Configuring AWS Vault with the Pass Backend for Secure Credential Management on Linux

Configuring AWS Vault with the Pass Backend for Secure Credential Management on Linux

Managing AWS credentials securely is critical for developers and engineers. AWS Vault is a fantastic tool that enhances credential security by securely storing and accessing AWS credentials. Here's how to set up AWS Vault on a Linux system using the pass backend.

Note: This guide focuses on configuring AWS Vault with the pass backend for enhanced security and integration with your Linux system.

Why AWS Vault?

AWS Vault helps:

• Store credentials securely using the pass backend.
• Avoid hardcoding or saving plain text AWS credentials.
• Use temporary session tokens to interact with AWS services.

Step 1: Install AWS CLI

Before installing AWS Vault, ensure the AWS CLI is set up on your system:

1. Download the installation script:

   curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"

1. Ensure unzip is installed:

   • For Ubuntu/Debian:

    sudo apt update && sudo apt install unzip -y
   

• For Fedora/RHEL:
  

   sudo dnf install unzip -y
  

1. Extract the ZIP file:

   unzip awscliv2.zip

1. Run the installer:

   sudo ./aws/install

1. Verify the installation:

   aws --version

The output should display the installed version of AWS CLI.

1. Clean up temporary files:

   rm awscliv2.zip
   rm -r aws/

Step 2: Install AWS Vault

Install AWS Vault on Linux:

1. Download AWS Vault binary:

   sudo curl -L -o /usr/local/bin/aws-vault https://github.com/99designs/aws-vault/releases/latest/download/aws-vault-linux-amd64

1. Set executable permissions:

   sudo chmod 755 /usr/local/bin/aws-vault

1. Verify installation:

   aws-vault --version

Step 3: Configure the pass Backend and Initialize

To use the pass backend with AWS Vault, first set the AWS_VAULT_BACKEND environment variable:

export AWS_VAULT_BACKEND=pass

Pinentry and pass are required for GPG key generation. Ensure that both programs are installed and configured:

• Install pinentry:

  • For Ubuntu/Debian:

   sudo apt update && sudo apt install pinentry-tty -y
  

  • For Fedora/RHEL:

   sudo dnf install pinentry -y
  

• Install pass:

  • For Ubuntu/Debian:

   sudo apt update && sudo apt install pass -y
  

  • For Fedora/RHEL:

   sudo dnf install pass -y
  

• Configure GPG to use the installed pinentry:
  
  

  echo "pinentry-program /usr/bin/pinentry" >> ~/.gnupg/gpg-agent.conf
  gpgconf --kill gpg-agent
  gpgconf --launch gpg-agent

If you don't have a GPG key, generate one:

   gpg --generate-key

Follow the prompts to create a new key.

Automatically initialize pass using the first available GPG key:

   gpg --list-keys --with-colons | awk -F: '/^pub/ {print $5; exit}' | xargs -I {} pass init {}

This command extracts the first GPG key ID from your keyring and initializes pass. Ensure you have at least one GPG key configured.

Step 4: Add a Profile

Add your AWS credentials to AWS Vault using the add command:

aws-vault add <profile-name>

This will prompt you to enter your AWS Access Key and Secret Key. The credentials will be securely stored in an encrypted file.

Next, configure the default AWS region for the profile using the AWS CLI:

aws configure set region <your-region> --profile <profile-name>

Replace <your-region> with the desired AWS region (e.g., ap-southeast-2) and <profile-name> with the profile name you added in aws-vault.

Optional Steps

You can also configure additional settings for your profile:

• Set the MFA serial:

  aws configure set mfa_serial arn:aws:iam::<account-id>:mfa/<username> --profile <profile-name>

• Set the role arn:

  aws configure set role_arn arn:aws:iam::<account-id>:role/<role-name> --profile <profile-name>

Replace <account-id> with your AWS account ID (e.g., 123456789012), <role-name> with the name of the IAM role you want to assume, and <profile-name> with the profile name you added in aws-vault.

• Set a role session name for better traceability:

  aws configure set role_session_name <session-name> --profile <profile-name>

Purpose: The role_session_name provides a unique identifier for your session when assuming a role. It appears in AWS CloudTrail logs, making it easier to trace actions performed during the session.

Best Practices:

• Use a descriptive name that reflects the purpose of the session, such as dev-session or test-session.
• Ensure session names are unique to avoid confusion when tracking activities in logs.

Step 5: Test Your Setup

Test the configuration by running an AWS CLI command:

aws-vault exec <profile-name> -- aws sts get-caller-identity

This should return details of your AWS account, confirming that AWS Vault is correctly configured.

Note: During this process, gpg may prompt you to enter the password for your GPG key. Ensure you remember the password you set during the GPG key creation.

Ensure the pass backend is functioning correctly, and no credential-related errors occur during this test.

Conclusion

AWS Vault is an excellent tool for improving the security of AWS credential management. By storing credentials securely using the pass backend, you can enhance security and integration with your operating system.

Note: If prompted for your GPG key password during use, it is a normal security measure to ensure only authorized access to your credentials.

If you attempt the pass backend, please share your feedback or tips for others exploring this setup. 🚀