Skip to content

Let's you run scripts that use aws-profile when you only have aws-vault. Use aws-profile with aws-vault!

License

Notifications You must be signed in to change notification settings

craigjbass/aws-profile-vault

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

52 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

aws-profile-vault Rust

This is a really small tool with 1 dependency, so while it hasn't been updated for 2 years, it's still very much "maintained".

This is intended as a drop in replacementish (you'll need aws-vault too) for aws-profile.

Why?

aws-profile is a tool that allows you to run arbitrary commands within specific aws profiles. It stores credentials in plaintext.

aws-vault is a tool that does roughly the same thing. One key difference is that it encrypts your credentials in an appropriate backend. This feels like a good idea.

Some teams have scripts that depend on aws-profile, in order to invoke commands across a variety of AWS accounts and/or roles.

This enables all team members to use aws-vault, but still use the legacy scripts that use aws-profile.

Migrating from aws-profile

Both tools use profiles that can be configured via ~/.aws/config.

  1. If you are using ~/.aws/credentials for profile mapping, port these to ~/.aws/config
  2. Delete ~/.aws/credentials
  3. Install aws-vault, and add your credentials from ~/.aws/credentials.
  4. Ensure aws-profile is removed
  5. Add your credentials to aws-vault as appropriate

Using

  1. Download this tool from github releases and symlink it as aws-profile on your $PATH.
  2. Use it like aws-profile

Compiling

  1. Clone the repository
  2. Ensure you have a Rust compiler installed
  3. cargo build --release

Running the tests

The entire project is defined in src/main.rs, including the tests.

Run cargo test

FAQs

MFA tokens must be entered every time?

If you use include_profile option instead of source_profile, you will find this issue goes away.

1hr max sessions?

If your abitrary command needs to run for longer than 1hr, then the token will expire.

In order to support this use case, we'd need some kind of environment variable to set aws-vault's --no-session flag.