
Keeping AWS Credentials Files Secret With AWS Vault

You know all those “accessKeys (9).csv” files that are lying around in your Downloads folder? And then there is the ~/.aws/credentials file, which is all in clear text?

I mean, we try to do everything as securely as possible, yet AWS stores these credentials without even minimal encryption.

Well, aws-vault by 99 Designs is a sweet little tool that lets you use your OS key/password manager to safely store AWS credentials.

Adding the credentials

aws-vault add pushbuildtestdeploy

For me, a Mac user, the default backend is the OS X Keychain. You can specify a different backend, such as a file, using the --backend flag.

At this point, if you don’t already have a profile in ~/.aws/config, aws-vault will create one for you.
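Once the key pair lives in the vault, the plaintext copies that started this post (the ~/.aws/credentials file and stray accessKeys*.csv downloads) should be deleted. The check below is an added example, not part of aws-vault: it scans a directory for AWS access key IDs so you can find and remove such files. The directory layout, file names and key values it builds are constructed samples.

```shell
#!/bin/sh
# Added helper (not part of aws-vault): list files under a directory that
# still hold a plaintext AWS access key ID, so they can be deleted once the
# key pair has been moved into aws-vault.
#
# Access key IDs are 20 characters: a 4-letter prefix (AKIA = long-term user
# key, ASIA = temporary STS key) followed by 16 upper-case alphanumerics.
AWS_KEY_RE='(AKIA|ASIA)[0-9A-Z]{16}'

# Print the path of every regular file under $1 containing an access key ID.
find_plaintext_aws_keys() {
    dir=$1
    [ -d "$dir" ] || return 1
    # grep exits 1 when nothing matches; that is a clean result, not an error.
    grep -rlE "$AWS_KEY_RE" "$dir" 2>/dev/null || true
}

# Count such files; after migrating to aws-vault this should be zero.
count_plaintext_aws_keys() {
    find_plaintext_aws_keys "$1" | wc -l | tr -d ' '
}

# Build a throwaway home directory with constructed sample files to show the
# check in action. The key material below is fake.
make_sample_home() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/.aws" "$tmp/Downloads"
    printf '[pushbuildtestdeploy]\naws_access_key_id = AKIAEXAMPLEEXAMPLE01\naws_secret_access_key = exampleSecretKeyNotReal0000000000000\n' \
        > "$tmp/.aws/credentials"
    printf 'User name,Access key ID,Secret access key\nci,AKIAEXAMPLEEXAMPLE02,exampleSecretKeyNotReal0000000000001\n' \
        > "$tmp/Downloads/accessKeys (9).csv"
    # ~/.aws/config only names the profile; aws-vault keeps the secret in the keychain.
    printf '[profile pushbuildtestdeploy]\nregion = eu-west-1\n' > "$tmp/.aws/config"
    echo "$tmp"
}
```

Run it against your real home directory with `find_plaintext_aws_keys "$HOME"`; any hit is a file to delete after its key is in the vault.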

Running aws-cli commands

By default, when you run the aws-vault command, it passes the credentials to the target command or shell as environment variables.

You have two options when using the environment variable mode:

  1. Pass the aws-vault credentials to the command:

    aws-vault exec pushbuildtestdeploy -- aws eks list-clusters

  2. Open a child shell where you can type multiple commands without prefixing them with aws-vault:

    aws-vault exec pushbuildtestdeploy

Using aws-vault to log in to the AWS Management Console

Another neat feature is that it allows you to open up the AWS management console from the command line:

aws-vault login pushbuildtestdeploy

Run it, and the browser will open the AWS console under the specified user.

If you work with multiple AWS accounts, this is a killer feature. Beats my old “chrome profiles + password managers” solution.

MFA?

aws-vault also supports Multi-Factor Authentication (MFA); see https://github.com/99designs/aws-vault/#roles-and-mfa
