AWS
CLI Credentials
Log into the AWS console and click the “My Security Credentials” menu item in the top nav (underneath your account name.)
Click the “Create access key” button and then leave this screen open until you get to the next step where we will use these credentials.
Switching Roles
Please follow the instructions found here to switch to the sandbox and other Mobile Posse accounts.
If you want to use the CLI with any of the secondary accounts, you will need to create a user for yourself under each account you wish to use with the CLI.
Once you have followed the instructions above to switch accounts, navigate to the Identity and Access Management (IAM) page. The link can also be found in the Services area.
- Click the Users link in the left navigation bar and then click the Add User button.
- Enter your username. Use the same username as your main AWS account.
- Select Programmatic access to enable CLI authentication and then click Next.
- Select the developers group and then click Next.
- Click Next to skip the Add tags section.
- Click Create user.
You are then presented with your Access key ID and Secret key. Keep this window open and proceed with the AWS Vault setup.
AWS Vault
AWS Vault allows you to securely store multiple AWS credentials for different accounts and move back and forth easily between those accounts.
Installation
Use Homebrew to install AWS Vault:
brew cask install https://raw.githubusercontent.com/Homebrew/homebrew-cask/7e805ba6d2a4899b56ddf60174b54b16863fb1d3/Casks/aws-vault.rb
aws-vault
so the above command installs a specific version that is known to work.
Configuration
Now we’ll create a profile and add the AWS credentials for your account.
aws-vault add sandbox
Enter the credentials you copied from the AWS console.
If this is your first time using aws-vault it will create a secure keychain to store the credentials. Choose a password and hit “OK”.
Use your editor to edit the following file: ~/.aws/config
If this is your first AWS profile it will just be a single line:
[profile sandbox]
We’re going to add several lines to this file so that it reads as follows:
[profile sandbox]
region=us-east-1
[profile mpsandbox]
source_profile=sandbox
region=us-east-1
mfa_serial=arn:aws:iam::185354281374:mfa/sean.schofield
sean.schofield and use the correct AWS account number, which will not be 185354281374 if you are using an account other than mpmobi-sandbox.
The following is a complete list of AWS accounts and account numbers:
Alias | Account Number | Description |
---|---|---|
mplive | 087787827704 | Production account for POC infrastructure (Neptune) |
mobileposse | 112309987251 | Production account for legacy infrastructure (Tobogo, Caledonia, etc.) |
mpmobi | 70632698329 | Production account for current infrastructure (Pistachio, Jarvis, etc.) |
mpmobi-sandbox | 185354281374 | Sandbox account for current infrastructure (Pistachio playground) |
mpmobi-dev | 728944228051 | Development account for current infrastructure (colored envs.) |
mpmobi-qa | 557014525336 | QA account for current infrastructure (out of commission) |
mpmobi-staging | 514704287067 | Staging account for current infrastructure (out of commission) |
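A wrong username or account number in mfa_serial, or a source_profile that points at a profile that does not exist, only shows up later as a failed MFA prompt. The following check is an added example, not part of the original page or of aws-vault; the function name, the sample profiles, the account ID 111122223333 and the user jane.doe are constructed placeholders.

```python
import configparser
import re

# ARN of a virtual MFA device: arn:aws:iam::<12-digit account id>:mfa/<user name>
MFA_ARN = re.compile(r"^arn:aws:iam::(\d{12}):mfa/([\w+=,.@-]+)$")

# Constructed sample in the same layout as the config above (placeholder values).
SAMPLE_CONFIG = """
[profile sandbox]
region=us-east-1

[profile mpsandbox]
source_profile=sandbox
region=us-east-1
mfa_serial=arn:aws:iam::111122223333:mfa/jane.doe

[profile broken]
source_profile=missing
mfa_serial=arn:aws:iam::1111222233:mfa/jane.doe
"""

def lint_aws_config(text, expected_user=None, expected_account=None):
    """Return a list of (profile, problem) tuples for an ~/.aws/config body."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    # Section names are "profile <name>", except a bare "default" section.
    profiles = {s.split(None, 1)[-1]: cfg[s] for s in cfg.sections()}
    problems = []
    for name, opts in profiles.items():
        src = opts.get("source_profile")
        if src is not None and src not in profiles:
            problems.append((name, f"source_profile '{src}' is not defined"))
        serial = opts.get("mfa_serial")
        if serial is None:
            continue
        m = MFA_ARN.match(serial)
        if not m:
            problems.append((name, "mfa_serial is not a valid IAM MFA ARN"))
            continue
        account, user = m.groups()
        if expected_account and account != expected_account:
            problems.append((name, f"mfa_serial account {account} != {expected_account}"))
        if expected_user and user != expected_user:
            problems.append((name, f"mfa_serial user {user} != {expected_user}"))
    return problems

if __name__ == "__main__":
    for profile, problem in lint_aws_config(SAMPLE_CONFIG, expected_user="jane.doe"):
        print(f"{profile}: {problem}")
```

To check your own file, pass the contents of ~/.aws/config as text along with your username and the account number from the table.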
Usage
Now let’s test …
aws-vault exec mpsandbox
Enter your keychain password (sometimes you need to enter twice). You should then be prompted to enter your temporary MFA token.
Once you enter the token you’re all set.
exit to exit the shell and aws-vault exec again to resume with new temporary credentials.
Token Expiration
After a few hours your AWS credentials used inside the aws-vault shell will expire. When you get a message indicating that your token has expired you simply need to exit the shell and restart it again (you will need to enter a new MFA token value from your phone.)
exit
aws-vault exec mpsandbox