This article will walk you through step-by-step procedures to secure AWS CLI credentials using the aws-vault
tool.
Why aws-vault
?
Configuring the AWS CLI saves the AWS access key and secret key in plain text format under ~/.aws/credentials
file. This is a security concern since the location is known, anybody can scan/look for the keys, and credentials can be compromised.
Hence, to store AWS keys more securely, we need some tool/software to keep the keys in encrypted format rather than plain text. We are discussing the aws-vault open-source tool widely used to secure AWS keys.
Also read: Setting up WSL for Sysadmin work.
How to install and configure aws-vault in WSL?
We will use the pass
as a secure backend for aws-vault while configuring it in WSL as the pass
is a native Linux password manager. The list of compatible secure backends for aws-vault
can be found here.
Install pass
utility in WSL. You can leverage package manager depending on your Linux flavour.
# apt install pass
The next step is to generate the gpg key. You will be prompted to enter a password for the key in this process. This password is necessary to unlock password storage for fetching the passwords within.
$ gpg --generate-key
...
GnuPG needs to construct a user ID to identify your key.
Real name: shrikant
Email address: info@kerneltalks.com
You selected this USER-ID:
"shrikant <info@kerneltalks.com>"
Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
...
pub rsa3072 2022-09-25 [SC] [expires: 2024-09-24]
110577AFEE906D84224719BCD0F123xxxxxxxxxx
uid shrikant <info@kerneltalks.com>
sub rsa3072 2022-09-25 [E] [expires: 2024-09-24]
Initiate the new password storage along with gpg key encryption. Use gpg key created in the previous step in the below command –
$ pass init -p aws-vault 110577AFEE906D84224719BCD0F123xxxxxxxxxx
mkdir: created directory '/root/.password-store/aws-vault'
Password store initialized for 110577AFEE906D84224719BCD0F123xxxxxxxxxx (aws-vault)
Now, the pass
backend is ready to use with aws-vault
.
Install aws-vault
. Simply grab the latest release from here. Move and rename it to one of the binary directories and assign execute permission.
$ wget https://github.com/99designs/aws-vault/releases/download/v6.6.0/aws-vault-linux-amd64
$ mv aws-vault-linux-amd64 /usr/local/sbin/aws-vault
$ chmod +x /usr/local/sbin/aws-vault
You have pass
configured and aws-
vault installed. Your system is ready to save the AWS credentials in aws-vault
.
By default, aws-vault
considers keyctl
backend. Export the below variables for configuring it with pass
backend. It’s good to export them in the login profile of WSL so that they will be exported for all your future shell sessions.
$ export AWS_VAULT_BACKEND=pass
$ export AWS_VAULT_PASS_PASSWORD_STORE_DIR=/root/.password-store/aws-vault
Add your AWS credentials in aws-vault
with the below command –
# aws-vault add my-aws-account
Enter Access Key ID: XXXXXXXXXXXXX
Enter Secret Access Key:
Added credentials to profile "my-aws-account" in vault
my-aws-account
is an account alias/name for identification purposes only.
Verify if aws-vault
saved the credentials in pass password storage.
$ pass show
Password Store
└── aws-vault
└── my-aws-account
At this point, you have successfully secured your AWS credentials, and you can safely remove ~/.aws/credentials
file. If you have more than one AWS account configured in the credentials file, add all of them into aws-vault before deleting it.
pass
saves the password storage in ~/.password-store
in encrypted format.
$ ls -lrt ~/.password-store/aws-vault/
total 8
-rw------- 1 root root 41 Sep 25 22:01 .gpg-id
-rw------- 1 root root 831 Sep 25 14:22 my-aws-account.gpg
How to use aws-vault?
When you want to run any command using AWS CLI, you can execute it like this –
$ aws-vault exec <profile-name> -- aws <cli-command>
# aws-vault exec my-aws-account -- aws s3 ls
Here: my-aws-account
is the AWS profile name. aws-
vault also reads the ~/.aws/config
file to figure out AWS profiles configured on the machine.
You can authenticate properly with credentials stored securely in the encrypted form! aws-vault
also handles the IAM role and MFA prompts defined in AWS profiles.
Error troubleshooting
gpg: decryption failed: No secret key
pass
password storage is locked and needs to be unlocked. Run pass show <password-name>
, and it should prompt for the gpg key password.
$ pass show my-aws-account
┌───────────────────────────────────────────────────────────────┐
│ Please enter the passphrase to unlock the OpenPGP secret key: │
│ "shrikant <info@kerneltalks.com>" │
│ 3072-bit RSA key, ID 0DB81DDFxxxxxxxx, │
│ created 2022-09-25 (main key ID D0F123Bxxxxxxxxx). │
│ │
│ │
│ Passphrase: _________________________________________________ │
│ │
│ <OK> <Cancel> │
└───────────────────────────────────────────────────────────────┘
Now, try the aws-vault
command, and it should work fine.
aws-vault: error: Specified keyring backend not available, try --help
Ensure you have exported both parameters mentioned in the above configuration steps so that aws-
vault will use the pass
backend.
aws-vault: error: exec: Failed to get credentials for kerneltalks-test: operation error STS: GetSessionToken, https response error StatusCode: 403, RequestID: e514d0e5-b8b6-4144-8616-05061eeed00c, api error SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
It points to the wrong access/secret key combination added to the secure vault. Delete the respective key from the vault and re-add it. If you lost your secret key, then re-create new pair from the AWS console and add it to the key-vault
.
$ aws-vault remove kerneltalks-test
Delete credentials for profile "kerneltalks-test"? (y|N) y
Deleted credentials.
$aws-vault add kerneltalks-test
Enter Access Key ID: xxxxxxxxxx
Enter Secret Access Key:
Added credentials to profile "kerneltalks-test" in vault
aws-vault: error: rotate: Error creating a new access key: operation error IAM: CreateAccessKey, https response error StatusCode: 403, RequestID: 2392xxxx-x452-4bd4-80c3-452403baxxxx, api error InvalidClientTokenId: The security token included in the request is invalid
If the profile is enabled with MFA and you are trying to run some IAM modification, then you should encounter the above error. Use --no-session
flag with the command. Read in-depth regarding the no-session flag here.