Thoughts on AWS Vault config on Windows

I've installed and configured AWS Vault on Windows. In this blog I'll show how to set up MFA, automate token rotation, share AWS Vault with Windows Subsystem for Linux (WSL) and do an ECR login for Docker.

Setup MFA

First, we'll need to add MFA to our profile. Your MFA device ARN can be retrieved as follows:

  1. Open IAM users in AWS Console
  2. Search for your user and open it.
  3. Go to the Security credentials tab.
  4. Copy the Identifier from the Multi-factor authentication (MFA) section.

Open the AWS config file stored at %USERPROFILE%\.aws\config and add your MFA serial to your profile. Win+R (Run): code %USERPROFILE%\.aws\config will also open it.

[profile my_profile]
mfa_serial=arn:aws:iam::123456789012:mfa/myname

Impersonated accounts

To add the MFA to your impersonated profiles, you can add them like this:

[default]
region=eu-west-1
mfa_serial=arn:aws:iam::123456789012:mfa/myname
credential_process=aws-vault exec my_dev --json

[profile my_dev]
role_arn=arn:aws:iam::987654321012:role/PowerUser
source_profile=my_profile

More on the credential process here.
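An added check, not part of the original post: a small Python script that parses a config laid out like the one above (the sample is constructed and uses the same placeholder account ids) and reports role profiles whose source_profile chain never sets mfa_serial, i.e. role assumptions aws-vault would perform without an MFA code.

```python
import configparser
from typing import Dict, List

# Constructed sample mirroring the layout shown above (placeholder accounts).
SAMPLE_CONFIG = """
[default]
region=eu-west-1
mfa_serial=arn:aws:iam::123456789012:mfa/myname
credential_process=aws-vault exec my_dev --json

[profile my_dev]
role_arn=arn:aws:iam::987654321012:role/PowerUser
source_profile=my_profile

[profile my_profile]
mfa_serial=arn:aws:iam::123456789012:mfa/myname

[profile no_mfa_role]
role_arn=arn:aws:iam::987654321012:role/ReadOnly
source_profile=plain
"""


def parse_aws_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {profile_name: options}. Sections are named 'profile X',
    except 'default', which carries no prefix."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    profiles = {}
    for section in cp.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(cp[section])
    return profiles


def mfa_gaps(profiles: Dict[str, Dict[str, str]]) -> List[str]:
    """List role profiles whose credential chain (the profile itself plus
    every source_profile it points at) never declares an mfa_serial."""
    gaps = []
    for name, opts in profiles.items():
        if "role_arn" not in opts:
            continue
        chain, cur, seen = [], name, set()
        # Follow source_profile links; stop on a missing profile or a loop.
        while cur in profiles and cur not in seen:
            seen.add(cur)
            chain.append(profiles[cur])
            cur = profiles[cur].get("source_profile", "")
        if not any("mfa_serial" in p for p in chain):
            gaps.append(name)
    return gaps
```

Run mfa_gaps(parse_aws_config(open(path).read())) against your own ~/.aws/config; an empty list means every role profile is backed by an MFA-protected source.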

Add credentials

You'll need to add your credentials to the vault so they can be used. If you forget the credentials, you can use the same steps to reset them.

  1. Open IAM users in AWS Console
  2. Search for your user and open it.
  3. Go to the Security credentials tab.
  4. Click on the Create access key button in the section Access keys
  5. Add your credentials: aws-vault add my_profile and add your access keys.
  6. (Optional) Check if your keys work by querying your identity: aws-vault --debug exec my_profile -- aws sts get-caller-identity
  7. (Optional) Check if you can rotate using: aws-vault rotate my_profile.
  8. (Optional) Make Powershell the default shell: [Environment]::SetEnvironmentVariable("SHELL", "powershell", "User")

Automate token rotation

I hate it when tokens expire: you need to go into your AWS Console to get a new token, which is just too much hassle. So you need to rotate your token, but I always forget. Let's use the Windows Task Scheduler to remind us to rotate the token. It should be triggered every month on the second Wednesday at 9:45. By triggering it on a second Wednesday it will always be triggered on a workday. My token needs to be rotated every 3 months, so technically I can click it away 3 times.

This script will create that task.

$action = New-ScheduledTaskAction `
	-Execute 'powershell.exe' `
	-Argument '-ExecutionPolicy Bypass -Command "aws-vault rotate my_profile"'
# New-ScheduledTaskTrigger has no monthly option, so this fires every
# Wednesday; a "second Wednesday of the month" schedule has to be set
# in the Task Scheduler UI after the task is registered.
$trigger = New-ScheduledTaskTrigger `
	-Weekly `
	-DaysOfWeek Wednesday `
	-At 9:45AM -WeeksInterval 1
# Run as the logged-on user, not SYSTEM: aws-vault keeps the keys in that
# user's credential store, which a SYSTEM task cannot read, and the rotate
# command needs the same interactive prompts (MFA) as a manual run.
Register-ScheduledTask `
	-TaskName "aws-vault token rotate" `
	-Action $action `
	-Trigger $trigger `
	-User $env:USERNAME `
	-RunLevel Highest -Force

Share AWS with WSL

I need to execute some bash scripts that use account impersonation. I don't want to set up AWS Vault again for Windows Subsystem for Linux (WSL), so let's see how we can link AWS Vault using an alias.

AWS Vault, where art thou?

To locate where AWS Vault is installed on your system, you can execute the following in PowerShell:

Get-Command aws-vault

I installed AWS Vault using Chocolatey, so it is located in the directory C:\ProgramData\chocolatey\bin\aws-vault.exe.

Setup aws-vault alias in WSL

When you open up WSL you'll find out that you can actually run Windows applications from your command-line. In my case this works:

/mnt/c/ProgramData/chocolatey/bin/aws-vault.exe --version

So the only thing we need to do is setup an alias to access the Windows application:

  1. Open WSL (using the wsl command or bash).
  2. Execute nano ~/.bash_profile to open (or create) the Bash profile.
  3. Add the path to AWS Vault on a new line:
    alias aws-vault="/mnt/c/ProgramData/chocolatey/bin/aws-vault.exe"
  4. Save (Ctrl+X, then confirm with Y).
  5. Reload the Bash profile: . ~/.bash_profile
  6. Check if it works by doing: aws-vault --version.

ECR login

Why did I need this? Well, I want to connect AWS Elastic Container Registry (ECR) to Docker. In order to access it, I need to impersonate my dev account and retrieve the login for Docker. My script looks like this:

PowerShell

aws-vault exec my_dev -- `
  aws ecr get-login-password --region eu-west-1 |
  docker login `
    --username AWS `
    --password-stdin 987654321012.dkr.ecr.eu-west-1.amazonaws.com

Bash

aws-vault exec my_dev -- \
  aws ecr get-login-password --region eu-west-1 | \
  docker login \
    --username AWS \
    --password-stdin 987654321012.dkr.ecr.eu-west-1.amazonaws.com

Works like a charm.

Changelog

  • Added sections for ECR login for both PowerShell and bash.
  • Added notes on how to make PowerShell the default shell for AWS Vault.
  • Updated the AWS Console instructions to match what the console now looks like. Switched the section on adding a token around.
  • There is now a script that creates the scheduled task for rotation.
  • Added the (Re)set AWS token section (which is superseded in the latest version of the article by the section on adding a key).
  • Turned the article around a bit and added the Automate Token Rotation.
  • Added the MFA setup. Added PowerShell command for ECR login.
  • Initial article.