You know all those “accessKeys (9).csv” files that are lying around in your Downloads folder? And then you have the ~/.aws/credentails file, that is all in clear text?
I mean, we are trying to do everything as securely as possible, but then AWS doesn’t have the minimal encryption for these credentials.
Well, aws-vault by 99 Designs is a sweet little tool that lets you use your OS key/password manager to safely store AWS credentials.
Adding the credentials
aws-vault add pushbuildtestdeploy
For me, a mac user, the default backend, is the OS X Keychain. You can specify a different backend, such as a file, using the –backend flag.
At this point, if you don’t already have a profile in ~/.aws/config, aws-vault will create one for you.
Running aws-cli commands
By default, when you run the aws-vault command, it will pass on environment variables to the target command or shell.
You have two options when using the environment variable mode:
Pass the aws-vault credentials to the command:
aws-vault exec pushbuildtestdeploy -- aws eks list-clusters
Open a child shell where you can type multiple commands without prefixing them with aws-vault:
aws-vault exec pushbuildtestdeploy
Using aws-vault to log in to the AWS Management Console
Another neat feature is that it allows you to open up the AWS management console from the command line:
aws login pushbuildtestdeploy
Run it, and the browser will open the AWS console under the specified user.
If you work with multiple AWS accounts, this is a killer feature. Beats my old “chrome profiles + password managers” solution.
AWS-Vault also supports Multi-Factor Authentication (MFA) - [https://github.com/99designs/aws-vault/#roles-and-mfa]