor_botornado

Thumbor S3 backend based on botornado async client.
Python
21
star
16

http-signatures-ruby

Sign and verify HTTP messages in Ruby.
Ruby
21
star
17

basicauth-go

HTTP basic auth middleware for golang
Go
19
star
18

telemetry

Golang application monitoring middleware
Go
18
star
19

http-signatures-guzzlehttp

Guzzle 6 support for 99designs http-signatures library
PHP
12
star
20

simpletest

Unit testing, mock objects and web testing framework for PHP built around test cases.
PHP
11
star
21

ecs-upload-task

Upload an ecs task definition and optionally deploy it
Go
11
star
22

httpforwarder

Asynchronously forward HTTP requests
Go
10
star
23

protobuf-playground

Playground and generated docs for Protobuf files
TypeScript
8
star
24

php-desk

PHP client for desk.com API
PHP
7
star
25

dddk

Datadog Development Kit
TypeScript
7
star
26

smartling

Smartling is a library and cli tool for managing Smartling projects
Go
6
star
27

capistrano-rightscale

A Capistrano extension that maps Rightscale tags to Roles
Ruby
4
star
28

rightsignature-php

PHP wrapper around the RightSignature API
PHP
4
star
29

relax

A library for consuming simple REST services in PHP5.
PHP
3
star
30

silex-assets

An asset pipeline for Silex orchestrated by make
PHP
3
star
31

sera

A library for queuing and executing php5 tasks
PHP
3
star
32

http-signatures-guzzle

Guzzle 3 support for 99designs http-signatures library
PHP
2
star
33

cliph

A PHP5.3 library for testable CLI applications
PHP
2
star
34

scopecheck

Go linter checking access to a captured closure var when a closer one is available
Go
2
star
35

twirfony

Symfony support for Twirp
PHP
2
star
36

ergo-http

Http utils extracted from https://github.com/99designs/ergo
PHP
1
star
37

dddk-init

Scaffolding for dddk
TypeScript
1
star
38

sipht

A PHP client for the Sift Science REST API
PHP
1
star