
Keeping AWS Credentials Files Secret With AWS Vault

You know all those “accessKeys (9).csv” files lying around in your Downloads folder? And then there is the ~/.aws/credentials file, which is all in clear text?

I mean, we try to do everything as securely as possible, and yet the AWS CLI keeps these credentials on disk with no encryption at all.

Well, aws-vault by 99designs is a sweet little tool that lets you use your OS key/password manager to safely store AWS credentials.

Adding the credentials

aws-vault add pushbuildtestdeploy

For me, a Mac user, the default backend is the OS X Keychain. You can specify a different backend, such as a file, using the --backend flag.

At this point, if you don’t already have a profile in ~/.aws/config, aws-vault will create one for you.

Running aws-cli commands

By default, when you run the aws-vault command, it will pass on environment variables to the target command or shell.

You have two options when using the environment variable mode:

  1. Pass the aws-vault credentials to the command:

    aws-vault exec pushbuildtestdeploy -- aws eks list-clusters

  2. Open a child shell where you can type multiple commands without prefixing them with aws-vault:

    aws-vault exec pushbuildtestdeploy
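As an added example (not code from the original post or from the aws-vault project), here is a POSIX shell script for the clean-up check a move to aws-vault calls for: it lists the profiles in ~/.aws/credentials that still carry a long-lived IAM key (access key ID starting with AKIA), lists any leftover accessKeys*.csv downloads, and reports whether the current shell is running on the temporary session credentials that aws-vault exec hands to the child command (an ASIA key plus AWS_SESSION_TOKEN) or on a long-lived key someone exported by hand. The function names, the default paths and the sample key values are the script's own assumptions; only the profile name pushbuildtestdeploy comes from the post.

```shell
#!/bin/sh
# Added example, not from the original post or from aws-vault itself.
# Finds long-lived AWS keys still sitting around in plaintext
# (~/.aws/credentials profiles and IAM-console "accessKeys*.csv" downloads)
# and checks whether this shell runs on the temporary credentials that
# `aws-vault exec` injects into its child command or shell.

# Print the name of every profile in an AWS credentials file whose
# aws_access_key_id is a long-lived IAM key (prefix AKIA). Temporary
# STS keys (prefix ASIA) are skipped. One profile name per line.
plaintext_profiles() {
  file="$1"
  [ -r "$file" ] || return 0
  profile=""
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      \[*\])
        # section header such as [pushbuildtestdeploy]: strip the brackets
        profile=${line#?}
        profile=${profile%?}
        ;;
      *aws_access_key_id*=*AKIA*)
        [ -n "$profile" ] && printf '%s\n' "$profile"
        ;;
    esac
  done < "$file"
  return 0
}

# List the "accessKeys*.csv" files the IAM console hands out when you
# create an access key; each one is a plaintext copy of a secret key.
csv_key_files() {
  dir="$1"
  for f in "$dir"/accessKeys*.csv; do
    [ -f "$f" ] && printf '%s\n' "$f"
  done
  return 0
}

# Classify the credentials the current environment carries.
# Exit status: 0 = temporary session credentials (ASIA key plus session
# token, which is what `aws-vault exec` provides), 1 = a long-lived key
# exported directly, 2 = no AWS credentials in the environment at all.
credential_source() {
  if [ -z "${AWS_ACCESS_KEY_ID:-}" ]; then
    return 2
  fi
  case "$AWS_ACCESS_KEY_ID" in
    ASIA*)
      if [ -n "${AWS_SESSION_TOKEN:-}" ]; then
        return 0
      fi
      ;;
  esac
  return 1
}

# Human-readable report; paths default to the usual locations.
report() {
  creds="${1:-$HOME/.aws/credentials}"
  downloads="${2:-$HOME/Downloads}"
  plaintext_profiles "$creds" | while IFS= read -r p; do
    echo "plaintext long-lived key for profile '$p' in $creds; move it with: aws-vault add $p"
  done
  csv_key_files "$downloads" | while IFS= read -r f; do
    echo "downloaded key file still on disk: $f"
  done
  rc=0
  credential_source || rc=$?
  case "$rc" in
    0) echo "shell is using temporary session credentials" ;;
    1) echo "shell has a long-lived key exported directly; run commands under aws-vault exec instead" ;;
    2) echo "no AWS credentials in the environment (expected outside aws-vault exec)" ;;
  esac
}

# Usage: sh check_plaintext_keys.sh [credentials-file] [downloads-dir]
report "$@"
```

The script only reports; it deletes nothing, so removing the old plaintext copies once the keys are in the keychain is a manual step. Running it inside an `aws-vault exec pushbuildtestdeploy` shell should print the "temporary session credentials" line, because the child shell sees an ASIA key and a session token rather than the long-lived key.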

Using aws-vault to log in to the AWS Management Console

Another neat feature is that it allows you to open up the AWS management console from the command line:

aws-vault login pushbuildtestdeploy

Run it, and the browser will open the AWS console under the specified user.

If you work with multiple AWS accounts, this is a killer feature. Beats my old “chrome profiles + password managers” solution.


AWS-Vault also supports Multi-Factor Authentication (MFA): https://github.com/99designs/aws-vault/#roles-and-mfa
