How to securely store local AWS credentials

If you're accessing AWS using the aws command line tool, you likely already manage a set of credentials locally. Furthermore, your IAM account may also have enabled MFA authentication on your account, requiring a security token to be input in order to access you or your company's resources.

Solutions using scripts to re-authenticate and acquire new tokens have the disadvantage of needing to be re-exported into different terminal sessions, and the procedure can get cumbersome and repetitive. Furthermore, the presence of a local credential file is less ideal as it isn't encrypted.

A better solution for managing AWS credentials locally is to use aws-vault. This utility allows for management for a set of credentials for each profile specified in  ~/.aws/credentials. Furthermore, this program will store the active session token and correctly use it when other programs use aws utilities. Best of all, it can be set up to trigger re-authentication when your session token expires, minimizing disruption to your daily workflow.

Installation

aws-vault has installation packages provided, instructions can be found here.

For MacOS, it's available via homebrew:

brew install --cask aws-vault

When using aws-vault, it by default is going to create another keychain and store the credentials there - it's 'more secure',  but it's not actually necessary to have a second password. Specifying the login keychain lets you use the same keychain you use on login to MacOS and will prevent you from having to type your password over and over.

Set Up

aws-vault manages a set of credentials for each profile that specified in your ~/.aws/config.

Add a credential for the default profile:

aws-vault add default --keychain=login

Enter Access Key Id: MEOWMEOWMEOWIEHGK
Enter Secret Key: SkejfieoEiwoeneowiuofjoimeowmiaomeow

You'll see a prompt asking you to allow aws-vault to access the keychain - specify Always Allow.

aws-vault has created an entry in your login keychain with the requisite information to connect to AWS with that profile.

Most companies are also going to expect that you use MFA, so be sure that you specify this in your profile in ~/.aws/config:

[default]
mfa_serial = arn:aws:iam:12345678910:mfa/YourIAMUserName

In order to use aws-vault with the aws command, we have to specify a credential process in our ~/.aws/credentials file. We can remove the entries for our Access ID and Secret key under the profile and add the following:

[default]
credential_process = aws-vault exec default --keychain=login --duration=12h --json --prompt=osascript

Where the duration can be set to whatever your MFA policy is set to for your company/organization.

Testing

Test out the commands by running aws s3 ls or another aws command. You may see a prompt to allow aws-vault access to the login keychain, which you should select Always Allow. You'll then see a dialog box where you can enter your MFA code.

You can run aws-vault remove <profile> --sessions-only to revoke the session, if needed.

With this you'll no longer need to use hacky scripts to export your AWS session credentials into the terminal - every time AWS credentials are needed they'll use the stored session credentials in the keychain.

If you're using multiple profiles, add the profile to ~/.aws/config :

[default]
mfa_serial = arn:aws:iam:12345678910:mfa/YourIAMUserName

[profile secondary]
region=eu-west-1

And add another credential process to ~/.aws/credentials :

[default]
credential_process = aws-vault exec default --keychain=login --duration=12h --json --prompt=osascript

[secondary]
credential_process = aws-vault exec secondary --keychain=login --duration=24h --json --prompt=osascript

Keep in mind the --prompt option is optional if you're not using MFA for a profile.

Conclusion

Setting up aws-vault is easy and a huge productivity saver when using AWS resources.  Try it today!