aws-vault does not need ~/.aws/credentials, but the configuration below is set up so that awscli also works on its own.
Installing
awscli
$ aws --version
aws-cli/2.0.28 Python/3.8.3 Darwin/19.5.0 botocore/2.0.0dev32
aws-vault
99designs/aws-vault#installing (v6 or later is required for SSO support)
$ aws-vault --version
v6.0.0-beta5
cask 'aws-vault-beta' do
version '6.0.0-beta5'
sha256 '9f5d1ff8e38cdf86d0a36c983370a908e672373fb75af53d2f4cecdb49830a02'
url "https://github.com/99designs/aws-vault/releases/download/v#{version}/aws-vault-darwin-amd64.dmg"
name 'aws-vault-beta'
homepage 'https://github.com/99designs/aws-vault'
binary 'aws-vault'
end
IAM User
| | Role not used | Role used |
|---|---|---|
| MFA serial not used | 1.1 | 1.2 |
| MFA serial used | 1.3 | 1.4 |
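As an added example (not from the original page or the aws-vault project), a small shell check that reads an awscli config and reports which cell of the table above each profile falls in. It encodes one caveat that matters for the cases below: awscli itself only honors mfa_serial while assuming a role, so a profile with mfa_serial but no role_arn (cell 1.3) is run by awscli with the user's long-term keys and no MFA prompt, whereas aws-vault prompts for the token. The sample config printed by `sample_config` is constructed for illustration and mirrors the profiles used on this page.

```shell
#!/bin/sh
# Added example: classify each profile in an awscli config file into the
# Role / MFA serial matrix (1.1-1.4, or SSO). Reads the config on stdin:
#   profile_quadrants < ~/.aws/config
profile_quadrants() {
    awk '
    function flush() {
        if (name == "") return
        if (sso)               q = "SSO"
        else if (role && mfa)  q = "1.4"
        else if (role)         q = "1.2"
        else if (mfa)          q = "1.3 (awscli alone ignores mfa_serial without role_arn; use aws-vault or a session token)"
        else                   q = "1.1"
        print name "\t" q
        name = ""; mfa = 0; role = 0; sso = 0
    }
    # A new [profile X] (or [default]) section: report the previous one first.
    /^\[/ {
        flush()
        name = $0
        sub(/^\[profile /, "", name); sub(/^\[/, "", name); sub(/\][ \t]*$/, "", name)
        next
    }
    /^[ \t]*mfa_serial[ \t]*=/    { mfa = 1 }
    /^[ \t]*role_arn[ \t]*=/      { role = 1 }
    /^[ \t]*sso_start_url[ \t]*=/ { sso = 1 }
    END { flush() }
    '
}

# Constructed sample config (not a real account) mirroring sections 1.1-1.4 and SSO.
sample_config() {
    cat <<'EOF'
[profile user1]
[profile poweruser]
mfa_serial = arn:aws:iam::123456789012:mfa/user1
role_arn = arn:aws:iam::123456789012:role/power-access
source_profile = user1
[profile mfa-only]
mfa_serial = arn:aws:iam::123456789012:mfa/user1
[profile Administrator-123456789012]
sso_start_url=https://aws-sso-portal.awsapps.com/start
sso_region=eu-west-1
EOF
}

# Demonstration on the constructed config; replace with `< ~/.aws/config` for real use.
sample_config | profile_quadrants
```

The check only looks at the three keys that decide the cell, so a profile that reaches STS through credential_process or other mechanisms is reported as 1.1.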
Setup
awscli
$ aws configure --profile user1
...
aws-vault
$ aws-vault add user1
...
1.1 Basic usage
# ~/.aws/config
[profile user1]
awscli
$ AWS_PROFILE=user1 aws s3 ls
2020-05-29 12:03:57 aws-sam-cli-managed-default-samclisourcebucket-xxxxxx
...
aws-vault
$ aws-vault exec user1 -- aws s3 ls
2020-05-29 12:03:57 aws-sam-cli-managed-default-samclisourcebucket-xxxxxx
...
1.2 Using an IAM Role
# ~/.aws/config
[profile user1]
[profile poweruser]
role_arn = arn:aws:iam::123456789012:role/power-access
source_profile = user1
awscli
$ AWS_PROFILE=poweruser aws s3 ls
2020-05-29 12:03:57 aws-sam-cli-managed-default-samclisourcebucket-xxxxxx
...
aws-vault
$ aws-vault exec poweruser -- aws s3 ls
2020-05-29 12:03:57 aws-sam-cli-managed-default-samclisourcebucket-xxxxxx
...
1.3 Configuration using only an MFA serial
# ~/.aws/config
[profile user1]
mfa_serial = arn:aws:iam::123456789012:mfa/user1
awscli
$ AWS_PROFILE=user1 aws s3 ls
An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
awscli honors mfa_serial only while assuming a role (role_arn), so with this profile it sends the request with user1's long-term keys and no MFA; if the user's policy requires MFA, the call is denied as above. To use awscli alone here you have to obtain a session token from STS and configure the temporary credentials yourself:
https://aws.amazon.com/jp/premiumsupport/knowledge-center/authenticate-mfa-cli/
aws-vault
$ aws-vault exec user1 -- aws s3 ls
Enter token for arn:aws:iam::123456789012:mfa/user1:
2020-05-29 12:03:57 aws-sam-cli-managed-default-samclisourcebucket-xxxxxx
...
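For the awscli-only path in 1.3, the added example below (not from the original page or the aws-vault project) wraps the knowledge-center procedure linked above: it calls `aws sts get-session-token` with the MFA serial and the current code, then prints `export` lines for the temporary credentials so they can be loaded into the shell with `eval`. Environment credentials take precedence over the profile, so `aws s3 ls` then runs with the MFA-backed session. The profile and device names are the ones used on this page; the credential line used in the demonstration at the end is constructed and not real.

```shell
#!/bin/sh
# Added example: MFA-only (cell 1.3) with plain awscli, no aws-vault.
# Usage: eval "$(mfa_session user1 arn:aws:iam::123456789012:mfa/user1 123456)"
#        aws s3 ls     # now runs with the MFA-backed temporary credentials

# Turn one line of `--output text` from get-session-token (AccessKeyId,
# SecretAccessKey, SessionToken, Expiration, tab-separated) into export lines.
session_exports() {
    set -f                      # no globbing while splitting the fields
    # shellcheck disable=SC2086
    set -- $1
    set +f
    if [ $# -ne 4 ]; then
        echo "session_exports: expected 4 fields from get-session-token, got $#" >&2
        return 1
    fi
    printf 'export AWS_ACCESS_KEY_ID=%s\n'     "$1"
    printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$2"
    printf 'export AWS_SESSION_TOKEN=%s\n'     "$3"
    printf '# session expires at %s\n'         "$4"
}

# Ask STS for a one-hour session bound to the MFA device of the given profile.
# $1 = source profile, $2 = mfa_serial ARN, $3 = current TOTP code
mfa_session() {
    line=$(aws sts get-session-token --profile "$1" \
        --serial-number "$2" --token-code "$3" --duration-seconds 3600 \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
        --output text) || return 1
    session_exports "$line"
}

# Demonstration on a constructed (fake) STS response line, so it runs offline.
session_exports "$(printf 'ASIAEXAMPLEKEY\tEXAMPLEsecret\tEXAMPLEtoken\t2020-05-29T13:03:57Z')"
```

The exported session expires after the hour requested; rerun `mfa_session` with a fresh code when `aws` starts returning ExpiredToken. This is the part aws-vault does for you in the `aws-vault exec` run above.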
1.4 Configuration using an IAM Role and an MFA serial
# ~/.aws/config
[profile user1]
[profile poweruser]
mfa_serial = arn:aws:iam::123456789012:mfa/user1
role_arn = arn:aws:iam::123456789012:role/power-access
source_profile = user1
awscli
$ AWS_PROFILE=poweruser aws s3 ls
Enter MFA code for arn:aws:iam::123456789012:mfa/user1:
2020-05-29 12:03:57 aws-sam-cli-managed-default-samclisourcebucket-xxxxxx
...
aws-vault
$ aws-vault exec poweruser -- aws s3 ls
Enter token for arn:aws:iam::123456789012:mfa/user1:
2020-05-29 12:03:57 aws-sam-cli-managed-default-samclisourcebucket-xxxxxx
...
SSO User
Setup
$ aws configure sso
...
# ~/.aws/config
[profile Administrator-123456789012]
sso_start_url=https://aws-sso-portal.awsapps.com/start
sso_region=eu-west-1
sso_account_id=123456789012
sso_role_name=AWSAdministratorAccess
awscli
$ AWS_PROFILE=Administrator-123456789012 aws sso login
$ AWS_PROFILE=Administrator-123456789012 aws s3 ls
2020-05-29 12:03:57 aws-sam-cli-managed-default-samclisourcebucket-xxxxxx
...
aws-vault
$ aws-vault exec Administrator-123456789012 -- aws s3 ls
Opening the SSO authorization page in your default browser (use Ctrl-C to abort)
2020-05-29 12:03:57 aws-sam-cli-managed-default-samclisourcebucket-xxxxxx
...
References
https://docs.aws.amazon.com/ja_jp/cli/latest/userguide/cli-configure-role.html
https://docs.aws.amazon.com/ja_jp/cli/latest/userguide/cli-configure-sso.html
https://aws.amazon.com/jp/premiumsupport/knowledge-center/authenticate-mfa-cli/