This article will walk you through step-by-step procedures to secure AWS CLI credentials using the
Configuring the AWS CLI saves the AWS access key and secret key in plain text format under
~/.aws/credentials file. This is a security concern since the location is known, anybody can scan/look for the keys, and credentials can be compromised.
Hence, to store AWS keys more securely, we need some tool/software to keep the keys in encrypted format rather than plain text. We are discussing the aws-vault open-source tool widely used to secure AWS keys.
Also read: Setting up WSL for Sysadmin work.
How to install and configure aws-vault in WSL?
We will use the
pass as a secure backend for aws-vault while configuring it in WSL as the
pass is a native Linux password manager. The list of compatible secure backends for
aws-vault can be found here.
pass utility in WSL. You can leverage package manager depending on your Linux flavour.
# apt install pass
The next step is to generate the gpg key. You will be prompted to enter a password for the key in this process. This password is necessary to unlock password storage for fetching the passwords within.
$ gpg --generate-key ... GnuPG needs to construct a user ID to identify your key. Real name: shrikant Email address: firstname.lastname@example.org You selected this USER-ID: "shrikant <email@example.com>" Change (N)ame, (E)mail, or (O)kay/(Q)uit? O ... pub rsa3072 2022-09-25 [SC] [expires: 2024-09-24] 110577AFEE906D84224719BCD0F123xxxxxxxxxx uid shrikant <firstname.lastname@example.org> sub rsa3072 2022-09-25 [E] [expires: 2024-09-24]
Initiate the new password storage along with gpg key encryption. Use gpg key created in the previous step in the below command –
$ pass init -p aws-vault 110577AFEE906D84224719BCD0F123xxxxxxxxxx mkdir: created directory '/root/.password-store/aws-vault' Password store initialized for 110577AFEE906D84224719BCD0F123xxxxxxxxxx (aws-vault)
pass backend is ready to use with
aws-vault. Simply grab the latest release from here. Move and rename it to one of the binary directories and assign execute permission.
$ wget https://github.com/99designs/aws-vault/releases/download/v6.6.0/aws-vault-linux-amd64 $ mv aws-vault-linux-amd64 /usr/local/sbin/aws-vault $ chmod +x /usr/local/sbin/aws-vault
pass configured and
aws-vault installed. Your system is ready to save the AWS credentials in
keyctl backend. Export the below variables for configuring it with
pass backend. It’s good to export them in the login profile of WSL so that they will be exported for all your future shell sessions.
$ export AWS_VAULT_BACKEND=pass $ export AWS_VAULT_PASS_PASSWORD_STORE_DIR=/root/.password-store/aws-vault
Add your AWS credentials in
aws-vault with the below command –
# aws-vault add my-aws-account Enter Access Key ID: XXXXXXXXXXXXX Enter Secret Access Key: Added credentials to profile "my-aws-account" in vault
my-aws-account is an account alias/name for identification purposes only.
aws-vault saved the credentials in pass password storage.
$ pass show Password Store └── aws-vault └── my-aws-account
At this point, you have successfully secured your AWS credentials, and you can safely remove
~/.aws/credentials file. If you have more than one AWS account configured in the credentials file, add all of them into aws-vault before deleting it.
pass saves the password storage in
~/.password-store in encrypted format.
$ ls -lrt ~/.password-store/aws-vault/ total 8 -rw------- 1 root root 41 Sep 25 22:01 .gpg-id -rw------- 1 root root 831 Sep 25 14:22 my-aws-account.gpg
How to use aws-vault?
When you want to run any command using AWS CLI, you can execute it like this –
$ aws-vault exec <profile-name> -- aws <cli-command> # aws-vault exec my-aws-account -- aws s3 ls
my-aws-account is the AWS profile name.
aws-vault also reads the
~/.aws/config file to figure out AWS profiles configured on the machine.
You can authenticate properly with credentials stored securely in the encrypted form!
aws-vault also handles the IAM role and MFA prompts defined in AWS profiles.
gpg: decryption failed: No secret key
pass password storage is locked and needs to be unlocked. Run
pass show <password-name> , and it should prompt for the gpg key password.
$ pass show my-aws-account ┌───────────────────────────────────────────────────────────────┐ │ Please enter the passphrase to unlock the OpenPGP secret key: │ │ "shrikant <email@example.com>" │ │ 3072-bit RSA key, ID 0DB81DDFxxxxxxxx, │ │ created 2022-09-25 (main key ID D0F123Bxxxxxxxxx). │ │ │ │ │ │ Passphrase: _________________________________________________ │ │ │ │ <OK> <Cancel> │ └───────────────────────────────────────────────────────────────┘
Now, try the
aws-vault command, and it should work fine.
aws-vault: error: Specified keyring backend not available, try --help
Ensure you have exported both parameters mentioned in the above configuration steps so that
aws-vault will use the
aws-vault: error: exec: Failed to get credentials for kerneltalks-test: operation error STS: GetSessionToken, https response error StatusCode: 403, RequestID: e514d0e5-b8b6-4144-8616-05061eeed00c, api error SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
It points to the wrong access/secret key combination added to the secure vault. Delete the respective key from the vault and re-add it. If you lost your secret key, then re-create new pair from the AWS console and add it to the
$ aws-vault remove kerneltalks-test Delete credentials for profile "kerneltalks-test"? (y|N) y Deleted credentials. $aws-vault add kerneltalks-test Enter Access Key ID: xxxxxxxxxx Enter Secret Access Key: Added credentials to profile "kerneltalks-test" in vault
aws-vault: error: rotate: Error creating a new access key: operation error IAM: CreateAccessKey, https response error StatusCode: 403, RequestID: 2392xxxx-x452-4bd4-80c3-452403baxxxx, api error InvalidClientTokenId: The security token included in the request is invalid
If the profile is enabled with MFA and you are trying to run some IAM modification, then you should encounter the above error. Use
--no-session flag with the command. Read in-depth regarding the no-session flag here.