/README.md:

# aws-vault quick guide
Official tool at https://github.com/99designs/aws-vault

## Management
`--debug` is optional on every command below; it only makes aws-vault log what it is doing to stderr.

* Add aws-vault profiles
> $ aws-vault --debug add \<profile\>

* Login to AWS Console
> $ aws-vault --debug login \<profile\>

* Rotate aws-vault keys
> $ aws-vault --debug rotate \<profile\>

* List aws-vault profiles, roles and sessions
> $ aws-vault --debug list

* Remove aws-vault keys
> $ aws-vault --debug remove \<profile\>

* Clear aws-vault sessions
> $ aws-vault --debug remove --sessions-only \<profile\>


## Usage
* aws-vault basic use with subshell
> $ aws-vault --debug exec \<profile\> --

Starts a sub shell with the following ENV:

`AWS_DEFAULT_REGION=eu-west-1, AWS_REGION=eu-west-1, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, AWS_SECURITY_TOKEN`

The region comes from the profile's entry in `~/.aws/config` (eu-west-1 in this example). The access key, secret key and session token are temporary STS credentials, not the long-lived key stored in the vault; `AWS_SECURITY_TOKEN` is the legacy name for the same session token, set for older SDKs.

* aws-vault basic use with inline command
> $ aws-vault --debug exec \<profile\> -- aws s3 ls

* Use aws-vault with custom ttl
> $ aws-vault --debug exec \<profile\> --session-ttl=15m --assume-role-ttl=1h --

`--session-ttl` bounds the STS session and `--assume-role-ttl` bounds the assumed-role credentials. These are the flags of older aws-vault releases; v6 replaces them with a single `--duration` flag.

* Use aws-vault with --server backend
> $ aws-vault --debug exec \<profile\> --session-ttl=1h --assume-role-ttl=8h --server

A local EC2 Instance Metadata server is started. This approach has the advantage that anything that uses Amazon's SDKs will automatically refresh credentials as needed, so session times can be as short as possible. The trade-off is that the metadata endpoint (169.254.169.254) is reachable by every process on the host, not only the command you ran, so any local code can fetch the credentials while the server is up, and setting the address up needs root privileges. Newer releases also offer `--ecs-server`, which serves credentials on a local port protected by a per-process authorization token instead.
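A guard for scripts that are meant to run under `aws-vault exec <profile> -- …`, added here as an example (it is not part of aws-vault or of this guide). It checks the environment the subshell receives, as listed above: a temporary key id issued by STS starts with `ASIA` and is accompanied by `AWS_SESSION_TOKEN`, whereas an `AKIA` key id is a long-lived IAM user key that should never appear in this environment. `vault_run` composes the `--session-ttl`/`--assume-role-ttl` flags exactly as the guide uses them; the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: fail-closed guard for scripts run inside `aws-vault exec`.
# Reads only the environment variables aws-vault injects into the subshell.

# Classify an access key id by its prefix: ASIA = temporary STS key,
# AKIA = long-lived IAM user key, anything else = unknown.
aws_key_kind() {
  case "$1" in
    ASIA*) printf 'temporary\n' ;;
    AKIA*) printf 'long-lived\n' ;;
    *)     printf 'unknown\n' ;;
  esac
}

# Returns 0 when the current environment holds the kind of credentials
# `aws-vault exec` sets (temporary key id + secret + session token), 1 otherwise.
aws_creds_are_temporary() {
  [ -n "${AWS_ACCESS_KEY_ID:-}" ]     || return 1
  [ -n "${AWS_SECRET_ACCESS_KEY:-}" ] || return 1
  [ -n "${AWS_SESSION_TOKEN:-}" ]     || return 1
  [ "$(aws_key_kind "$AWS_ACCESS_KEY_ID")" = temporary ]
}

# Run the given command only if the guard passes. A script started outside
# aws-vault, or with a static key exported by mistake, stops here instead of
# quietly using whatever credentials happen to be in the environment.
require_vault_session() {
  if ! aws_creds_are_temporary; then
    echo "refusing to run: no temporary AWS credentials in the environment" >&2
    echo "start this with: aws-vault exec <profile> -- $0" >&2
    return 2
  fi
  "$@"
}

# Run one command under a fresh, short session. 15m is the shortest
# assume-role duration STS allows; raise it only for tasks that need longer.
# Needs aws-vault installed; hypothetical wrapper name.
vault_run() {
  local profile="$1"; shift
  aws-vault exec "$profile" --session-ttl=15m --assume-role-ttl=15m -- "$@"
}
```

Source the file from a script and call `require_vault_session aws s3 ls`, or run the whole script as `vault_run <profile> ./script.sh`. The check is deliberately on the key id prefix rather than on `AWS_VAULT` being set, so it also catches the case where someone exports a long-lived key on top of an aws-vault session.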
# aws config
[~/.aws/config example](https://github.com/FernandoMiguel/kb/blob/master/aws/config)

# Multiple roles in browsers
[to start a new chrome/firefox profile per role](browsers.md)

[Using aws-vault with multiple Chrome windows by Ben Bridts](https://www.cloudar.be/awsblog/using-aws-vault-with-mulitple-browser-windows/)

If you use Firefox check out Firefox Multi-Account Containers. These allow separate sessions within a single Firefox window: each container can be given a unique name, colour and icon. Cookies and sessions are isolated per container, and tabs are colour coded to avoid accidentally using the wrong account. Install containers from the link below; then run `aws-vault login -s \<profile\>` (`-s` is short for `--stdout`) to produce a one-time URL, open a container tab and paste the URL into the address bar.

https://addons.mozilla.org/en-GB/firefox/addon/multi-account-containers/

# Linux setup
Connor wrote a guide for the Linux backend:
https://www.tastycidr.net/using-aws-vault-with-linux/

/browsers.md:

# Start aws-vault in Chrome (default profile) for macOS:

`aws-vault login iso-ne-sandbox --stdout | xargs -t /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome`

Note that `xargs -t` echoes the full command, including the one-time sign-in URL and its token, to stderr before running it; drop `-t` on a shared terminal.

# Start aws-vault login in a new temporary chrome profile:

`$ aws-vault --debug login --stdout | xargs -t /Applications/Google\ Chrome\ Canary.app/Contents/MacOS/Google\ Chrome\ Canary --args --no-first-run --new-window --disk-cache-dir=$(mktemp -d /tmp/chromecanary.XXXXXX) --user-data-dir=$(mktemp -d /tmp/chromecanary.XXXXXX)`


## You can add the following alias to your bash_rc

`$ alias awslogin='aws-vault --debug login --stdout | xargs -t /Applications/Google\ Chrome\ Canary.app/Contents/MacOS/Google\ Chrome\ Canary --args --no-first-run --new-window --disk-cache-dir=$(mktemp -d /tmp/chromecanary.XXXXXX) --user-data-dir=$(mktemp -d /tmp/chromecanary.XXXXXX)'`

which allows you to call roles with:

`$ p=MY-ROLE && awslogin`

Because the alias is single-quoted, the `$(mktemp ...)` calls run each time the alias is expanded, so every login gets a fresh profile and cache directory and no console session outlives the window.


## Firefox and Chrome in private mode
Inspired by https://github.com/blimmer/zsh-aws-vault/blob/master/zsh-aws-vault.plugin.zsh

### Chrome
`$ alias awslogin='aws-vault --debug login --stdout | xargs -t /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --args --incognito --new-window'`

### Firefox

```
function awslogin() {
  local ff=""
  case "$(uname)" in
    Linux)
      ff=$(command -v firefox) ;;
    Darwin)
      # On macOS the binary lives inside the app bundle and is usually not on PATH.
      if [[ -x /Applications/Firefox.app/Contents/MacOS/firefox ]]; then
        ff=/Applications/Firefox.app/Contents/MacOS/firefox
      else
        ff=$(command -v firefox)
      fi ;;
  esac
  if [[ -z "$ff" ]]; then
    echo "firefox not found" >&2
    return 1
  fi
  # xargs -t prints the command line, sign-in URL included, to stderr.
  aws-vault --debug login "$1" --stdout | xargs -t "$ff" --private-window
}
```
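A per-role browser launcher, added here as an example rather than code from this guide or from aws-vault. Instead of a throw-away `mktemp` profile it keeps one Chrome `--user-data-dir` per aws-vault profile, so each role keeps its own console session (the approach of the Ben Bridts post linked in the README), and before launching it checks that what came back from `aws-vault login --stdout` really is the federation sign-in URL, so an error message or stray output is never handed to the browser as a URL. The Chrome path, the `PROFILE_ROOT` location and the function names are assumptions; the URL check assumes the standard `signin.aws.amazon.com` partition.

```shell
#!/usr/bin/env bash
# Added example: open an aws-vault console login in a Chrome profile dedicated
# to one role. Assumed locations; override CHROME / AWS_VAULT_BROWSER_ROOT.
CHROME="${CHROME:-/Applications/Google Chrome.app/Contents/MacOS/Google Chrome}"
PROFILE_ROOT="${AWS_VAULT_BROWSER_ROOT:-$HOME/.aws-vault-browsers}"

# Map a profile name to a safe directory name: anything outside [A-Za-z0-9._-]
# becomes "_", and names that would resolve to "." or ".." are rejected, so a
# profile called "prod/admin" or ".." cannot escape PROFILE_ROOT.
safe_profile_name() {
  local n
  n=$(printf '%s' "$1" | tr -c 'A-Za-z0-9._-' '_')
  case "$n" in ''|.|..) return 1 ;; esac
  printf '%s\n' "$n"
}

# Per-role user-data-dir, created (or re-chmodded) to 700: it will hold the
# console session cookies for that role.
browser_profile_dir() {
  local n dir
  n=$(safe_profile_name "$1") || return 1
  dir="$PROFILE_ROOT/$n"
  mkdir -p -m 700 "$dir" || return 1
  chmod 700 "$dir"
  printf '%s\n' "$dir"
}

# Accept only the federation sign-in URL `aws-vault login --stdout` prints
# (assumed: the signin.aws.amazon.com partition), never arbitrary text.
is_console_login_url() {
  case "$1" in
    https://signin.aws.amazon.com/federation\?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: awslogin <profile>   (needs aws-vault and Chrome installed)
awslogin() {
  local profile="$1" url dir
  [ -n "$profile" ] || { echo "usage: awslogin <profile>" >&2; return 2; }
  url=$(aws-vault login "$profile" --stdout) || return 1
  is_console_login_url "$url" || { echo "unexpected output from aws-vault login" >&2; return 1; }
  dir=$(browser_profile_dir "$profile") || return 1
  # The URL is passed as an argument and so is briefly visible to other local
  # users via ps; the sign-in token is single-use and short-lived, but this is
  # one more reason not to echo it with xargs -t on a shared machine.
  "$CHROME" --no-first-run --new-window --user-data-dir="$dir" "$url" >/dev/null 2>&1 &
}
```

Source the file from your shell rc and run `awslogin prod-admin`; a second call for the same profile reuses its window data, while a different profile opens an unrelated browser identity. Delete the directory under `PROFILE_ROOT` to forget a role's console session.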