If you’ve been working with AWS for any period of time, you’ll likely have encountered the need to manage your Cloud infrastructure programmatically from your laptop or Mac.
Maybe you use the AWS Command Line Interface (CLI)? You might be using the AWS CDK or a Terraform project? Or maybe you have that script left behind by the guy who left five years ago which is central to all of your deployment processes?
Either way, a common thread running through all of these use-cases is the need to authenticate to AWS in order to proceed with your day.
In this blog, we will examine how you can simplify your authentication flow, whilst making a significant improvement to your Organisation’s security posture, using some free AWS Services and 3rd Party Tooling.
Typical Authentication Flow
Most of us start out by creating what is termed a “Default Profile” for our AWS Credentials.
This is essentially a pair of unique access keys, known as the “Access Key” and “Secret Key”, which when combined during the authentication process, uniquely identify our IAM User to AWS, and enable us to manage our infrastructure via whatever tool we desire.
If you are a macOS or Linux user, these keys will typically be stored in a file on disk at:
If you are a Windows user, these keys will typically be stored in a file on disk at:
- Simple to configure for a single AWS Account
- Authentication to AWS can be entirely transparent to the end-user
- Long-term credentials are stored on the local disk of your laptop in plain-text, which can lead to credential leakage and present a security risk
- Complex to configure when you are Well-Architected and have more than one AWS Account
AWS Vault SSO Authentication Flow
With AWS Single-Sign-On (AWS SSO), you can streamline your authentication flow and improve your security posture using an Open Source 3rd Party tool called AWS Vault.
AWS Vault uses the AWS SSO Service to generate temporary credentials, which are then persisted into your operating system's credential manager (e.g. macOS Keychain or Windows Credential Manager) rather than into a plain-text file on disk.
This means that your Access Key and Secret Key, rather than being statically persisted to the disk of your laptop for days, weeks, or even years, are rotated at least daily (the precise rotation frequency will depend on how your administrator has configured AWS SSO).
In this example, we will assume you already have AWS Vault installed, and will focus on how to configure AWS Vault to use AWS SSO; if you need guidance on how to install AWS Vault, please check out the appendix at the end of this blog post.
First, we need to gather a few details about our AWS Environment:
- The AWS SSO Login URL for your company or organisation – this will typically be in the format: https://<YourCompany>.awsapps.com/start
- The AWS Region in which AWS SSO has been configured for your company or organisation – your AWS administrator should be able to advise you on this
- The AWS Region which you wish to default to for your commands; it’s a good idea to configure this to the AWS Region you use primarily – e.g. eu-west-1 (Ireland) or eu-west-2 (London)
- The 12-digit AWS Account number (ID) of the AWS Account which you wish to authenticate to
- The name of the AWS SSO Role which you wish to authenticate with to the AWS Account determined previously
If you are unsure of the 12-digit AWS Account number and / or the name of the AWS SSO Role, you can typically determine these by logging into the AWS SSO Login Portal as shown below.
In our example, we can see that the AWS SSO Role is “AdministratorAccess” and the AWS Account number ends in “6682”.
Using your favourite text editor, open the following file (you may need to create this file first, if it does not already exist):
If you are a macOS or Linux user:
If you are a Windows user:
We are now going to add a “Profile” for each AWS Account to which we wish to connect, at the end of the configuration file, using the following syntax (the profile name is the short name you will later pass to AWS Vault):
[profile <Profile Name>]
sso_start_url=<AWS SSO Login URL>
sso_region=<AWS SSO Region>
region=<Your default AWS Region>
sso_account_id=<AWS Account Number to connect to>
sso_role_name=<AWS SSO Role Name>
Using our example from the screenshot above, if we assume that our AWS administrator has configured AWS SSO in Ireland (eu-west-1) but our infrastructure resides in London (eu-west-2) we would construct a Profile thus:
If you have multiple AWS Accounts (e.g. one for Production, one for Development, one for Security, etc.) you must create a separate Profile for each AWS Account. You might end up with a configuration file looking similar to the following:
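As an added example (not code from the original post or from the AWS Vault project), the following POSIX shell helper appends one SSO profile stanza per account to a config file, refusing malformed account numbers and duplicate profile names. The company URL, account numbers and role names are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate one AWS SSO profile stanza per account and
# sanity-check the inputs. All names, URLs and account IDs are constructed.

# add_sso_profile FILE NAME START_URL SSO_REGION REGION ACCOUNT_ID ROLE
add_sso_profile() {
  file=$1; name=$2; start_url=$3; sso_region=$4; region=$5; account=$6; role=$7
  # AWS account IDs are exactly 12 digits; refuse anything else up front.
  case $account in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "invalid account id: $account" >&2; return 1 ;;
  esac
  # A duplicate [profile ...] header would silently shadow the earlier one.
  if grep -qFx "[profile $name]" "$file" 2>/dev/null; then
    echo "profile $name already exists" >&2; return 1
  fi
  printf '[profile %s]\nsso_start_url=%s\nsso_region=%s\nregion=%s\nsso_account_id=%s\nsso_role_name=%s\n\n' \
    "$name" "$start_url" "$sso_region" "$region" "$account" "$role" >> "$file"
}

# count_profiles FILE -> number of [profile ...] stanzas in FILE
count_profiles() { grep -c '^\[profile ' "$1"; }

# Demo: SSO configured in Ireland, workloads in London (constructed values).
CFG=$(mktemp)
URL=https://example-company.awsapps.com/start
add_sso_profile "$CFG" waf  "$URL" eu-west-1 eu-west-2 111111111111 AdministratorAccess
add_sso_profile "$CFG" dev  "$URL" eu-west-1 eu-west-2 222222222222 PowerUserAccess
add_sso_profile "$CFG" prod "$URL" eu-west-1 eu-west-2 333333333333 ReadOnlyAccess
cat "$CFG"
```

Point it at a copy of your real config file only once you are happy with the output.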
We are now ready to authenticate to AWS using AWS Vault! The AWS Vault command syntax we will use is:
aws-vault exec <Profile Name> <Command>
In our example, we are going to use the AWS CLI to list all S3 Buckets in a profile we have defined called “waf” (our Well-Architected example account):
aws-vault exec waf aws s3 ls
When we issue the AWS Vault command, per the message in our terminal, it will trigger a redirect in our default web browser to an AWS SSO sign-in page (see below). When prompted, you must click “Sign In to AWS CLI” to complete the authentication process.
All Users Note: You will not be prompted with this redirect every time you run AWS Vault, but only periodically when your AWS SSO session expires (the duration is configured by your AWS administrator).
macOS Users Note: You may be prompted to enter a password for the “aws-vault keychain” (see below). This is an additional layer of security to protect the temporary credentials; ensure you keep a careful note of the password you choose for this Keychain, as you will be periodically prompted to re-enter it when working with AWS Vault.
Once you are happy that AWS Vault is working for you, don’t forget you can retire that Access Key and Secret Key pair that have been lurking on your hard disk and / or shared around the office on a sticky note for the last few months.
To keep things safe, we always recommend you disable your Access Key and Secret Key pair within the AWS IAM Console for at least a couple of weeks before you delete them; this allows you to easily reinstate the Keys if you discover they have a critical use elsewhere.
We hope you have found this article on AWS Single-Sign-On and AWS Vault useful, and that it has helped you take the next step towards becoming Well-Architected by improving your security posture. Perhaps you could encourage your wider team to adopt the tool, and longer-term even look to remove all long-term Access Keys and Secret Keys?
Alternatively, if you would like to learn more from a real human being (remember what they look like?), feel free to reach out to us at Ubertas Consulting. We are a team of highly skilled, experienced and certified consultants – as well as being an AWS Trusted Partner – who can offer tailored advice for all manner of AWS implementations, migrations and modernisations. We’d love to help.
Appendix A: Installing AWS Vault On macOS or Linux
- Download AWS Vault from https://github.com/99designs/aws-vault/releases
- Extract the AWS Vault binary from the archive, and copy to /usr/local/bin/
- Make the AWS Vault binary executable using the following command:
chmod +x /usr/local/bin/aws-vault
Appendix B: Installing AWS Vault On Windows
- Download AWS Vault from https://github.com/99designs/aws-vault/releases
- Copy the downloaded EXE to C:\Program Files\AWS-Vault (you will need to create this folder) and rename it to “aws-vault”
- Open Windows System Properties by entering “control sysdm.cpl” into a Windows Command or PowerShell Terminal
- Navigate to Advanced -> Environment Variables and update the “Path” system variable to append C:\Program Files\AWS-Vault\ to it
- You will now be able to run “aws-vault” from any newly opened Windows Command or PowerShell Terminal