Using AWS Credentials With role_arn and mfa_serial in AWS Vault

AWS Vault allows you to securely store and access credentials for AWS. It stores IAM credentials in your operating system's secure keystore and generates temporary credentials from those to expose to your shell and applications. It is designed to complement the AWS CLI tools and is aware of your profiles and configuration in ~/.aws/config.

There are various ways to use AWS credentials with the AWS Java SDK.

Another way of authenticating yourself when making requests to AWS services is to use IAM roles combined with MFA (Multi-Factor Authentication).

AWS Vault is great when working with multiple profiles. If you look at the ~/.aws/ directory, there are two files, credentials and config.

The config file might look something like this:

[default]
region = eu-west-1

[profile project-dev]
region = eu-west-1
role_arn = arn:aws:iam::123456789012:role/developers
mfa_serial = arn:aws:iam::120123456789:mfa/userxyz

You can then run aws-vault exec project-dev, which asks for your MFA token and then drops you into a shell where you can execute AWS commands just as you would with the AWS CLI.
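Because a role profile without mfa_serial lets aws-vault assume the role with no second factor, it is worth checking every ~/.aws/config profile that carries a role_arn. The following audit script is an added example, not part of the original post or of AWS Vault itself; the embedded config text is constructed in the layout shown above (the project-prod profile is an invented, deliberately incomplete one).

```python
import configparser
import re
from typing import Dict, List

# Constructed sample in the layout shown above (not real accounts or users).
SAMPLE_CONFIG = """
[default]
region = eu-west-1

[profile project-dev]
region=eu-west-1
role_arn = arn:aws:iam::123456789012:role/developers
mfa_serial=arn:aws:iam::120123456789:mfa/userxyz

[profile project-prod]
region = eu-west-1
role_arn = arn:aws:iam::123456789012:role/operators
"""

ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
MFA_ARN = re.compile(r"^arn:aws:iam::\d{12}:mfa/[\w+=,.@/-]+$")


def audit_profiles(config_text: str) -> Dict[str, List[str]]:
    """Return {profile_name: [issues]} for every profile that assumes a role."""
    # Only "=" separates keys from values; ":" is part of ARN values.
    parser = configparser.ConfigParser(delimiters=("=",))
    parser.read_string(config_text)
    findings: Dict[str, List[str]] = {}
    for section in parser.sections():
        # ~/.aws/config names non-default profiles as "[profile NAME]".
        name = section[len("profile "):] if section.startswith("profile ") else section
        values = parser[section]
        if "role_arn" not in values:
            continue  # static-key or default profile, no role assumption here
        issues: List[str] = []
        if not ROLE_ARN.match(values["role_arn"].strip()):
            issues.append("role_arn is not a well-formed IAM role ARN")
        mfa = values.get("mfa_serial", "").strip()
        if not mfa:
            issues.append("role_arn without mfa_serial: role can be assumed without MFA")
        elif not MFA_ARN.match(mfa):
            issues.append("mfa_serial is not a well-formed MFA device ARN")
        findings[name] = issues
    return findings
```

Run it against the real file with audit_profiles(open(os.path.expanduser("~/.aws/config")).read()) and treat any non-empty issue list as a profile to fix before handing it to aws-vault exec.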

Suppose you have a test within a Maven project which makes a request to a Lambda function or inserts data into a Kinesis stream, where you would normally run mvn clean test.

Using AWS Vault, you can run aws-vault exec project-dev mvn clean test and that will start executing the tests.

When you are not using AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY but role_arn and mfa_serial in the ~/.aws/config file, aws-vault exec exports the temporary credentials it obtains (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN) as environment variables, so in Java you can use:

import com.amazonaws.auth.EnvironmentVariableCredentialsProvider;
import com.amazonaws.services.kinesis.AmazonKinesis;
import com.amazonaws.services.kinesis.AmazonKinesisClientBuilder;

// Reads AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN from the environment set up by aws-vault exec
AmazonKinesis amazonKinesis = AmazonKinesisClientBuilder
        .standard()
        .withCredentials(new EnvironmentVariableCredentialsProvider())
        .build();
