Comments (19)
Key rotation on add makes a lot of sense, and we should absolutely document this feature in the README.
How about a first step of a warning message if a key is older than 30 days? I'm a bit concerned that automatic rotation might run into permissions issues.
from aws-vault.
A message on use of `aws-vault` telling the user that their key is old is a great idea. 30 days seems reasonable, especially when the rotation is so easy to do.
I agree key rotation is good. I'm concerned regarding the user experience, though.
Automatically rotating existing keys would probably end badly; there'll be people out there with keys in aws-vault which are also used in production or by other people. Nagging about key age would be a bad experience for the many people that would just ignore the warning forever. I'm also wondering how we know how old a key is. An extra IAM API call before every aws-vault operation? Track it locally and hope it doesn't get out of sync with reality?
As you mention @damonmaria, rotating after initially adding the key is the most critical time; it's been in a web browser / email / Slack / clipboard etc. Since `aws-vault add` is already a series of interactive prompts, perhaps adding a question there would be the most useful and least breaking-change way forwards:
$ aws-vault add acme-admin
Enter Access Key ID: AKIAIOSFODNN7EXAMPLE
Enter Secret Access Key: bar
Rotate key? (y/N): y
Key rotation: created AKIAIOSFODNN7ROTATED, deleted AKIAIOSFODNN7EXAMPLE.
To rotate key in future, run `aws-vault rotate acme-admin`
Added credentials to profile "acme-admin" in vault
Going beyond that, instead of "Rotate key?" the question could be "Periodically rotate key?" or "Days between automatic key rotation?" but I think that starts getting more complicated; storing the answer per profile, tracking key age, figuring out where to slip the auto rotation into the various aws-vault commands...
I think I agree with @pda. Documenting it in the README and promoting it as best practice is the best first step. Including it in the setup/onboarding both for the important initial rotation and to aid education is a good next one.
After those two steps the risk/reward on building rotation warnings becomes less clear cut. It might be worth deferring a decision on the rotation logic.
I agree with @pda and @joho on this. Either auto-rotation or being bugged with a message to rotate should be opt-in. I suggested daily auto rotation for all keys because it would be easier to implement, but while it would be useful to me it would probably be a bit niche.
Adding a question and more info when enrolling a key is a fine place as it's a fairly rare process. I like the example console from @pda above but would suggest explaining that rotation only works if this is the only place the key is being stored / used. And maybe that warning should come with `aws-vault rotate` as well?
A nice step further during enrollment would be to offer for the user to specify a time period to be bugged about rotation (or not at all). But I understand the reluctance due to the required implementation hurdles there.
I think there is potentially a middle ground. What if we prompted the user during add whether they'd like to rotate, and then whether they wanted to automatically rotate it in future? That way we know the key comes with permissions for IAM and that it's one they don't mind rotating.
$ aws-vault add acme-admin
Enter Access Key ID: AKIAIOSFODNN7EXAMPLE
Enter Secret Access Key: bar
Rotate key? (y/N): y
Key rotation: created AKIAIOSFODNN7ROTATED, deleted AKIAIOSFODNN7EXAMPLE.
Enable automatic key rotation every 24 hours? (y|N): n
To rotate key in future, run `aws-vault rotate acme-admin`
Added credentials to profile "acme-admin" in vault ✅
Also would be great to have `aws-vault rotate --all` be a thing.
@pda btw, that approach would also let us store some metadata in the keychain, so it wouldn't require AWS queries to determine if the key was older.
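The rotation sequence these comments sketch (create a replacement key, record it in the vault together with its creation time, then delete the old key, and use that stored timestamp for the 30-day age warning discussed earlier) as an added Go example. This is not aws-vault's own code: the `IAMKeys` interface, `StoredKey`, `Rotate`, `AgeWarning`, the in-memory `fakeIAM` and every key ID below are constructed for the example; a real implementation would put the AWS SDK's IAM client behind the same interface.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// IAMKeys is a hypothetical, minimal view of the IAM access-key API
// (constructed for this example; not aws-vault's real client).
type IAMKeys interface {
	ListAccessKeyIDs(user string) ([]string, error)
	CreateAccessKey(user string) (id, secret string, err error)
	DeleteAccessKey(user, id string) error
}

// StoredKey is what a vault entry would hold: the credential plus its creation
// time, so key age can be judged locally without an extra IAM round trip.
type StoredKey struct {
	AccessKeyID string
	Secret      string
	CreatedAt   time.Time
}

// MaxKeysPerUser is IAM's limit of two access keys per user. A rotation that
// would need a third key fails at CreateAccessKey, so refuse it up front.
const MaxKeysPerUser = 2

// Rotate replaces cur with a fresh key. persist runs before the old key is
// deleted, so an interruption between the two steps leaves a working key in
// the vault rather than a deleted one.
func Rotate(iam IAMKeys, user string, cur StoredKey, now time.Time, persist func(StoredKey) error) (StoredKey, error) {
	ids, err := iam.ListAccessKeyIDs(user)
	if err != nil {
		return cur, err
	}
	if len(ids) >= MaxKeysPerUser {
		return cur, fmt.Errorf("user %q already has %d access keys; rotation needs a free slot", user, len(ids))
	}
	id, secret, err := iam.CreateAccessKey(user)
	if err != nil {
		return cur, err
	}
	next := StoredKey{AccessKeyID: id, Secret: secret, CreatedAt: now}
	if err := persist(next); err != nil {
		// Could not record the new key: remove it so no orphan is left in IAM.
		_ = iam.DeleteAccessKey(user, id)
		return cur, err
	}
	if err := iam.DeleteAccessKey(user, cur.AccessKeyID); err != nil {
		return next, fmt.Errorf("new key stored but old key %s not deleted: %w", cur.AccessKeyID, err)
	}
	return next, nil
}

// AgeWarning is the "warn if older than N days" check using the locally stored
// CreatedAt; ok is false when the key is past maxAge.
func AgeWarning(k StoredKey, now time.Time, maxAge time.Duration) (msg string, ok bool) {
	age := now.Sub(k.CreatedAt)
	if age <= maxAge {
		return "", true
	}
	return fmt.Sprintf("access key %s is %d days old; run `aws-vault rotate`", k.AccessKeyID, int(age.Hours()/24)), false
}

// fakeIAM is an in-memory stand-in for IAM used only to exercise Rotate.
type fakeIAM struct {
	keys map[string][]string // user -> access key IDs
	seq  int
}

func (f *fakeIAM) ListAccessKeyIDs(user string) ([]string, error) {
	return append([]string(nil), f.keys[user]...), nil
}

func (f *fakeIAM) CreateAccessKey(user string) (string, string, error) {
	if len(f.keys[user]) >= MaxKeysPerUser {
		return "", "", errors.New("LimitExceeded: cannot exceed quota for AccessKeysPerUser")
	}
	f.seq++
	id := fmt.Sprintf("AKIAEXAMPLEFAKE%04d", f.seq) // constructed ID, not a real key
	f.keys[user] = append(f.keys[user], id)
	return id, "constructed-secret", nil
}

func (f *fakeIAM) DeleteAccessKey(user, id string) error {
	for i, k := range f.keys[user] {
		if k == id {
			f.keys[user] = append(f.keys[user][:i], f.keys[user][i+1:]...)
			return nil
		}
	}
	return errors.New("NoSuchEntity")
}

func main() {
	now := time.Date(2020, 1, 31, 0, 0, 0, 0, time.UTC)
	iam := &fakeIAM{keys: map[string][]string{"alice": {"AKIAIOSFODNN7EXAMPLE"}}}
	cur := StoredKey{AccessKeyID: "AKIAIOSFODNN7EXAMPLE", Secret: "bar", CreatedAt: now.AddDate(0, 0, -45)}
	if msg, ok := AgeWarning(cur, now, 30*24*time.Hour); !ok {
		fmt.Println(msg)
	}
	var vault StoredKey
	next, err := Rotate(iam, "alice", cur, now, func(k StoredKey) error { vault = k; return nil })
	fmt.Println(next.AccessKeyID, vault.AccessKeyID, iam.keys["alice"], err)
}
```

Checking the key count before calling CreateAccessKey matters in practice: a user who already holds two keys (for example one shared with a CI system) cannot be rotated this way at all, which is the permissions and shared-key concern raised above made concrete.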
Hi guys,
I installed your tool and I'm playing a bit with it. I have a couple of questions:
- Is scheduled key rotation available now? I've tried to add a new profile and it doesn't ask me to schedule the key rotation every 24 hours or to add a custom time to rotate the keys automatically.
- I've tried to rotate the key manually and it works, but why is it not updating the aws credentials file? If it doesn't update that file, it means that I have to do it manually every time, otherwise I can't use the aws cli or some aws services which require the new keys.
Thanks in advance for your help!
@zar777 there should be no credentials in any file;
that's the whole point of aws-vault, to have it in an encrypted store, not as clear text.
You are misunderstanding how to use this tool.
@zar777 there should be no credentials in any file;
that's the whole point of aws-vault, to have it in an encrypted store, not as clear text. You are misunderstanding how to use this tool.
Ok, thanks for your quick reply.
Anyway, my two questions are still valid (I'm gonna modify my second question, given your answer):
- Is scheduled key rotation available now? I've tried to add a new profile and it doesn't ask me to schedule the key rotation every 24 hours or to add a custom time to rotate the keys automatically.
- How can the aws cli or other aws services which point to the credentials file read the encrypted stored keys from the AWS-VAULT?
Thanks a lot.
@zar777 `aws-vault exec PROFILE -- aws-cli WHATEVER`
Thanks a lot @FernandoMiguel ! Do you know if the automatic keys rotation is available now?
@zar777 I have no idea... just reading the ticket, just like you
Thanks a lot @FernandoMiguel ! Really kind!
@zar777 Automatic key rotation would not be possible unless aws-vault runs as a service or it checks whenever the aws-vault commands are executed and then auto-rotates. Currently it's not available.
Thanks @frezbo !
Any reference to Automatic rotation is making a pretty significant assumption that (a) the user has the appropriate IAM permissions to allow this, and (b) the user has control over their IAM permissions. These are not guaranteed, and cannot be assumed.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.