What does HackerNews think of aws-vault?

A vault for securely storing and accessing AWS credentials in development environments

Language: Go

Adding to existing suggestions.

- About 5, https://github.com/99designs/aws-vault is super handy to keep AWS credentials encrypted.

- Use full-disk encryption as a team policy.

- About 7, it is likely that this is solved by having preview environments so that developers don't need to manage infrastructure manually.

- About 8, 1Password shared vault works nicely for us.

Nice! Do I understand this correctly?

You use aws-vault (https://github.com/99designs/aws-vault) and configure it with IAM and MFA with YubiKeys. You configure e.g. the profile jonsmith.

When you run

aws-vault exec jonsmith -- aws s3 ls

it will ask you, e.g. every hour, to confirm with YubiKeys and cache the key for one hour. After that the temporary keys expire. Can you also store keys different from AWS?

> For example https://github.com/99designs/aws-vault/ supports one-off commands and shell sessions with pre-populated tokens.

I came to recommend aws-vault; it is pretty handy to not store AWS keys in plain text.