Configuring aws-vault 6.x with a YubiKey on macOS
aws-vault 6.0 beta releases support YubiKey-based MFA through the ykman
utility. You can download aws-vault from https://github.com/99designs/aws-vault/releases
You can get the installation and configuration guide at https://github.com/99designs/aws-vault/blob/master/USAGE.md#using-a-yubikey
The setup guide is quite clear about enabling MFA on the AWS web console. You can also run the aws-iam-create-yubikey-mfa.sh
script referenced in that guide to configure it.
In this blog post, I will write about configuring aws-vault
and give ~/.aws/config
examples.
Scenario: I have 3 different AWS accounts (security, stage and prod). All users are created in the security account, and I have created a role in prod and stage.
The role in prod and stage has a trust relationship with the security account:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CustomRolePolicy",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::12345678(security account):root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Note that this trust policy lets any principal in the security account that is allowed to call sts:AssumeRole assume the role without MFA. aws-vault will prompt for a token because we set mfa_serial in its profile below, but AWS itself only enforces MFA if the trust policy adds a Condition on aws:MultiFactorAuthPresent. For detailed instructions about configuring the role, please check my previous article https://medium.com/faun/step-by-step-aws-iam-assumerole-with-aws-vault-configuration-9d5986373c33
Install ykman
Check https://github.com/Yubico/yubikey-manager#installation for installation on other operating systems.
brew install ykman
Create an aws-vault profile
Create an access key for your user in the AWS security account and run:
$ aws-vault add security
Enter Access Key ID: AKIA..
Enter Secret Access Key:
Added credentials to profile "security" in vault
Let's check ~/.aws/config:
$ cat ~/.aws/config
[profile security]
Configure ~/.aws/config
So far this profile has no configuration parameters. We need two pieces of information.
1. Get the MFA ARN of your user in the security account. You can find it in the Security Credentials
section of your IAM user. My user is iy, so my ARN looks like the one below. Again, we don't have any users in prod and stage.
arn:aws:iam::12345678(security account):mfa/iy
2. Get the ARNs of the roles in the prod and stage accounts
Prod:
role_arn=arn:aws:iam::13232322(prod):role/allow-admin-access-from-securityaccount
Stage:
role_arn=arn:aws:iam::55455454(stage):role/allow-admin-access-from-securityaccount
Now it is time to create two more profiles in ~/.aws/config.
Here is the final part of the file. In aws-vault 6 a profile no longer picks up mfa_serial from its source_profile, so the stage and prod profiles use include_profile
to inherit mfa_serial (and source_profile) from the security profile, and the security profile's source_profile
points at itself so that the inherited source_profile resolves to the security credentials. Before, we were using source_profile in the other profiles to reference the main account profile (the security account in this case). Check https://github.com/99designs/aws-vault/blob/master/USAGE.md#gotchas-with-mfa-config for the details.
[profile security]
region=eu-west-1
mfa_serial=arn:aws:iam::12345678(security account):mfa/iy
# yes, it references itself
source_profile=security

[profile stage]
include_profile=security
role_arn=arn:aws:iam::55455454(stage):role/allow-admin-access-from-securityaccount

[profile prod]
include_profile=security
role_arn=arn:aws:iam::13232322(prod):role/allow-admin-access-from-securityaccount
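The gotcha above is easy to get wrong silently: a role profile that only has source_profile keeps working, it just stops asking for the YubiKey. As an added check (this is my own example, not code from the post or from the aws-vault project), the following Python script parses an ~/.aws/config, resolves include_profile chains and flags every profile with a role_arn that ends up without an mfa_serial or without a usable source_profile. The resolution rule it implements (a profile inherits every key it does not set itself from the included profile, recursively) is my reading of include_profile and is an assumption; the two embedded configs are constructed from the placeholder account IDs used in this post.

```python
"""
Lint ~/.aws/config for the aws-vault 6 MFA gotcha.

Added example for this post; not code from the post or from the aws-vault
project. include_profile resolution is re-implemented as I understand it
(assumption): a profile inherits every key it does not set itself from the
profile named in include_profile, recursively.
"""
import configparser

# Constructed sample: the pre-6 layout, where only source_profile links the
# role profile to the security profile. aws-vault 6 does not pick up
# mfa_serial from there, so the role would be assumed without an MFA token.
OLD_STYLE_CONFIG = """\
[profile security]
region=eu-west-1
mfa_serial=arn:aws:iam::12345678:mfa/iy

[profile stage]
source_profile=security
role_arn=arn:aws:iam::55455454:role/allow-admin-access-from-securityaccount
"""

# Constructed sample: the layout from the post, with include_profile and the
# self-referencing source_profile on the security profile.
NEW_STYLE_CONFIG = """\
[profile security]
region=eu-west-1
mfa_serial=arn:aws:iam::12345678:mfa/iy
source_profile=security

[profile stage]
include_profile=security
role_arn=arn:aws:iam::55455454:role/allow-admin-access-from-securityaccount

[profile prod]
include_profile=security
role_arn=arn:aws:iam::13232322:role/allow-admin-access-from-securityaccount
"""


def load_profiles(text):
    """Parse AWS CLI style INI text into {profile_name: {key: value}}."""
    parser = configparser.ConfigParser(
        interpolation=None, inline_comment_prefixes=("#", ";")
    )
    parser.read_string(text)
    profiles = {}
    for section in parser.sections():
        # "[profile x]" is the CLI convention; "[default]" has no prefix.
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(parser[section])
    return profiles


def effective_profile(profiles, name, seen=None):
    """Merge an include_profile chain; a profile's own keys win over included ones."""
    seen = set() if seen is None else seen
    if name in seen:
        raise ValueError(f"include_profile loop at profile {name!r}")
    seen.add(name)
    own = dict(profiles[name])
    parent = own.pop("include_profile", None)
    if parent is None:
        return own
    merged = effective_profile(profiles, parent, seen)
    merged.update(own)
    return merged


def lint(text):
    """Return (profile, problem) pairs for role profiles that are not MFA-protected."""
    profiles = load_profiles(text)
    problems = []
    for name in profiles:
        eff = effective_profile(profiles, name)
        if "role_arn" not in eff:
            continue  # plain credential profile, nothing to assume
        if "mfa_serial" not in eff:
            problems.append((name, "role_arn without mfa_serial: "
                                   "source_profile alone does not carry it in aws-vault 6"))
        src = eff.get("source_profile")
        if src is None:
            problems.append((name, "role_arn without source_profile: no credentials to assume with"))
        elif src not in profiles:
            problems.append((name, f"source_profile {src!r} is not defined"))
    return problems


if __name__ == "__main__":
    import pathlib
    import sys

    # Lint the file given as first argument, or ~/.aws/config by default.
    path = pathlib.Path(sys.argv[1] if len(sys.argv) > 1 else "~/.aws/config").expanduser()
    for profile, problem in lint(path.read_text()):
        print(f"{profile}: {problem}")
```

Run it as `python3 lint_aws_config.py` after editing ~/.aws/config; an empty output means every role profile resolves to an mfa_serial and a defined source_profile. Against the pre-6 layout it reports the stage profile, against the layout shown above it reports nothing.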
Test
We need to pass the --prompt ykman
parameter to aws-vault
to use the YubiKey. aws-vault asks ykman for the code of the OATH credential named after the mfa_serial ARN, so the credential on the YubiKey must carry exactly that name.
Insert your YubiKey into a USB port and run the following command to list the instances in the prod account. Once you have touched your YubiKey, macOS will ask for credentials to access the keychain.
$ aws-vault exec --prompt ykman prod -- aws ec2 describe-instances
Touch your YubiKey...
{
  "Reservations": [
    {
      "Groups": [],
      "Instances": [
        {
          "AmiLaunchIndex": 0,
          "ImageId": "ami-0d3e6df867a90103b",
          "InstanceId": "i-06ccc5ab3424445",
MFA for AWS Console Access
Before, we had registered the YubiKey in the AWS Console as a U2F device. We switched it to a virtual MFA device to be able to use the YubiKey with aws-vault. This means that to log in to the AWS Console you now need to generate the TOTP code with ykman:
$ ykman oath code arn:aws:iam::12345678(replace with security account id):mfa/iy
Touch your YubiKey...
arn:aws:iam::12345678:mfa/iy 755948
Note that ykman 4.0 and later renamed this subcommand to ykman oath accounts code.
Ismail YENIGUL
DevOps & DevSecOps