I was bouncing around on a couple of different blogs yesterday when I came across this post from the Segment blog on how they manage access to their AWS accounts. In reading through it, we use a lot of similar techniques, although we use Ansible rather than Terraform for managing our users/groups/roles/policies. One thing that did catch my eye was the aws-vault program from 99designs that they adopted to use with Okta.

Having never used aws-vault before, I was really drawn in by two main features. The first is that the credentials are stored in a keychain rather than in an unencrypted file on my local hard drive. While I do a pretty good job of securing my machine, it does belong to my employer and is managed, so having the ability to secure the keys is very appealing to me. The second is the built-in mechanism for rotating the credentials. One of the challenges I have always had is keeping keys rotated in a timely manner.

Installing aws-vault was pretty easy on my Mac. A simple brew cask install aws-vault installed it, and after looking over the README in their git repo I was able to log into my first account very quickly.

As I started diving into the app, one of the things that quickly came up was that I needed to be able to enter my MFA code. While aws-vault deals with MFA very well, getting the code out of 1Password is kind of a problem. I don’t want to have to leave the command line to get the MFA code. When I started googling around for a solution, I learned that 1Password now has a CLI, and it works perfectly for what I need to do.

Rather than following the installation instructions on their website, I used Homebrew to install the CLI and then signed in to my personal vault.

brew cask install 1password-cli

op signin example.1password.com wendy_appleseed@example.com A3-~~XXXXXX-XXXXXX-XXXXX-XXXXX-XXXXX-XXXXX

Once signed in to the vault, I set up a couple of aliases, one to sign in and the other to generate the MFA code.

alias oplogin='eval $(op signin $my_1password_account)'
alias opguru='op get totp "$my_aws_account"'

Now that I can get the MFA code on the command line, it was easy to set up an alias that feeds it into the aws-vault CLI.

alias avguru='aws-vault exec -m $(opguru) $my_aws_account'

The alias worked well with my personal account, but I have a bunch of different corporate accounts. Thankfully, they all use the same MFA device from a centralized auth account. So after setting up my config file to handle the multiple accounts, I added a new alias to get the MFA code for my auth account and then a function that lets me pass the individual account name.

alias opwork='op get totp "$my_aws_account"'

avwork() {
  aws-vault exec -m $(opwork) $1
}
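One thing the alias-based version above does not cover is what happens when the 1Password session has expired: `$(opwork)` then expands to nothing (or to an error line), and because it is unquoted, `-m` ends up consuming the profile name as its value. The function below is an added example, not code from the original post or from either project, that keeps the same shape as avwork() but checks the value coming back from `op` before handing it to aws-vault. It assumes `op get totp <item>` and `aws-vault exec -m <code> <profile>` as used in the post; `AWS_VAULT_BIN` is a hypothetical override variable so the function can be exercised without aws-vault installed.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. A hardened variant of the
# avwork() function: it checks that the 1Password CLI actually returned a
# six-digit TOTP code before that value reaches aws-vault.
#
# Assumptions (as in the post): `op get totp <item>` prints the current code,
# and `aws-vault exec -m <code> <profile>` accepts it. AWS_VAULT_BIN is a
# hypothetical override so the function can be exercised without aws-vault
# installed (the real tool sets the unrelated AWS_VAULT variable itself).
AWS_VAULT_BIN=${AWS_VAULT_BIN:-aws-vault}

# Return 0 only if $1 is exactly six ASCII digits. An empty string (op session
# expired) or an "[ERROR] ..." line from op fails here instead of being
# forwarded as the MFA token.
valid_totp() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Fetch the current TOTP for a 1Password item. Kept separate so a test can
# stand in for the real CLI.
fetch_totp() {
  op get totp "$1" 2>/dev/null
}

# Usage: avwork <aws-vault-profile> <1password-item>
# Returns 2 on a usage error, 1 when no usable code was obtained, otherwise
# the exit status of aws-vault.
avwork() {
  profile=$1
  item=$2
  if [ -z "$profile" ] || [ -z "$item" ]; then
    echo "usage: avwork <aws-vault-profile> <1password-item>" >&2
    return 2
  fi
  token=$(fetch_totp "$item") || {
    echo "avwork: op failed for '$item' (run op signin again?)" >&2
    return 1
  }
  if ! valid_totp "$token"; then
    echo "avwork: op did not return a 6-digit code: '$token'" >&2
    return 1
  fi
  # Both arguments quoted: with an unquoted $(opwork) in the alias version,
  # an empty code lets -m swallow the profile name as its value.
  "$AWS_VAULT_BIN" exec -m "$token" "$profile"
}
```

Call it as `avwork prod work-mfa`, where the second argument is the 1Password item that holds the auth account's TOTP secret. The failure path is deliberately loud: a stale `op` session produces a clear error and a non-zero exit instead of an aws-vault invocation with the wrong arguments.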

The only issue that I ran into was being able to rotate my tokens on an account that has MFA enabled. There seems to be a bug in the current release that is preventing the app from sending the MFA and the rotate fails. Hopefully they will get it fixed quickly, but I still plan on incorporating the tool into my everyday toolkit.