Configuring AWS Vault with the Pass Backend for Secure Credential Management on Linux
Managing AWS credentials securely is critical for developers and engineers. AWS Vault is a fantastic tool that enhances credential security by securely storing and accessing AWS credentials. Here's how to set up AWS Vault on a Linux system using the pass backend.
Note: This guide focuses on configuring AWS Vault with the
passbackend for enhanced security and integration with your Linux system.
Why AWS Vault?
AWS Vault helps:
- Store credentials securely using the
passbackend. - Avoid hardcoding or saving plain text AWS credentials.
- Use temporary session tokens to interact with AWS services.
Step 1: Install AWS CLI
Before installing AWS Vault, ensure the AWS CLI is set up on your system:
- Download the installation script:
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
-
Ensure
unzipis installed:- For Ubuntu/Debian:
sudo apt update && sudo apt install unzip -y
-
For Fedora/RHEL:
sudo dnf install unzip -y
- Extract the ZIP file:
unzip awscliv2.zip
- Run the installer:
sudo ./aws/install
- Verify the installation:
aws --version
The output should display the installed version of AWS CLI.
- Clean up temporary files:
rm awscliv2.zip
rm -r aws/
Step 2: Install AWS Vault
Install AWS Vault on Linux:
- Download AWS Vault binary:
sudo curl -L -o /usr/local/bin/aws-vault https://github.com/99designs/aws-vault/releases/latest/download/aws-vault-linux-amd64
- Set executable permissions:
sudo chmod 755 /usr/local/bin/aws-vault
- Verify installation:
aws-vault --version
Step 3: Configure the pass Backend and Initialize
To use the pass backend with AWS Vault, first set the AWS_VAULT_BACKEND environment variable:
export AWS_VAULT_BACKEND=pass
Pinentry and pass are required for GPG key generation. Ensure that both programs are installed and configured:
-
Install
pinentry:- For Ubuntu/Debian:
sudo apt update && sudo apt install pinentry-tty -y- For Fedora/RHEL:
sudo dnf install pinentry -y -
Install
pass:- For Ubuntu/Debian:
sudo apt update && sudo apt install pass -y- For Fedora/RHEL:
sudo dnf install pass -y Configure GPG to use the installed pinentry:
echo "pinentry-program /usr/bin/pinentry" >> ~/.gnupg/gpg-agent.conf
gpgconf --kill gpg-agent
gpgconf --launch gpg-agent
If you don't have a GPG key, generate one:
gpg --generate-key
Follow the prompts to create a new key.
Automatically initialize pass using the first available GPG key:
gpg --list-keys --with-colons | awk -F: '/^pub/ {print $5; exit}' | xargs -I {} pass init {}
This command extracts the first GPG key ID from your keyring and initializes pass. Ensure you have at least one GPG key configured.
Step 4: Add a Profile
Add your AWS credentials to AWS Vault using the add command:
aws-vault add <profile-name>
This will prompt you to enter your AWS Access Key and Secret Key. The credentials will be securely stored in an encrypted file.
Next, configure the default AWS region for the profile using the AWS CLI:
aws configure set region <your-region> --profile <profile-name>
Replace <your-region> with the desired AWS region (e.g., ap-southeast-2) and <profile-name> with the profile name you added in aws-vault.
Optional Steps
You can also configure additional settings for your profile:
- Set the MFA serial:
aws configure set mfa_serial arn:aws:iam::<account-id>:mfa/<username> --profile <profile-name>
- Set the role arn:
aws configure set role_arn arn:aws:iam::<account-id>:role/<role-name> --profile <profile-name>
Replace <account-id> with your AWS account ID (e.g., 123456789012), <role-name> with the name of the IAM role you want to assume, and <profile-name> with the profile name you added in aws-vault.
- Set a role session name for better traceability:
aws configure set role_session_name <session-name> --profile <profile-name>
Purpose: The role_session_name provides a unique identifier for your session when assuming a role. It appears in AWS CloudTrail logs, making it easier to trace actions performed during the session.
Best Practices:
- Use a descriptive name that reflects the purpose of the session, such as
dev-sessionortest-session. - Ensure session names are unique to avoid confusion when tracking activities in logs.
Step 5: Test Your Setup
Test the configuration by running an AWS CLI command:
aws-vault exec <profile-name> -- aws sts get-caller-identity
This should return details of your AWS account, confirming that AWS Vault is correctly configured.
Note: During this process, gpg may prompt you to enter the password for your GPG key. Ensure you remember the password you set during the GPG key creation.
Ensure the pass backend is functioning correctly, and no credential-related errors occur during this test.
Conclusion
AWS Vault is an excellent tool for improving the security of AWS credential management. By storing credentials securely using the pass backend, you can enhance security and integration with your operating system.
Note: If prompted for your GPG key password during use, it is a normal security measure to ensure only authorized access to your credentials.
If you attempt the pass backend, please share your feedback or tips for others exploring this setup. 🚀
Top comments (0)