Playing Around with AWS-Vault for Fun & Profit

ohaval

Ohav Almog

Posted on June 12, 2023

Playing Around with AWS-Vault for Fun & Profit

Introduction

AWS-Vault is an excellent open-source tool by 99Designs that enables developers to store AWS credentials in their machine keystore securely. After using it for a while at Jit, I decided to dig deeper into how it works and learned a lot along the way. In this article, I will summarize and simplify the information I learned to help others with their AWS-Vault adoption and lower the barrier to usage.

I will start with a basic explanation of AWS access keys, the Session Token Service, and its helpful API calls. Then I will show how aws-vault uses it to provide a secure way to access AWS resources, reducing the risk of exposing AWS credentials. In addition, I will represent a typical AWS account pattern, and again we'll see how aws-vault works perfectly with it.

AWS Access Keys

AWS makes it possible to create a set of access keys for a specific user (those are called aws_access_key_id and aws_secret_access_key). Together with these keys, it's possible to authenticate to AWS and perform actions on behalf of the user.

When using Python, for example, it's possible to use the boto3 library, which is the AWS Software Development Kit for Python, to authenticate to AWS:

import boto3

session = boto3.Session(
    region_name='us-east-1',
    aws_access_key_id=AWS_ACCESS_KEY_ID,
    aws_secret_access_key=AWS_SECRET_ACCESS_KEY,
)
session.client('s3').list_buckets()
Enter fullscreen mode Exit fullscreen mode

With the AWS CLI, a configuration file can be used to store the access keys, which can then be used in the future to authenticate to AWS as follows:

> cat ~/.aws/config

[default]
region=us-east-1
aws_access_key_id=***
aws_secret_access_key=***

> aws s3 ls
Enter fullscreen mode Exit fullscreen mode

With such a configuration file, long-lived credentials are stored in plain text on the user's machine. That's a security risk, as anyone with access to the device or the file can steal the credentials to perform actions on behalf of the user.

That is why developers and teams have moved on to more secure authentication practices, such as using session tokens.

Session Tokens

Sessions are a more secure approach, allowing the user to create valid temporary credentials for a specific period. Thus, if stolen, the keys might already be expired or will only limit the time the attacker can leverage them.

Below is a code example for how to generate temporary credentials using the AWS CLI:

> aws sts get-session-token
{
    "Credentials": {
        "AccessKeyId": "***",
        "SecretAccessKey": "***",
        "SessionToken": "***",
        ...
        }
}
Enter fullscreen mode Exit fullscreen mode

But hang on a minute, as this example uses the long-lived credentials to authenticate to STS and get the temporary credentials. So, how could this possibly solve the problem of having unencrypted long-lived credentials on a user's machine?

That is where aws-vault comes in. But just before diving into aws-vault, let's first look at popular STS API calls.

AWS STS

STS, which stands for AWS Security Token Service, is a web service that enables you to request temporary, limited-privilege credentials for AWS IAM users or IAM roles. All temporary credentials consist of an access key ID, a secret access key, and a session token. These three credentials are then used to sign requests to any AWS service.

GetSessionToken

GetSessionToken is an API call that fetches temporary credentials for an IAM user. The simplest example is when a user uses its long-lived credentials to request temporary credentials (for any reason), where a widespread use case for this API call is when a user wants to authenticate to AWS using MFA. If MFA is used, the received credentials can be used to access APIs requiring MFA authentication.

AssumeRole

Another method used to get temporary credentials, this time for an IAM role, is AssumeRole. Like GetSessionToken, it returns an access key, a secret access key, and a session token. It's possible to authenticate with an MFA device when assuming a role, and moreover, it's possible to protect an IAM role, requiring it to be assumed with MFA.

GetSessionToken and AssumeRole Comparison

GetSessionToken AssumeRole
Used to receive credentials for IAM User IAM Role
Can be called with only long-lived credentials YES NO
Can be called with MFA YES YES
The received credentials can be used to issue a call to GetSessionToken NO NO
The received credentials can be used to issue a call to AssumeRole YES YES
Maximum session duration 36 hours 12 hours
Cross-account access NO YES

AWS Vault

Now let's see where AWS Vault comes in to add a layer of security, preventing the storage of long-lived credentials in regular system files.

Copied from the project’s README:

“AWS Vault stores IAM credentials in your operating system's secure keystore and then generates temporary credentials from those to expose to your shell and applications.”

What this means for the end user is that instead of storing the credentials as clear text in a configuration file, they are stored in the OS's secure keystore. That is a safer approach, as the credentials are encrypted and can only be decrypted by the user who created them.

Not only does AWS-Vault store the credentials in the OS's secure keystore, but it also generates temporary credentials from those to expose to the shell and applications. That means that even if the credentials are stolen from the environment or an application, they are only valid for a specific period.

How Does It Work?

First, aws-vault stores the long-lived credentials in the OS's secure keystore. To do it, the aws-vault add command should be used:

# A configured profile can already exist or not. If not, aws-vault will create the profile in `~/.aws/config`.

> aws-vault add some-developer
Enter Access Key Id: ***
Enter Secret Access Key: ***
Enter fullscreen mode Exit fullscreen mode

For instance, in macOS, the credentials are stored encrypted in the Keychain Access app and can be viewed under 'Custom Keychains'.

Then, when requesting to use that profile, aws-vault will generate temporary credentials from the long-lived credentials using GetSessionToken. These temporary credentials are then exposed to the shell and applications using environment variables.

> aws-vault exec some-developer -- env | grep AWS
AWS_ACCESS_KEY_ID=***
AWS_SECRET_ACCESS_KEY=***
AWS_SESSION_TOKEN=***
Enter fullscreen mode Exit fullscreen mode

AWS-Vault also stores the session credentials in the same keychain to be used until they expire.

Image description

Popular AWS Account Pattern

A typical user management pattern and recommended security practice is having a single AWS management account with only IAM users grouped into IAM groups (like developers and admins). Then, in addition to that account, there can be multiple AWS accounts (tagged dev, staging, and prod) with IAM roles that are assumed by the users in the developers and admins groups.

Image description

This pattern has many advantages, and the biggest of them all is resource isolation. Having each environment resource in a different AWS account makes it very unlikely that resources from a dev account will interact, interfere, or be included in the same list of resources in the production environment. In addition, in terms of security, this separation makes it harder to access prod resources or data (which are usually the most valuable) from a development or a staging account.

Not only that but separating accounts also helps by viewing and monitoring cost and usage. With that, setting specific alerts and budgets for each environment is very easy.

A developer in such an organization will probably have an AWS configuration file that looks like this:

[default]
region = us-east-1
mfa_serial = arn:aws:iam::1000:mfa/some-developer

[profile some-developer]
Credential_process = aws-vault export --format=json some-developer

[profile dev]
role_arn = arn:aws:iam::2000:role/Admin
source_profile = some-developer

[profile staging]
role_arn = arn:aws:iam::3000:role/ReadOnly
source_profile = some-developer

[profile prod]
role_arn = arn:aws:iam::4000:role/ReadOnly
source_profile = some-developer
Enter fullscreen mode Exit fullscreen mode

This is where the beauty of aws-vault, together with this pattern, comes in. At first glance, it's possible to think that AWS-Vault would ask for a session token for each environment (as it's in a different profile and AWS account). But, if you remember the previous section, GetSessionToken requests credentials for an IAM user, not for an IAM role. And in this case, the developer only has one user, which exists in the management account.

Thus, the developer will store only a single pair of long-lived keys of the management account in the OS’ secure keystore, as can be seen in the following output:

> aws-vault list

Profile                  Credentials              Sessions                      
=======                  ===========              ========                      
default                  -                        -                             
some-developer           some-developer           sts.GetSessionToken:8h29m31s  
dev                      -                        -                             
staging                  -                        -                             
prod                     -                        -          
Enter fullscreen mode Exit fullscreen mode

AWS-Vault identifies the source_profile and role_arn attributes in the config file and understands it needs to assume each environment role with the same session from the management account's developer profile.

Image description

By leveraging the source_profile property in the ~/.aws/config file, aws-vault will use the credentials from the source_profile to assume the role in the role_arn property. That allows aws-vault to ask for MFA only once and then use the temporary credentials to assume the roles in the other accounts.

Usually, these roles will have a condition requiring MFA to be assumed. So, why isn't the MFA being asked for each time the developer switches between environments? That's thanks to the fact that a session token that was created using MFA can be used to assume a role that requires MFA, and aws-vault is smart enough to know that both roles use the same MFA device.

With this pattern and configuration, developers can easily switch between different environments without a hassle:

> aws-vault exec dev -- aws lambda invoke --function-name some-function --payload '{}'
> aws-vault exec staging -- aws lambda list-functions
Enter fullscreen mode Exit fullscreen mode

Wrap Up

AWS-Vault is a powerful open source security tool to help add a layer of much-needed essential security for AWS users and developers. It is also built on top of the classic AWS config file, helping to avoid extra configuration and pains of usage.

I hope the examples provided will help you ramp up aws-vault more quickly and unleash the security capabilities this tool offers AWS users.

💖 💪 🙅 🚩
ohaval
Ohav Almog

Posted on June 12, 2023

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related