When running aws-vault, you may be prompted to enter your keychain (laptop) password with the option to choose "Allow" or "Always Allow". Choose "Always Allow".

- Log in to AWS for the appropriate account (`aws-account-alias-two`).
- If you haven't already, set up your MFA device.
- Generate access keys for your IAM user and configure the `aws-account-alias-two` profile using the following commands in your terminal:

  ```
  aws-vault add $AWS_PROFILE
  Enter Access Key ID: YOUR_ACCESS_KEY_ID
  Enter Secret Access Key: YOUR_SECRET_ACCESS_KEY
  ```

- Then run the following commands:

  ```
  aws configure --profile $AWS_PROFILE set mfa_serial arn:aws:iam::222222222222:mfa/YOUR_IAM_USER_NAME
  aws configure --profile $AWS_PROFILE set region us-west-2
  aws configure --profile $AWS_PROFILE set output json
  ```

- Test that the aws-vault configuration works by running `aws sts get-caller-identity`. You should get something back like:

  ```json
  {
      "UserId": "AIDAJ3D1XAR4KVEJDBVUG",
      "Account": "222222222222",
      "Arn": "arn:aws:iam::222222222222:user/youruser"
  }
  ```

- Test that you are able to access an AWS service by running `aws s3 ls`. If you get

  ```
  An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
  ```

  the vault session is not MFA'd. Remove your session by running `aws-vault remove -s <account_alias>`, then run `aws s3 ls` again and you should be prompted to enter an MFA token.
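A preflight script, added here as an example rather than taken from the original guide, that encodes the checks in the steps above: it confirms the caller identity belongs to the account named in the profile's `mfa_serial` and recognises the AccessDenied output of a session that was never MFA'd. It assumes `AWS_PROFILE` is set and that the live commands run through `aws-vault exec`; the helper functions take command output as strings so they can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide). Pure helpers operate on
# strings; only run_checks at the bottom talks to the real CLI.

# Extract the 12-digit account id from an MFA serial such as
# arn:aws:iam::222222222222:mfa/YOUR_IAM_USER_NAME (empty if not an MFA ARN).
account_from_mfa_serial() {
  printf '%s\n' "$1" | sed -n 's/^arn:aws:iam::\([0-9]\{12\}\):mfa\/.*$/\1/p'
}

# Pull the "Account" field out of `aws sts get-caller-identity` output
# (works on single-line or pretty-printed JSON, no jq required).
account_from_identity_json() {
  printf '%s\n' "$1" | sed -n 's/.*"Account": *"\([0-9]\{12\}\)".*/\1/p'
}

# Succeeds when the credentials in use belong to the account in mfa_serial,
# i.e. you are not accidentally talking to a different account's profile.
identity_matches_profile() {   # $1 = mfa_serial, $2 = caller identity JSON
  local want have
  want=$(account_from_mfa_serial "$1")
  have=$(account_from_identity_json "$2")
  [ -n "$want" ] && [ "$want" = "$have" ]
}

# Succeeds if CLI stderr carries the AccessDenied signature described in the
# guide for a vault session that has not been MFA'd.
is_unmfa_session_error() {
  case "$1" in
    *"An error occurred (AccessDenied)"*"ListBuckets"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Live check: needs AWS_PROFILE, aws-vault and the aws CLI installed.
run_checks() {
  local serial identity err
  serial=$(aws configure --profile "$AWS_PROFILE" get mfa_serial) || return 1
  identity=$(aws-vault exec "$AWS_PROFILE" -- aws sts get-caller-identity) || return 1
  identity_matches_profile "$serial" "$identity" || { echo "identity/profile account mismatch"; return 1; }
  if ! err=$(aws-vault exec "$AWS_PROFILE" -- aws s3 ls 2>&1 >/dev/null) \
     && is_unmfa_session_error "$err"; then
    echo "session has no MFA; run: aws-vault remove -s $AWS_PROFILE and retry"
    return 1
  fi
  echo "profile $AWS_PROFILE OK"
}
```

Source the file and call `run_checks` after completing the steps above; the helpers can also be used on saved CLI output when debugging a colleague's setup.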