vault-aws-credentials-helper is a simple CLI tool that provides the ability to generate dynamic AWS credentials using the HashiCorp Vault's AWS secret engine and integrate seamlessly with the AWS CLI to retrieve dynamic and short-lived credentials. Short-lived credentials enforce security and reduce the risk of a credential leak or corruption.
To learn more about how the credentials are provided to the AWS CLI, please refer to the official AWS documentation: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html.
Currently, the tool supports only the generation of STS AssumeRole credentials.
The support for STS Federation Tokens and IAM Users will be available in a future version.
To be able to use a secret engine in Vault, you must be able to retrieve an authentication token from it. Vault supports a lot of authentication methods, and below the list of the supported authentication method in the tool currently:
You can install vault-aws-credentials-helper easily using go install:
go install github.com/thomasgouveia/[email protected] # Pin the version you wantOr you can download pre-compiled binary from the releases page.
For the following section, we assume that you have a working Vault instance on http://localhost:8200 and that the instance is correctly configured to issue AWS credentials using a Vault role called developer and with the authentication method userpass enabled.
You can retrieve the commands required to deploy a such configuration locally in the examples folder.
The
vault-aws-credentials-helpercan be used without the AWS CLI for development and test purposes. For production use, you must configure your AWS CLI to use it.
Run the following command to test the issuance of credentials with different parameters:
vault-aws-credentials-helper --vault.addr http://localhost:8200 --vault.auth-method userpass --userpass.username john.smith --userpass.password mysuperpassword --aws.role developer --aws.ttl 30mYou should have the following output:
{
"Version": 1,
"AccessKeyId": "<REDACTED>",
"SecretAccessKey": "<REDACTED>",
"SessionToken": "<REDACTED>",
"Expiration": "2023-06-11T22:43:22.017Z"
}See next section or use the flag --help for more information about flags used.
Create a new profile in your ~/.aws/config to indicate the AWS CLI to use an external process to retrieve credentials :
# ~/.aws/config
# ...
[profile developer]
credential_process = /path/to/binary/vault-aws-credentials-helper --vault.addr http://localhost:8200 --vault.auth-method userpass --userpass.username john.smith --userpass.password mysuperpassword --aws.role developer --aws.ttl 30m
# ...In the above command, we use different flags:
--vault.addr: The Vault address to connect.--vault.auth-method: The authentication method to use to login to Vault.--userpass.username: The username of the user to authenticate.--userpass.password: The password of the user to authenticate.--aws.role: The name of the AWS backend role to use to generate credentials.--aws.ttl: The TTL of the credentials.
If you have used the configuration of the example given, the developer role allows you to access EC2 only in region eu-west-3. Let's test this by executing the AWS CLI command:
aws ec2 describe-instances --region eu-west-3 --profile developer
# Should work! Output redacted.If we update the region to eu-west-1, we are not allowed to access EC2:
aws ec2 describe-instances --region eu-west-1 --profile developer
# An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation.Please refer to the following CONTRIBUTING.md file for contribution guidelines.
This project is MIT licensed.