Stay authenticated in awscli with vault
Project description
vault-aws-login
Stay authenticated in awscli with vault without affecting other profiles that you wish to keep un-managed.
Installation & Running
- Make sure consul-template is installed and in your $PATH
- Run pip3 install --upgrade vault-aws-login
- Run wget -O - https://nhtzr.github.io/vault-aws-login/vault-aws-config.tgz | tar -C "$HOME" -zxf -
- Update ~/.vault-aws/config with:
[default]
vault_addr = https://vault.engineering.armory.io
# (overrides your current VAULT_ADDR env var.)
# (leave it empty if you don't want that to happen)
vault_login_method = <your auth type to vault>
# Type of authentication to use such as "userpass" or "ldap". Note this
# corresponds to the TYPE, not the enabled path. Use -path to specify the
# path where the authentication is enabled. The default is token.
# (leave it empty if you don't want this parameter)
# (use extra_vl_flags = ["-path", "/your/path"] for the given example above)
vault_login_username = <your vault username>
# The -method flag allows using other auth methods, such as userpass, github, or
# cert. For these, additional "K=V" pairs may be required. For example, to
# authenticate to the userpass auth method:
# $ vault login -method=userpass username=my-username
# (vault_login_<K> = <V> is also valid for K=V pairs other than username)
Assuming you have aws credentials under the vault secret /aws/dev/sts/admin and you want to have them available to you under the aws-profile dev, run this command:
vault-aws-login -l dev &
This will keep consul-template running in the background, keeping your dev aws-profile credentials updated and valid. Running aws --profile dev sts get-caller-identity can help you double-check this.
Overrides, Template, and Configs
As you can see, the -l/--login flag (login_id) conflates both the resulting aws-profile name and the source vault secret. This is a convenient convention, but it is not always ideal. You can override both the aws-profile and the vault secret that correspond to a given login_id by adding a login_override section in your ~/.vault-aws-login/config file:
[login_override dev_as_default]
aws_profile_name = default
vault_secret_path = /aws/dev/sts/admin
Likewise, the login_template section describes the generic values that correspond to each login_id:
[login_template]
aws_profile_name = %(login_id)s
vault_secret_path = /aws/%(login_id)s/sts/admin
Both the template and the overrides are implemented with python3's ConfigParser.BasicInterpolation and ConfigParser.get(vars=overrides). This means that:
- A property in login_template can depend on a property in login_override, and vice versa.
- In case of a name clash, the property in login_override has higher priority.
This allows the templates to render on arbitrary data, and not just on the corresponding login_id. (Note: login_id is populated by the script itself, so it cannot be overridden.)
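The lookup chain described above (override values first, then the template section, with login_id fixed by the script) can be reproduced with the standard library alone. The following is an added example written for this page, not the project's own code: it assumes the script reads [login_template] through ConfigParser.get(vars=...) with the raw values of the chosen [login_override <name>] section as vars, and it goes beyond the README's two-property example by adding a hypothetical `role` property so that each of the three rules above is exercised.

```python
import configparser

# Constructed sample config (not the project's shipped file). It mirrors the
# README's [login_template] / [login_override ...] layout; `role` is a
# hypothetical extra property added to show every link of the lookup chain.
SAMPLE_CONFIG = """
[login_template]
role = admin
aws_profile_name = %(login_id)s
vault_secret_path = /aws/%(login_id)s/sts/%(role)s

[login_override dev_as_default]
# an override property may reference a template property (role comes from the template)
aws_profile_name = default
vault_secret_path = /aws/dev/sts/%(role)s

[login_override prod_readonly]
# name clash: the override's role wins over the template's role,
# and the template's vault_secret_path picks up the overridden role
role = readonly
aws_profile_name = %(login_id)s-%(role)s
# login_id is set by the script, so this value must be discarded
login_id = ignored-value
"""

RENDERED_KEYS = ("aws_profile_name", "vault_secret_path")


def render_login(config_text, login_id, override_name=None):
    """Render the aws-profile name and vault secret path for one login_id.

    Assumed behaviour: template values are read from [login_template] with
    ConfigParser.get(vars=overrides), where `overrides` holds the raw values
    of the matching [login_override <name>] section plus the script-set login_id.
    """
    parser = configparser.ConfigParser(
        interpolation=configparser.BasicInterpolation()
    )
    parser.read_string(config_text)

    overrides = {}
    if override_name is not None:
        section = f"login_override {override_name}"
        if not parser.has_section(section):
            raise KeyError(f"no such override section: {section}")
        # raw=True keeps %(...)s references unexpanded; they are resolved
        # below through the template section's lookup chain.
        overrides.update(parser.items(section, raw=True))
    # login_id is populated by the script itself and cannot be overridden:
    # assign it last so any login_id key in the override section is dropped.
    overrides["login_id"] = login_id

    # Lookup order inside get(): vars (the override) -> [login_template] -> DEFAULT.
    return {
        key: parser.get("login_template", key, vars=overrides)
        for key in RENDERED_KEYS
    }


def render_consul_template_input(config_text, logins):
    """Build the list of dicts the README says is handed to consul-template.

    `logins` is a list of (login_id, override_name_or_None) pairs.
    """
    return [render_login(config_text, lid, ov) for lid, ov in logins]


if __name__ == "__main__":
    for lid, ov in [("dev", None), ("dev", "dev_as_default"), ("prod", "prod_readonly")]:
        print(lid, ov, render_login(SAMPLE_CONFIG, lid, ov))
```

Because vars sits in front of the section in the ChainMap that ConfigParser builds, an override key shadows a template key of the same name, while any %(...)s reference in either of them is resolved against the same combined map; that single mechanism is what produces both bullets above.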
The [default] config profile section contains the properties that the main script will use: most importantly, the args given to vault login, and the -l/--login login_ids you want by default. You can choose to take those properties from any other section by using the -p/--profile flag, and you can use a completely different config file with the -c/--config flag as well.
For consul-template-specific configs, you can modify ~/.vault-aws-config/credentials.hcl if you want to fine-tune its behavior. There's also the ~/.vault-aws-config/config option named extra_ct_flags in the config profile section (i.e. [default]) in case you want to add extra flags like -once.
If you want to keep multiple credentials.hcl files, you might want to set consul_template_hcl to different values in different config profile sections.
Code overview
The general workflow of this script is:
0. Log into vault if vault token lookup fails.
1. Generate the following JSON and invoke consul-template:
[{"aws_profile_name": "dev", "vault_secret_path": "/aws/sts/admin"}, ...]
2. consul-template generates the following credentials file and invokes aws_credentials_merge:
[dev]
aws_access_key_id = <info from vault>
aws_secret_access_key = <info from vault>
aws_session_token = <info from vault>
3. aws_credentials_merge takes these new credentials and merges them into ~/.aws/credentials.
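The merge step is where the "without affecting other profiles" guarantee from the top of this page has to be enforced. The following is an added example, not the project's aws_credentials_merge: it assumes both files are plain INI as shown above and that only the profiles present in the consul-template output are managed. Unmanaged profiles (here a constructed [default]) are passed through untouched, a managed profile is replaced wholesale so stale keys do not linger, interpolation is disabled so secret values are never treated as %(...)s templates, and the file is written atomically with mode 0600.

```python
import configparser
import io
import os
import tempfile

# Constructed sample files (not real credentials): the key values are
# obviously fake placeholders.
EXISTING_CREDENTIALS = """\
[default]
aws_access_key_id = AKIA_EXAMPLE_DEFAULT
aws_secret_access_key = secret-default-unmanaged

[dev]
aws_access_key_id = ASIA_EXAMPLE_OLD
aws_secret_access_key = secret-old
aws_session_token = token-old
x_stale_hand_edit = leftover
"""

NEW_CREDENTIALS = """\
[dev]
aws_access_key_id = ASIA_EXAMPLE_NEW
aws_secret_access_key = secret-new
aws_session_token = token-new
"""


def parse_credentials(text):
    # interpolation=None: access keys and session tokens are opaque strings and
    # must never be expanded as %(...)s templates (a stray '%' would otherwise
    # raise or silently corrupt the value).
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def merge_credentials(existing_text, new_text):
    """Return a ConfigParser holding existing credentials with managed profiles replaced.

    Profiles absent from new_text are left exactly as they were. A managed
    profile is cleared and refilled, so a key that vault no longer issues
    (for instance a stale aws_session_token) does not survive the merge.
    """
    merged = parse_credentials(existing_text)
    incoming = parse_credentials(new_text)
    for profile in incoming.sections():
        if merged.has_section(profile):
            for key in merged.options(profile):
                merged.remove_option(profile, key)
        else:
            merged.add_section(profile)
        for key, value in incoming.items(profile):
            merged.set(profile, key, value)
    return merged


def credentials_to_text(parser):
    buf = io.StringIO()
    parser.write(buf)
    return buf.getvalue()


def write_credentials(path, parser):
    """Atomically replace `path` with the merged file, keeping it private (0600)."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".credentials.")
    try:
        with os.fdopen(fd, "w") as fh:
            parser.write(fh)
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)  # readers never observe a half-written file
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


if __name__ == "__main__":
    print(credentials_to_text(merge_credentials(EXISTING_CREDENTIALS, NEW_CREDENTIALS)))
```

Note that ConfigParser's special section is the upper-case DEFAULT; the AWS CLI's lower-case [default] profile is an ordinary section to it, which is what lets the example leave it alone.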
Project details
Download files
Source Distribution
Built Distribution
File details
Details for the file vault-aws-login-0.0.4.macosx-10.12-x86_64.tar.gz.
File metadata
- Download URL: vault-aws-login-0.0.4.macosx-10.12-x86_64.tar.gz
- Upload date:
- Size: 7.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.23.0 setuptools/42.0.2 requests-toolbelt/0.9.1 tqdm/4.31.1 CPython/3.7.6
File hashes
Algorithm | Hash digest
---|---
SHA256 | 277879a18d82f5dd175906285611fe8596530f59fa597dcd850989946f0b935e
MD5 | e833b0c45a4b8f5619e52d2d589cf530
BLAKE2b-256 | 35bab10f2f787ceb2c764ab69c66488b007000ed8d92acc67c226e530524cc1b
File details
Details for the file vault_aws_login-0.0.4-py3-none-any.whl.
File metadata
- Download URL: vault_aws_login-0.0.4-py3-none-any.whl
- Upload date:
- Size: 7.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.23.0 setuptools/42.0.2 requests-toolbelt/0.9.1 tqdm/4.31.1 CPython/3.7.6
File hashes
Algorithm | Hash digest
---|---
SHA256 | 2989bdd40e2aaf259265d479ef416fd76a34d73d8e36b8d95ed2b5f512a1975a
MD5 | bf59e491dd1808817577ce692611928d
BLAKE2b-256 | 27d52d8859b0439995ae1cd2ff13bf80374b77d8cb7d6c3254b03dbbbc46bad7