Encrypt your local AWS credentials with aws-vault Sun, Jun 04, 2017

I want to start blogging again, so that means figuring out how my static site generator works again. Turns out its ruby dependencies have rotted, so I'm just gonna copy-paste the html to publish stuff.

Next step: redownload the content from S3. I wiped my laptop after I last published, so I no longer have the original AWS keys I used to post, and I took the opportunity to Do The Right Thing and put my new AWS keys straight into aws-vault's encrypted store.

Normally, to use AWS APIs from a workstation command line, you need to pass AWS credentials either via a plaintext config file or in environment variables, presumably sourced from a plaintext bashrc file or similar. This leaves your credentials exposed if some malware gets onto your machine and goes looking for AWS credentials, if your laptop is stolen and its hard drive isn't encrypted, or if it is encrypted but you were already logged in when it was stolen.

You could probably encrypt your AWS credentials file with GPG and have some wrapper script decrypt it whenever you use the AWS command line tools, but aws-vault makes this much more convenient. How it works:

  1. Download aws-vault and put it in your PATH. Since it's a Go app, it's a single self-contained binary, which is convenient. If you're running Arch Linux, it's also in the AUR.

  2. To add your credentials:

    $ aws-vault add my-profile
    Enter Access Key ID:
    Enter Secret Access Key:
    Enter passphrase to unlock /home/carlo/.awsvault/keys:

    The passphrase is the encryption key to encrypt and decrypt those credentials, so don't leave it blank.

  3. To use the credentials:

    $ aws-vault exec personal ./my-script-that-needs-aws-creds
    Enter passphrase to unlock /home/carlo/.awsvault/keys:

Now your credentials are no longer in plaintext at rest. For some extra protection, you can add these parameters:

  • --session-ttl - Defaults to 4h, but for increased security you can reduce that time. Conversely, if you get tired of recreating your aws-vault session you can increase it, though that also increases the window a bad guy has to use your creds if your machine gets stolen.

  • --mfa-token - If you have multi-factor auth enabled on your IAM account, you can pass those tokens into aws-vault.
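A wrapper around the steps above, added here as an example and not code from this post or from aws-vault itself: it scans the plaintext locations the post mentions (credentials file, shell rc files, environment) and, only if they are clean, hands a command to aws-vault with a short session TTL and an optional MFA token. The profile name, file paths and the fake aws-vault used in testing are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: look for long-lived AWS
# secrets sitting in plaintext (credentials file, shell rc files, env) and
# only run a command through aws-vault when none are found. Flag names are
# the ones the post uses (--session-ttl, --mfa-token); the profile name and
# file paths are assumptions.

SECRET_PAT='^[[:space:]]*(export[[:space:]]+)?aws_secret_access_key[[:space:]]*='

# Report every file that holds a plaintext secret access key.
# Returns 0 if nothing was found, 1 otherwise.
scan_plaintext_aws_creds() {
    found=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        # -i catches both "aws_secret_access_key = ..." (credentials file)
        # and "export AWS_SECRET_ACCESS_KEY=..." (bashrc style)
        if grep -iqE "$SECRET_PAT" "$f"; then
            echo "plaintext AWS secret in $f:"
            grep -inE "$SECRET_PAT" "$f"
            found=1
        fi
    done
    return "$found"
}

# run_with_vault PROFILE TTL MFA_TOKEN CMD...   (MFA_TOKEN may be "")
# Refuses to run while plaintext secrets exist; otherwise hands the command
# to aws-vault with a short session TTL so a stolen session expires soon.
run_with_vault() {
    profile=$1; ttl=$2; mfa=$3; shift 3
    if [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        echo "refusing: AWS_SECRET_ACCESS_KEY is set in the environment" >&2
        return 2
    fi
    if ! scan_plaintext_aws_creds "$HOME/.aws/credentials" \
            "$HOME/.bashrc" "$HOME/.profile" >&2; then
        echo "refusing: move the secret above into aws-vault first" >&2
        return 2
    fi
    if [ -n "$mfa" ]; then
        aws-vault exec --session-ttl "$ttl" --mfa-token "$mfa" "$profile" -- "$@"
    else
        aws-vault exec --session-ttl "$ttl" "$profile" -- "$@"
    fi
}

# Usage (assumed profile and bucket):
#   run_with_vault my-profile 1h "" aws s3 sync s3://my-bucket ./site
```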