Playing Around with AWS-Vault for Fun & Profit

By Ohav Almog

Updated July 8, 2024.


Introduction

AWS-Vault is an excellent open-source tool by 99Designs that enables developers to store AWS credentials in their machine keystore securely. After using it for a while at Jit, I decided to dig deeper into how it works and learned a lot along the way. In this article, I will summarize and simplify the information I learned to help others with their aws-vault adoption and lower the barrier to usage.

I will start with a basic explanation of AWS access keys, the Security Token Service (STS), and its most useful API calls. Then I will show how aws-vault uses STS to provide a secure way to access AWS resources, reducing the risk of exposing AWS credentials. In addition, I will present a typical AWS multi-account pattern, and again we'll see how aws-vault works perfectly with it.

AWS Access Keys

AWS makes it possible to create a set of access keys for a specific IAM user (these are called aws_access_key_id and aws_secret_access_key). With these keys, it's possible to authenticate to AWS and perform actions on behalf of that user.

When using Python, for example, it's possible to use the boto3 library, which is the AWS Software Development Kit for Python, to authenticate to AWS:

With such a configuration file, long-lived credentials are stored in plain text on the user's machine. That's a security risk, as anyone with access to the device or the file can steal the credentials to perform actions on behalf of the user.

That is why developers and teams have moved on to more secure authentication practices, such as using session tokens.

Session Tokens

But hang on a minute: this example still uses the long-lived credentials to authenticate to STS and obtain the temporary credentials. So, how could this possibly solve the problem of having unencrypted long-lived credentials on a user's machine?

That is where aws-vault comes in. But just before diving into aws-vault, let's first look at the popular STS API calls.

AWS STS

STS, which stands for AWS Security Token Service, is a web service that enables you to request temporary, limited-privilege credentials for AWS IAM users or IAM roles. All temporary credentials consist of an access key ID, a secret access key, and a session token. These three credentials are then used to sign requests to any AWS service.

GetSessionToken

GetSessionToken is an API call that fetches temporary credentials for an IAM user. The simplest example is a user using their long-lived credentials to request temporary credentials (for any reason). A widespread use case for this API call is a user who wants to authenticate to AWS using MFA: if MFA is used in the call, the received temporary credentials can be used to access APIs that require MFA authentication.

AWS Vault

Now let's see where AWS Vault comes in to add a layer of security, preventing the storage of long-lived credentials in regular system files.

Copied from the project’s README:

For instance, on macOS the credentials are stored encrypted in the Keychain Access app and can be viewed under "Custom Keychains".

The session credentials are also stored in the same keychain to be used until they expire.



A developer in such an organization will probably have an AWS configuration file that looks like this:

This is where the beauty of aws-vault, together with this pattern, comes in. At first glance, one might expect aws-vault to request a session token for each environment, since each one is a separate profile in a different AWS account. But, if you remember the previous section, GetSessionToken requests credentials for an IAM user, not for an IAM role. And in this case, the developer only has one user, which exists in the management account.



Usually, these roles will have a trust-policy condition requiring MFA in order to be assumed. So, why isn't the MFA prompt shown each time the developer switches between environments? That's because a session token that was created using MFA can be used to assume a role that requires MFA, and aws-vault is smart enough to know that both roles are reached through the same IAM user and the same MFA device, so it reuses the cached session.
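To make the two preceding points concrete (one IAM user in the management account, several role profiles pointing back to it via source_profile, and one MFA-backed session shared by all of them), here is an added example that is not part of the original post or of aws-vault itself. It parses a constructed ~/.aws/config in the pattern described above and groups profiles by the (source user, MFA device) pair they resolve to; the resolution rule (mfa_serial taken from the profile or, failing that, inherited from its source profile) is an assumption for illustration, not aws-vault's exact implementation, and all account IDs and ARNs are placeholders.

```python
import configparser
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample ~/.aws/config: one IAM user (management) with an MFA
# device, and one role per environment account. Placeholder IDs/ARNs only.
SAMPLE_CONFIG = """
[profile management]
region = us-east-1
mfa_serial = arn:aws:iam::111111111111:mfa/jane

[profile dev]
source_profile = management
role_arn = arn:aws:iam::222222222222:role/Developer

[profile prod]
source_profile = management
role_arn = arn:aws:iam::333333333333:role/Developer
"""

@dataclass(frozen=True)
class Chain:
    profile: str                 # profile being resolved
    source: str                  # IAM-user profile whose keys start the chain
    mfa_serial: Optional[str]    # MFA device that protects the session token
    role_arn: Optional[str]      # role assumed with that session, if any

def load_profiles(text: str) -> Dict[str, Dict[str, str]]:
    """Parse AWS CLI config; '[profile x]' and bare '[default]' both map to a name."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {s[8:] if s.startswith("profile ") else s: dict(cp[s]) for s in cp.sections()}

def resolve_chain(profiles: Dict[str, Dict[str, str]], name: str, _seen: Tuple[str, ...] = ()) -> Chain:
    """Follow source_profile links to the IAM-user profile, inheriting mfa_serial (assumed rule)."""
    if name in _seen:
        raise ValueError(f"source_profile cycle at {name!r}")
    p = profiles[name]
    src = p.get("source_profile")
    if src is None:  # no parent: this profile holds the user's own keys
        return Chain(name, name, p.get("mfa_serial"), p.get("role_arn"))
    parent = resolve_chain(profiles, src, _seen + (name,))
    return Chain(name, parent.source, p.get("mfa_serial") or parent.mfa_serial, p.get("role_arn"))

def session_token_groups(profiles: Dict[str, Dict[str, str]]) -> Dict[Tuple[str, Optional[str]], List[str]]:
    """Profiles sharing one (user, MFA device) pair can reuse a single GetSessionToken result."""
    groups: Dict[Tuple[str, Optional[str]], List[str]] = {}
    for name in profiles:
        c = resolve_chain(profiles, name)
        groups.setdefault((c.source, c.mfa_serial), []).append(name)
    return groups

if __name__ == "__main__":
    for key, names in session_token_groups(load_profiles(SAMPLE_CONFIG)).items():
        print(f"user={key[0]} mfa={key[1]} -> one MFA prompt serves {names}")
```

With the sample config every profile lands in a single group, which is exactly why only one MFA prompt is needed when switching between dev and prod.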

Wrap Up

AWS-Vault is a powerful open-source tool that adds a much-needed layer of security for AWS users and developers. It is also built on top of the classic AWS config file, which avoids extra configuration and usage pains.

I hope the examples provided will help you ramp up aws-vault more quickly and unleash the security capabilities this tool offers AWS users.