Building DevSecOps solutions using AWS, Terraform and Kubernetes

Using AWS Vault with SSO

  • 18th February 2023
AWS Vault Login - Assume Role

Introduction

Today we’re going to look at configuring aws-vault to use the SSO login details. AWS Vault is a tool used to securely store and access AWS credentials in a development environment.

Hardcoding access keys locally is a bad idea, so we will look at using aws-vault to login via SSO from the CLI.

Prerequisites

I will assume you have installed aws-vault on your machine and that you’re comfortable using the command line.

Add the SSO profile

First up, we will need to configure our profile locally.

Before we get started make sure you have these details to hand:

  • Your SSO URL (e.g.: INSERT_SSO_ID.awsapps.com/start)
  • The SSO region
  • The SSO account ID
  • The SSO role you would like to use

These details can all be found in the URL you see when you first log in to AWS via SSO.

Now, set up the config file ~/.aws/config and replace the values as indicated.

[profile my-sso-login]
sso_start_url = https://INSERT_SSO_ID.awsapps.com/start
sso_region = us-east-1
sso_account_id = INSERT_ACCOUNT_ID
sso_role_name = INSERT_ROLE_NAME
region = eu-west-2
output = json

AWS Vault can now use these details to connect.

Login to aws-vault

Now, to log in, you can just run this command from the command line:

aws-vault login my-sso-login

This will open a browser window, and let you connect to your AWS account. Finally click “Allow” to grant access to aws-vault.

If it works you should see a message like this:

AWS Vault Login - Request Approved

Run commands

Now that you’re logged in, you can start to run some CLI commands. All you need to do is prefix everything with aws-vault exec my-sso-login --.

For example:

aws-vault exec my-sso-login -- aws sts get-caller-identity

This same approach works for terraform too, for example:

aws-vault exec my-sso-login -- terraform plan

Assume a second role using aws-vault

Now, for bonus points you can also chain profiles together. This allows you to assume a different role from within that first account.

All you need to do is add an additional piece of config to ~/.aws/config:

[profile my-assumed-role]
role_arn = INSERT_ROLE_ARN_TO_ASSUME
source_profile = my-sso-login

Now to run commands using this role, we can execute them like so:

aws-vault exec my-assumed-role -- aws sts get-caller-identity

And as the output will indicate, we are now running commands as that second role.
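As an added example (not part of the original post, and not aws-vault's own tooling), the following POSIX shell script builds both of the profiles described above, the SSO profile and the chained my-assumed-role profile, into a throwaway config file and sanity-checks them before anything tries to log in: the SSO profile must carry every sso_* key aws-vault needs and must contain no leftover INSERT_ placeholders, and the chained profile must name a role_arn and a source_profile that actually exists in the same file. The profile names, the INSERT_ placeholder values and the use of a temporary file via AWS_CONFIG_FILE (which both aws-vault and the AWS CLI honour) are assumptions of the example, not something the post prescribes.

```shell
#!/bin/sh
# Added example, not code from the original post: write the two profiles from
# the post to a temporary config file and validate them before use.
# Assumptions: profile names my-sso-login / my-assumed-role as in the post;
# every INSERT_* value is a placeholder you replace with your own details.

# Use a temporary file so the real ~/.aws/config is never touched by this demo.
CFG=$(mktemp)

write_aws_config() {
  # $1 = path of the config file to (over)write
  cat > "$1" <<'EOF'
[profile my-sso-login]
sso_start_url = https://INSERT_SSO_ID.awsapps.com/start
sso_region = us-east-1
sso_account_id = INSERT_ACCOUNT_ID
sso_role_name = INSERT_ROLE_NAME
region = eu-west-2
output = json

[profile my-assumed-role]
role_arn = INSERT_ROLE_ARN_TO_ASSUME
source_profile = my-sso-login
EOF
}

# Print the body of one profile section: the lines between its header and the next header.
profile_body() {
  # $1 = config file, $2 = profile name
  awk -v want="[profile $2]" '
    $0 == want { inside = 1; next }
    /^\[/      { inside = 0 }
    inside     { print }
  ' "$1"
}

# Return 0 if the SSO profile has every key an SSO login needs and no placeholders,
# 1 if a key is missing, 2 if INSERT_ placeholders are still present.
check_sso_profile() {
  # $1 = config file, $2 = profile name
  body=$(profile_body "$1" "$2")
  for key in sso_start_url sso_region sso_account_id sso_role_name; do
    printf '%s\n' "$body" | grep -q "^$key *=" || { echo "missing $key in $2" >&2; return 1; }
  done
  if printf '%s\n' "$body" | grep -q 'INSERT_'; then
    echo "placeholder values still present in $2" >&2
    return 2
  fi
  return 0
}

# Return 0 if a chained profile names a role_arn and a source_profile defined in the same file.
check_chained_profile() {
  # $1 = config file, $2 = profile name
  body=$(profile_body "$1" "$2")
  printf '%s\n' "$body" | grep -q '^role_arn *=' || { echo "missing role_arn in $2" >&2; return 1; }
  src=$(printf '%s\n' "$body" | sed -n 's/^source_profile *= *//p')
  [ -n "$src" ] || { echo "missing source_profile in $2" >&2; return 1; }
  grep -q "^\[profile $src\]" "$1" || { echo "source_profile $src is not defined" >&2; return 1; }
  return 0
}

write_aws_config "$CFG"
check_chained_profile "$CFG" my-assumed-role && echo "my-assumed-role correctly chains to my-sso-login"
# With the placeholders still in place this reports the problem and returns 2:
check_sso_profile "$CFG" my-sso-login || echo "fill in the INSERT_ values before logging in"

# Once the placeholders are replaced, the post's commands work against this file
# because aws-vault and the AWS CLI both read AWS_CONFIG_FILE:
#   AWS_CONFIG_FILE="$CFG" aws-vault login my-sso-login
#   AWS_CONFIG_FILE="$CFG" aws-vault exec my-assumed-role -- aws sts get-caller-identity
```

The placeholder check matters in practice: aws-vault will happily start a browser login against a start URL containing INSERT_SSO_ID, and the failure only shows up later, so refusing to run until the config is complete saves a confusing round trip.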

Conclusion

And that’s it! Hopefully this gives you a quick starting point for using aws-vault with SSO in AWS.

AWS Vault is a really useful tool if you switch accounts a lot, so don’t forget to check out their documentation.

Rhuaridh

Please get in touch through my socials if you would like to ask any questions - I am always happy to speak tech!