AWS Vault Guide: Secure Your AWS Credentials

AWS Vault: Secure Your AWS Credentials Efficiently

AWS Vault is a powerful open-source tool by 99Designs that allows developers to store AWS credentials securely in their operating system’s keystore. By using AWS Vault, teams can prevent long-lived credentials from being exposed and streamline multi-account access. In this guide, we will explore how AWS Vault works, its integration with AWS services, and how it can enhance security for developers and organizations.

AWS Vault secures AWS credentials using temporary sessions and OS keystore for developers.

Understanding AWS Access Keys

AWS provides access keys, consisting of an aws_access_key_id and an aws_secret_access_key, to authenticate users and perform actions in AWS. For example, developers using Python can authenticate through the boto3 SDK:

import boto3

# Long-lived IAM user keys (placeholders). Hardcoding or pasting these into
# source is exactly the exposure AWS Vault is designed to avoid.
AWS_ACCESS_KEY_ID = "***"
AWS_SECRET_ACCESS_KEY = "***"

session = boto3.Session(
    region_name='us-east-1',
    aws_access_key_id=AWS_ACCESS_KEY_ID,
    aws_secret_access_key=AWS_SECRET_ACCESS_KEY,
)
session.client('s3').list_buckets()

Alternatively, the AWS CLI can store credentials in a configuration file:

$ cat ~/.aws/config

[default]
region=us-east-1
aws_access_key_id=***
aws_secret_access_key=***

$ aws s3 ls

While convenient, storing long-lived credentials in plain text is risky. Anyone with access to the device can steal them, potentially compromising the account. This is why temporary session tokens and secure credential storage are strongly recommended.

Session Tokens for Enhanced Security

Temporary session tokens provide a safer way to authenticate. These credentials expire after a set period, limiting the impact if stolen. AWS CLI can generate them with:

$ aws sts get-session-token
{
    "Credentials": {
        "AccessKeyId": "***",
        "SecretAccessKey": "***",
        "SessionToken": "***",
        ...
    }
}

However, this method still requires initial long-lived credentials. That’s where AWS Vault becomes essential.

AWS Security Token Service (STS) Overview

AWS STS allows the creation of temporary, limited-privilege credentials. These include an access key, secret access key, and session token, used to authenticate AWS API requests. Two common STS calls are:

GetSessionToken

  • Generates temporary credentials for an IAM user.
  • Can require MFA for additional security.

AssumeRole

  • Generates temporary credentials for an IAM role.
  • Supports MFA and cross-account access.

Feature                           GetSessionToken   AssumeRole
Used for                          IAM User          IAM Role
Requires long-lived credentials   Yes               No
Supports MFA                      Yes               Yes
Cross-account access              No                Yes
Maximum session duration          36 hours          12 hours

How AWS Vault Improves Security

AWS Vault eliminates the need to store long-lived credentials in plain text. According to the AWS Vault documentation:

“AWS Vault stores IAM credentials in your operating system’s secure keystore and generates temporary credentials from those to expose to your shell and applications.”

In practical terms:

  1. AWS Vault saves credentials encrypted in the OS keystore.
  2. It generates temporary session credentials for shell and application use.
  3. Even if temporary credentials are stolen, they expire quickly.

Using AWS Vault

To store credentials securely, run:

$ aws-vault add some-developer
Enter Access Key Id: ***
Enter Secret Access Key: ***

On macOS, credentials are stored encrypted in Keychain Access under ‘Custom Keychains.’ Later, temporary credentials are generated and exposed via environment variables:

$ aws-vault exec some-developer -- env | grep AWS
AWS_ACCESS_KEY_ID=***
AWS_SECRET_ACCESS_KEY=***
AWS_SESSION_TOKEN=***

AWS Vault with Multi-Account Patterns

A common practice is using a single management AWS account for IAM users and separate accounts for dev, staging, and production environments. Each environment has IAM roles assumed by the management account users.

This pattern ensures:

  • Resource isolation between environments.
  • Easier cost monitoring and budgeting.
  • Stronger security, especially for production data.

For example, an AWS configuration file may look like:

[default]
region = us-east-1
mfa_serial = arn:aws:iam::1000:mfa/some-developer

[profile some-developer]
credential_process = aws-vault export --format=json some-developer

[profile dev]
role_arn = arn:aws:iam::2000:role/Admin
source_profile = some-developer

[profile staging]
role_arn = arn:aws:iam::3000:role/ReadOnly
source_profile = some-developer

[profile prod]
role_arn = arn:aws:iam::4000:role/ReadOnly
source_profile = some-developer

AWS Vault reads source_profile and role_arn to assume roles in other accounts using the same session token. MFA is requested only once per session, simplifying secure environment switching.

$ aws-vault exec dev -- aws lambda invoke --function-name some-function --payload '{}'
$ aws-vault exec staging -- aws lambda list-functions
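As an added example (not code from the guide or the aws-vault project), the following Python resolver reads a config like the one above and derives the credential chain each profile implies: the credential_process that seeds it, the role_arn handed to STS AssumeRole, and the mfa_serial and region inherited from [default]. The sample config is constructed inline and no AWS call is made.

```python
import configparser
from dataclasses import dataclass
from typing import Optional

# Constructed sample config mirroring the guide's multi-account layout.
SAMPLE_CONFIG = """
[default]
region = us-east-1
mfa_serial = arn:aws:iam::1000:mfa/some-developer

[profile some-developer]
credential_process = aws-vault export --format=json some-developer

[profile dev]
role_arn = arn:aws:iam::2000:role/Admin
source_profile = some-developer
"""

@dataclass
class CredentialPlan:
    profile: str
    source_profile: str          # profile whose credentials seed the chain
    credential_process: str      # command that yields the base credentials
    role_arn: Optional[str]      # role to assume via STS AssumeRole, if any
    mfa_serial: Optional[str]    # MFA device prompted for once per session
    region: Optional[str]

def load_profiles(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp

def _section(cp: configparser.ConfigParser, name: str):
    # ~/.aws/config names every profile except 'default' as '[profile NAME]'.
    return cp[name if name == "default" else f"profile {name}"]

def resolve(cp: configparser.ConfigParser, name: str) -> CredentialPlan:
    # Derive the credential chain a profile implies; no AWS calls are made.
    sec = _section(cp, name)
    default = cp["default"] if cp.has_section("default") else {}
    source = sec.get("source_profile", name)
    proc = _section(cp, source).get("credential_process")
    if not proc:
        raise ValueError(f"{source}: no credential_process; long-lived keys would be needed")
    if source != name and "role_arn" not in sec:
        raise ValueError(f"{name}: source_profile set but no role_arn to assume")
    return CredentialPlan(name, source, proc, sec.get("role_arn"),
                          sec.get("mfa_serial", default.get("mfa_serial")),
                          sec.get("region", default.get("region")))
```

A profile that names a source_profile without a role_arn, or whose source has no credential_process, is rejected, since either would silently fall back to long-lived keys.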

AWS Vault and ZippyOPS Services

Organizations looking to enhance cloud security and operational efficiency can leverage ZippyOPS. ZippyOPS provides consulting, implementation, and managed services across DevOps, DevSecOps, DataOps, Cloud, Automated Ops, AIOps, MLOps, Microservices, Infrastructure, and Security. By combining AWS Vault with ZippyOPS expertise, teams can achieve:

  • Secure credential management.
  • Automated role assumption and multi-account access.
  • Integration with modern infrastructure and security practices.

Conclusion

AWS Vault is an essential tool for developers and organizations to secure AWS credentials, manage temporary sessions, and simplify multi-account access. Using it alongside industry best practices, such as multi-account AWS patterns, greatly enhances both security and operational efficiency.

For organizations seeking expert guidance, ZippyOPS offers consulting, implementation, and managed services. Reach out for a consultation at sales@zippyops.com to learn how your team can adopt AWS Vault and optimize cloud operations.
