I started using aws-vault recently and I'm liking it a lot. Previously I used https://github.com/globality-corp/botoenv. They have a really simple feature that I think would benefit aws-vault users that like having their environment variables set properly. Please give credit to them if it inspires you to do something similar.
botoenv --profile myprofile will echo a bunch export AWS_ALLTHETHINGS lines, and they suggest you execute it like so: $(botoenv --profile myprofile) in order to set the standard awscli environment variables that most/all AWS-integrated utilities can then use.
So in summary I suggest adding an "environment" function (I can't think of a better word), i.e. aws-vault environment [<flags>] <profile> that spits this out:
export AWS_DEFAULT_REGION=us-east-1
export AWS_SESSION_TOKEN=MyToKeN
export AWS_SECRET_ACCESS_KEY=MySecReTKeY
...and so on...
And this is how I would personally use it for example:
bash-3.2$ $(aws-vault environment myprofile)
bash-3.2$ aws s3 ls
mybucket
bash-3.2$ $(aws-vault environment development)
bash-3.2$ aws s3 ls
mydevelopmentbucket
Here is another way to achieve the same thing. It's uglier than my suggestion and you have to go to the beginning of the line to change your profile, if that bothers you
aws-vault exec myprofile -- env | grep ^AWS_ | while read line; do echo export "$line"; done
Glad you are enjoying the tool @seanscottking! aws-vault is a later iteration of https://github.com/pda/aws-keychain which used exactly that approach (3-4 years before botoenv).
Our take is that it's not a good approach from a security perspective because it encourages long-lived shells with credentials in them. If you really want a long lived shell, you can use aws-vault exec myprofile and it will create a subshell for you. My take is that it's a bad habit to get into, you want your credentials as ephemeral and short-lived as possible! Get into the habit of aws-vault exec myprofile -- aws s3 ls, it has the advantage of being really clear what profile you are using for what command and can be copy and pasted cleanly into internal documentation.
I believe you'd need eval "$(aws-vault environment myprofile)" to make your example portable across shell versions btw.
Thank you for your consideration and your detailed response. I'm happy adopting your philosophy of short-lived credentials. I'll get into the habit of prefixing my AWSish utilities with aws-vault exec myprofile.
Thanks again for the awesome app
Most helpful comment
Glad you are enjoying the tool @seanscottking! aws-vault is a later iteration of https://github.com/pda/aws-keychain which used exactly that approach (3-4 years before botoenv).
Our take is that it's not a good approach from a security perspective because it encourages long-lived shells with credentials in them. If you really want a long lived shell, you can use
aws-vault exec myprofileand it will create a subshell for you. My take is that it's a bad habit to get into, you want your credentials as ephemeral and short-lived as possible! Get into the habit ofaws-vault exec myprofile -- aws s3 ls, it has the advantage of being really clear what profile you are using for what command and can be copy and pasted cleanly into internal documentation.I believe you'd need
eval "$(aws-vault environment myprofile)"to make your example portable across shell versions btw.