[Solved] aws-vault: Using aws-vault with WSL

My colleagues and I recently started using aws-vault and love it 😃 However, as my development environment is in WSL, I wasn't able to use the wincred backend for aws-vault at first. I'm opening this issue to find out whether there are others like me, wanting to use aws-vault from WSL, and to ask: how are you using aws-vault with WSL? Would you also like to see some official support for using the wincred backend "natively" with aws-vault in WSL?

Here's what I did to get it to work:
I tried running the aws-vault.exe binary from WSL, and that works for all of the sub-commands that I've tried but one. It doesn't work for aws-vault exec, since the command I wish to exec is not available from the executable's point of view (in Windows).

I want to share with you a Python script I wrote together with a colleague. To use it, you put it on your $PATH in WSL along with the aws-vault.exe Windows binary (instead of the real aws-vault Linux binary) and call it as if it were aws-vault. If called with the "exec" sub-command, it will use aws-vault.exe (with support for the wincred backend) to get the environment with AWS credentials and then execute the original command in WSL using that environment. For all other sub-commands it will simply forward the sub-command and all other arguments to aws-vault.exe.

There are some limitations in how it accepts command line arguments. It works if all options (--backend, --prompt etc.) are put before "exec". It might and probably will crash otherwise.

#! /usr/bin/python3.7

import os
import subprocess
import sys

EXEC = "exec"
DOUBLE_DASH = "--"
AWS_VAULT_EXE = "aws-vault.exe"  # Has to be on $PATH in WSL
CMD_EXE = "cmd.exe"

# Ensure AWS Vault environment variables are shared between WSL and Windows
# (WSLENV lists the variables WSL passes across the Linux/Windows boundary)
AWS_VAULT_ENVIRONMENT_VARIABLES = (k for k in os.environ.keys() if k.startswith("AWS_VAULT_"))
WSLENV = os.environ.get("WSLENV")
os.environ["WSLENV"] = ":".join(
    s for s in [WSLENV, *AWS_VAULT_ENVIRONMENT_VARIABLES] if s
)

if EXEC in sys.argv:
    exec_index = sys.argv.index(EXEC)
    # Arguments between "exec" and "--" belong to aws-vault; without "--",
    # assume exactly one argument (the profile name) follows "exec"
    double_dash_index = (
        sys.argv.index(DOUBLE_DASH) if DOUBLE_DASH in sys.argv else exec_index + 2
    )

    # Get AWS_* environment variables using the AWS Vault Windows binary
    win_args = sys.argv[exec_index:double_dash_index]
    win_process = subprocess.run(
        [AWS_VAULT_EXE, *win_args, CMD_EXE, "/C", "set", "AWS_"],
        stdout=subprocess.PIPE,
        cwd="/mnt/c",  # cmd.exe cannot be started from a Linux-only path
        encoding="utf8",
    )
    if win_process.returncode != 0:
        sys.exit(win_process.returncode)
    win_env = win_process.stdout.strip()

    # Make a dict out of the "KEY=value" lines. Split on the first "=" only:
    # values such as a base64 session token may themselves contain "="
    wsl_env = {}
    for line in win_env.splitlines():
        if "=" not in line:
            continue
        k, v = line.split("=", 1)
        wsl_env[k] = v

    # Exec the command with its arguments as is, with AWS_* environment variables set
    wsl_args = sys.argv[double_dash_index + 1 :]
    if not wsl_args:
        sys.exit("aws-vault exec: no command given after --")
    os.execlpe(wsl_args[0], *wsl_args, {**os.environ, **wsl_env})
else:
    # Exec the AWS Vault Windows binary with all arguments as is
    os.execlp(AWS_VAULT_EXE, AWS_VAULT_EXE, *sys.argv[1:])
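The two pieces of the wrapper that are easy to get subtly wrong are the parsing of the `set AWS_` output and the merging of variable names into WSLENV. The block below is an added example, not code from the original post: it isolates both steps into functions that run offline against a constructed sample of cmd.exe output, so the edge cases (CRLF line endings, "=" padding inside a session token, a stray non-AWS line) can be checked without a Windows host. The sample values, the `prefix` parameter and the function names are assumptions of this example.

```python
# Added example (not part of the original post): the parsing steps of the
# WSL/aws-vault.exe wrapper, isolated so they can be exercised offline.
from typing import Dict, Iterable, Optional


def parse_set_output(text: str, prefix: str = "AWS_") -> Dict[str, str]:
    """Turn the output of `cmd.exe /C set AWS_` into a dict.

    - CRLF line endings are handled (cmd.exe writes "\r\n"); the rstrip is a
      defensive extra in case the text was split on "\n" only upstream.
    - Only the first "=" separates key from value: a session token is base64
      and may end in "=" padding, which must survive intact.
    - Lines whose key does not carry the prefix are dropped, so nothing
      unexpected is injected into the WSL process environment.
    """
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.startswith(prefix):
            env[key] = value
    return env


def build_wslenv(existing: Optional[str], names: Iterable[str]) -> str:
    """Append variable names to WSLENV without duplicates, preserving order."""
    parts = [p for p in (existing or "").split(":") if p]
    for name in names:
        if name not in parts:
            parts.append(name)
    return ":".join(parts)


# Constructed sample: the shape cmd.exe prints for `set AWS_` after aws-vault
# has populated the environment. None of these values are real credentials.
SAMPLE_SET_OUTPUT = (
    "AWS_ACCESS_KEY_ID=ASIAEXAMPLEKEYID0000\r\n"
    "AWS_SECRET_ACCESS_KEY=examplesecret/with+slash==\r\n"
    "AWS_SESSION_TOKEN=FwoGZXIvYXdzEBEaDExampleToken==\r\n"
    "AWS_VAULT=staging-admin\r\n"
    "AWS_REGION=eu-west-1\r\n"
)

if __name__ == "__main__":
    # Print keys only; credential values should not land in a terminal scrollback
    for key, value in parse_set_output(SAMPLE_SET_OUTPUT).items():
        print(f"{key}=<{len(value)} chars>")
    print("WSLENV=" + build_wslenv("PATH/l", ["AWS_VAULT_BACKEND", "AWS_VAULT_PROMPT"]))
```

Splitting on the first "=" is the important detail: `"".join(line.split("="))` silently strips the padding from a session token, and the resulting STS credentials are then rejected with a generic "security token ... is invalid" error that gives no hint the wrapper mangled them.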
9 Answers

โœ”๏ธAccepted Answer

I'm glad to see that I'm not the only one who had issues with it 😄
This is how I'm using aws-vault in WSL2 and Ubuntu 20.04.

Short version

# All the commands are executed in a WSL2 terminal

# Download
AWS_VAULT_VERSION="v6.3.1" && \
wget -O aws-vault "https://github.com/99designs/aws-vault/releases/download/${AWS_VAULT_VERSION}/aws-vault-linux-amd64"

# Install
sudo mv aws-vault /usr/local/bin/ && \
sudo chmod +x /usr/local/bin/aws-vault

# Verify
aws-vault --version

# Output:
# v6.3.1

# Install the pass backend and update gnupg, which encrypts passwords
sudo apt-get update && sudo apt-get install -y pass gnupg

# Make sure your terminal window is large enough
# Generate a key with gpg (gnupg)
gpg --gen-key
# Follow the prompts ...

# Create a storage key in pass from the previously generated public (pub) key
MY_PUBLIC_KEY="844E426A53A64C2A916CBD1F522014D5FDBF6E3D"
pass init "$MY_PUBLIC_KEY"

# All set, let's test

# Create an aws-vault profile
MY_PROFILE_NAME="staging-admin"
aws-vault add "$MY_PROFILE_NAME"

# Invoke some command with the AWS CLI using the previously created profile
aws-vault exec staging-admin -- aws s3 ls
# outputs a list of buckets if any

Long Version


All the commands are executed in WSL2.

Download and "install" aws-vault

# Download
AWS_VAULT_VERSION="v6.3.1" && \
wget -O aws-vault "https://github.com/99designs/aws-vault/releases/download/${AWS_VAULT_VERSION}/aws-vault-linux-amd64"

# Install
sudo mv aws-vault /usr/local/bin/ && \
sudo chmod +x /usr/local/bin/aws-vault

# Verify
aws-vault --version

# Output:
# v6.3.1

Install the pass backend for aws-vault. This is where we'll store the encrypted AWS credentials. We also need gnupg (gpg), which is the encryption tool that pass uses to encrypt passwords. gpg is shipped with Ubuntu, but it's best to keep it updated, so I added it to the installation process.

sudo apt-get update && sudo apt-get install -y pass gnupg

Create a storage key with gpg for the pass backend; that key is used for encrypting passwords.

IMPORTANT: Make sure your terminal window is large enough; otherwise, you won't be prompted to set a passphrase, and the whole process will fail.

gpg --gen-key
# Follow the prompts ...

Valid output

public and secret key created and signed.

pub   rsa3072 2021-04-22 [SC] [expires: 2023-04-22]
      844E426A53A64C2A916CBD1F522014D5FDBF6E3D
uid                      Meir Gabay <willy@wonka.com>
sub   rsa3072 2021-04-22 [E] [expires: 2023-04-22]

Initialize a "key-store" for aws-vault with pass, and instruct pass to use the previously created public key to encrypt aws-vault credentials.

NOTE: A public key is used for encryption, and "anyone" can have it; for decryption, you need the private/secret key. This is why it's so important to keep the private key safe.

pass init "844E426A53A64C2A916CBD1F522014D5FDBF6E3D"
# You should be prompted to insert the passphrase that was set during the `gpg --gen-key` process

Valid output

Password store initialized for 844E426A53A64C2A916CBD1F522014D5FDBF6E3D
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: next trustdb check due at 2023-04-22
staging-admin: reencrypting to 24552E67E0372C6C

Luckily, the default "vaulting backend" for Linux is pass, so we can simply add a profile.

aws-vault add staging-admin
Enter Access Key ID: AKIAABCDEFGH12345678
Enter Secret Access Key: 
Added credentials to profile "staging-admin" in vault

Verify

aws-vault exec staging-admin -- aws s3 ls
# buckets list ...

Other Answers:

Thank you @unfor19. I needed just a couple more things to get your solution working for me:

export AWS_VAULT_BACKEND=pass
export GPG_TTY="$( tty )"

which I've also added to my ~/.bashrc.
