Configuring AWS Vault for Secure Credential Management on Linux
Managing AWS credentials securely is critical for developers and engineers. AWS Vault is a fantastic tool that enhances credential security by securely storing and accessing AWS credentials. Here's how to set up AWS Vault on a Linux system.
Note: I have not found a solution for a keychain backend setup. This guide focuses on using the file backend.
Why AWS Vault?
AWS Vault helps:
- Store credentials securely in an encrypted file.
- Avoid hardcoding or saving plain text AWS credentials.
- Use temporary session tokens to interact with AWS services.
Step 1: Install AWS CLI
Before installing AWS Vault, ensure the AWS CLI is set up on your system:
- Download the installation script:
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
-
Ensure
unzipis installed:- For Ubuntu/Debian:
sudo apt update && sudo apt install unzip -y
-
For Fedora/RHEL:
sudo dnf install unzip -y
- Extract the ZIP file:
unzip awscliv2.zip
- Run the installer:
sudo ./aws/install
- Verify the installation:
aws --version
The output should display the installed version of AWS CLI.
- Clean up temporary files:
rm awscliv2.zip
rm -r aws/
Step 2: Install AWS Vault
Install AWS Vault on Linux:
- Download AWS Vault binary:
sudo curl -L -o /usr/local/bin/aws-vault https://github.com/99designs/aws-vault/releases/latest/download/aws-vault-linux-amd64
- Set executable permissions:
sudo chmod 755 /usr/local/bin/aws-vault
- Verify installation:
aws-vault --version
Step 3: Configure AWS Vault
AWS Vault works with your AWS CLI configuration. Ensure you have the ~/.aws/config and ~/.aws/credentials files set up.
Use File Backend
Configure AWS Vault to use the file backend by setting the AWS_VAULT_BACKEND environment variable:
- Temporary Setting (For the current session only):
export AWS_VAULT_BACKEND=file
-
Permanent Setting (By adding it to ~/.bashrc or ~/.bash_profile):
echo "export AWS_VAULT_BACKEND=file" >> ~/.bashrc source ~/.bashrc
If your system uses ~/.bash_profile instead of ~/.bashrc, replace ~/.bashrc with ~/.bash_profile in the commands above.
By setting this variable permanently, AWS Vault will always use the file backend without requiring you to re-export the variable in new sessions.
Add a Profile
Add your AWS credentials to AWS Vault using the add command:
aws-vault add <profile-name>
This will prompt you to enter your AWS Access Key and Secret Key. The credentials will be securely stored in an encrypted file.
Next, configure the default AWS region for the profile using the AWS CLI:
aws configure set region <your-region> --profile <profile-name>
Replace <your-region> with the desired AWS region (e.g., ap-southeast-2) and <profile-name> with the profile name you added in aws-vault.
Optional Steps
You can also configure additional settings for your profile:
- Set the MFA serial:
aws configure set mfa_serial arn:aws:iam::<account-id>:mfa/<username> --profile <profile-name>
- Set the role arn:
aws configure set role_arn arn:aws:iam::<account-id>:role/<role-name> --profile <profile-name>
Replace <account-id> with your AWS account ID (e.g., 123456789012), <role-name> with the name of the IAM role you want to assume, and <profile-name> with the profile name you added in aws-vault.
- Set a role session name for better traceability:
aws configure set role_session_name <session-name> --profile <profile-name>
Purpose: The role_session_name provides a unique identifier for your session when assuming a role. It appears in AWS CloudTrail logs, making it easier to trace actions performed during the session.
Best Practices:
- Use a descriptive name that reflects the purpose of the session, such as
dev-sessionortest-session. - Ensure session names are unique to avoid confusion when tracking activities in logs.
Step 4: Test Your Setup
Test the configuration by running an AWS CLI command:
aws-vault exec <profile-name> -- aws sts get-caller-identity
This should return details of your AWS account, confirming that AWS Vault is correctly configured.
Conclusion
AWS Vault is an excellent tool for improving the security of AWS credential management. By storing credentials in an encrypted file, you can reduce the risks associated with plain-text storage.
Have feedback or tips? Share them in the comments below! 🚀
Top comments (0)