aws-vault usage tips

aws-vault is a great tool to help with AWS authentication.

Below are some useful tips around it.

macOS: modify lock timeout of aws-vault keychain

By default aws-vault creates a keychain file at ~/Library/Keychains/aws-vault.keychain-db and sets a 5 minute lock timeout, so you’d have to re-enter the keychain password quite often.

To see current setting: security show-keychain-info $KEYCHAIN_FILE

To drop all locking settings: security set-keychain-settings $KEYCHAIN_FILE

To modify timeout setting: security set-keychain-settings -u -t 86400 $KEYCHAIN_FILE

Note: be careful to specify the keychain file; if you don’t, the command modifies the default keychain, which is usually “login”.
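The three commands above, wrapped so that the keychain file is always passed explicitly and can never fall through to the default “login” keychain. This is an added example, not code from the post or from the aws-vault project: the AWS_VAULT_KEYCHAIN variable, the path checks and the 60 second to 7 day range are this example’s own assumptions; the path default is the one the post gives.

```shell
#!/bin/sh
# Added example, not part of the original post: wrapper around the three
# `security` commands so the aws-vault keychain file is always named explicitly
# and an unset variable or a typo cannot silently change the "login" keychain.
# AWS_VAULT_KEYCHAIN (assumed name) defaults to the path the post gives.
set -eu

AWS_VAULT_KEYCHAIN="${AWS_VAULT_KEYCHAIN:-${HOME:-}/Library/Keychains/aws-vault.keychain-db}"

# Accept only an existing *.keychain-db file that is not the login keychain.
validate_keychain_path() {
    path="${1:-}"
    case "$path" in
        "") return 1 ;;
        */login.keychain-db|login.keychain-db) return 1 ;;
        *.keychain-db) ;;
        *) return 1 ;;
    esac
    [ -f "$path" ]
}

# Echo the timeout if it is a whole number of seconds between 1 minute and 7 days
# (range chosen for this example), otherwise return 1 and echo nothing.
check_timeout() {
    t="${1:-}"
    case "$t" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$t" -ge 60 ] && [ "$t" -le 604800 ] || return 1
    echo "$t"
}

refuse() {
    echo "refusing: '$1' is not an aws-vault keychain file" >&2
    return 1
}

show_lock_settings() {
    validate_keychain_path "$1" || refuse "$1"
    security show-keychain-info "$1"
}

# -u enables the inactivity lock, -t sets the interval in seconds.
set_lock_timeout() {
    secs=$(check_timeout "$2") || { echo "timeout must be 60..604800 seconds" >&2; return 1; }
    validate_keychain_path "$1" || refuse "$1"
    security set-keychain-settings -u -t "$secs" "$1"
}

# No flags at all removes every auto-lock rule; the keychain then stays
# unlocked until it is locked by hand.
disable_auto_lock() {
    validate_keychain_path "$1" || refuse "$1"
    security set-keychain-settings "$1"
}

# Usage: sh keychain-timeout.sh show | set <seconds> | disable
case "${1:-}" in
    show)    show_lock_settings "$AWS_VAULT_KEYCHAIN" ;;
    set)     set_lock_timeout "$AWS_VAULT_KEYCHAIN" "${2:-}" ;;
    disable) disable_auto_lock "$AWS_VAULT_KEYCHAIN" ;;
esac
```

The validation runs before any `security` call, so a wrong argument produces a refusal message rather than a changed login keychain; `disable` is kept as a separate subcommand because leaving the keychain permanently unlocked is a deliberate trade-off, not a timeout value.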

Rotating credentials

When your Access / Secret key pair is about to expire, you can rotate it straight from the terminal without needing to log in to the AWS Console:

aws-vault rotate --no-session <your-email-address>

Note: if your key has already expired this will not work. You will need to manually delete the key from the Security Credentials section of the AWS console, create a new access key / secret key pair, and re-run aws configure with the new key to make it work again.
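Because the rotate command only works while the current key is still accepted by AWS, it is worth checking that first and printing the manual recovery steps from the note when it is not. The script below is an added example, not code from the post or from aws-vault; AWS_VAULT_BIN is an assumed variable that lets the aws-vault command be substituted, and the profile name is whatever you pass in.

```shell
#!/bin/sh
# Added example, not part of the original post: rotate a long-lived access key
# with aws-vault only after confirming the key still works, since
# `aws-vault rotate` cannot replace a key that has already expired.
# AWS_VAULT_BIN is an assumption so the aws-vault command can be substituted.
set -eu

AWS_VAULT_BIN="${AWS_VAULT_BIN:-aws-vault}"

# Returns 0 if the key behind $profile is accepted by STS, 1 otherwise.
# --no-session makes the call with the long-lived key itself, not a temporary session.
key_is_active() {
    profile="$1"
    "$AWS_VAULT_BIN" exec --no-session "$profile" -- aws sts get-caller-identity >/dev/null 2>&1
}

# Echoes one word describing the outcome: "rotated", "expired" (key no longer
# usable, manual recovery needed) or "failed" (rotate itself errored).
# The exit status is 0 only for "rotated".
rotate_profile() {
    profile="$1"
    if ! key_is_active "$profile"; then
        echo "expired"
        cat >&2 <<EOF
Key for '$profile' is not accepted by AWS, so 'aws-vault rotate' cannot replace it.
Manual recovery: delete the key under Security Credentials in the AWS console,
create a new access key / secret key pair, then re-run: aws configure --profile '$profile'
EOF
        return 1
    fi
    if "$AWS_VAULT_BIN" rotate --no-session "$profile" >/dev/null 2>&1; then
        echo "rotated"
        return 0
    fi
    echo "failed"
    return 1
}

# Usage: sh rotate-key.sh --profile <profile-name>
if [ "${1:-}" = "--profile" ] && [ -n "${2:-}" ]; then
    rotate_profile "$2"
fi
```

The pre-check uses `sts get-caller-identity` because it needs no IAM permissions beyond a valid key, so a failure there is a clean signal that the key itself is the problem rather than a missing policy.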