Securely store and access credentials for AWS. AWS Vault stores IAM credentials in your operating systems secure keystore and then generates temporary credentials from those to expose to your shell and applications. It's designed to be complementary to the aws cli tools, and is aware of your profiles and configuration in
Currently OSX/Keychain and Linux/KWallet are supported, support for Linux's libsecret and Windows planned.
Download the latest release. The OSX release is code-signed, and you can verify this with
codesign -dvvv aws-vault.
$ aws-vault add home Enter Access Key Id: ABDCDEFDASDASF Enter Secret Key: % $ aws-vault exec default -- aws s3 ls bucket_1 bucket_2 $ aws-vault add work Enter Access Key Id: ABDCDEFDASDASF Enter Secret Key: % $ aws-vault exec work -- aws s3 ls another_bucket
Notice in the above how a session token gets written out. This is because
aws-vault uses Amazon's STS service
to generate temporary credentials them via the GetSessionToken or AssumeRole API calls. These expire in a short period of time, so the risk of leaking credentials is reduced.
The credentials are exposed to the subprocess in one of two ways, the default is to create a metadata server idential to what AWS EC2 instances retrieve IAM roles from, and exposing it to the subprocess via
HTTP_PROXY. This approach has the advantage that anything that uses Amazon's SDKs will automatically refresh credentials as needed, so session times can be as short as possible.
For things that don't support this approach, there is the
--write-env flag to
exec which will write out the environment variables, as was the default in earlier versions of
If you have an MFA device attached to your account, the STS service will generate session tokens that are invalid unless you provide an MFA code. To enable MFA for a profile, specify the MFA serial in
[profile default] mfa_serial=arn:aws:iam::123456789012:mfa/jonsmith
You can retrieve the MFA's serial (ARN) in the web console, or you can usually derive it pretty easily using the format `arn:aws:iam::[account-id]:mfa/[your-iam-username].
Note that if you have an account with an MFA associated, but you don't provide the IAM, you are unable to call IAM services, even if you have the correct permissions to do so.
Best-practice is to have a read-only account that you use on a day-to-day basis, and then use IAM roles to assume temporary admin privileges along with an MFA.
First you'll need to setup an MFA token in the AWS Console and create a role with admin access.
~/.aws/config to add the role_arn and MFA serial number into a new profile:
[profile read-only] region=us-east-1 [profile admin] mfa_serial = arn:aws:iam::123456789012:mfa/jonsmith source_profile = read-only role_arn = arn:aws:iam::123456789012:role/admin-access
Then when you use the
aws-vault will look in the
read-only profile's keychain for credentials and then use those credentials to assume the
admin role. This assumed role is stored as a short duration session in your keychain so you will only have to enter MFA once per session.
Developed with golang 1.5 with
GO15VENDOREXPERIMENT=1, to install:
export GO15VENDOREXPERIMENT=1 go get github.com/99designs/aws-vault
References and Inspiration
There is no documentation for this package.