At globaldatanet we always advocate a strong authentication when interacting with the AWS APIi. We happily recognize that SSO is now a part of the AWS CLI Version 2, but in our projects we still have to handle local IAM API access keys for our development and our customers. To mitigate the drawback of storing sensitive date as cleartext in your credentials file, we use AWS-Vault to store and access the API keys in a secure way.
AWS Vault is an opensource tool published under the MIT license. It stores IAM credentials in your local securtiy store. AWS Vault supports security backends for Mac OS, Linux and Windows. It is using the stored credentials to request temporary credentials from Amazons's STS service. Temporary credentials have a limited lifetime which reduces the risk of leaking. The temporary credentials are then exposed as environment variables to the executed process.
$ brew cask install aws-vault Warning: Cask 'aws-vault' is already installed.
First you need to store new credentials in your vault.
test Enter Access Key ID: ABDCDEFDASDASF Enter Secret Access Key: 8TdTeIxTNunauw3ZlPhG72i9XU7j10HAFHJhzKY9 Added credentials to profile "test"
Execute any command.
$ aws-vault exec
test -- env
grep AWS AWS_VAULT=test AWS_DEFAULT_REGION=eu-central-1 AWS_REGION=eu-central-1 AWS_ACCESS_KEY_ID=%%% AWS_SECRET_ACCESS_KEY=%%% AWS_SESSION_TOKEN=%%% AWS_SECURITY_TOKEN=%%% AWS_SESSION_EXPIRATION=2020-03-24T15:15:40Z
For the full documentation check out the Github repository.
If you execute aws-vault without additional commands, it will start a new shell and expose the environment variables in this sub shell.
$ aws-vault exec
test $ grep
env AWS AWS_VAULT=test AWS_DEFAULT_REGION=eu-central-1 AWS_REGION=eu-central-1 AWS_ACCESS_KEY_ID=%%% AWS_SECRET_ACCESS_KEY=%%% AWS_SESSION_TOKEN=%%% AWS_SECURITY_TOKEN=%%% AWS_SESSION_EXPIRATION=2020-03-24T15:15:40Z
Further information and the source code can be found here: