Skip to content

SOLVED: use AWS-VAULT with gopass as backend

A very good tool to manage multiple AWS account, especially with SSO enabled is AWS VAULT. Idea is that a session gets securely stored in a backend and (re-)used until it expires. One downside with he default macos keystore as backend is a manual password entry every time the session renews. This is not only annoying, reduces security but even aligns with my security setup. Luckily pass is supported as backend too. But for the but mature version gopass, the following setup has to be applied:

Given we have a gopass setup with two stores:

~/.password-store (default)
~/.password-store-awsvault (vault)

Then config would look like this

export AWS_VAULT_PASS_CMD=gopass
export AWS_VAULT_PASS_PASSWORD_STORE_DIR=~/.password-store-awsvault

This worked writing, but never reading. I didn’t even see aws-vault list calling gopass at all. Looks like the missing vault folder is a problem and aws-vault does a direct directory inspection of AWS_VAULT_PASS_PASSWORD_STORE_DIR. Fix was to hardcode the AWS_VAULT_PASS_PREFIX into a customised script (see below) and to not set the variable. Strictly spoken vault is not a prefix but the name of the store, so it maked sense:

The dedicated aws-vault-pass script:

#!/usr/bin/env bash

ARGS=( "$@" )

 ## ensure password store has 'git config commit.gpgsign false'

if [ "${ARGS[0]}" == "insert" ]
    # echo "- INSERT ------ ${ARGS[@]} --------" 1>&2
    gopass ${ARGS[@]/sessions/aws-vault\/sessions}
elif [ "${ARGS[0]}" == "show" ]
    # echo "- SHOW --------------" 1>&2
    gopass show --password aws-vault/"${ARGS[1]}"
elif [ "${ARGS[0]}" == "rm" ]
    # echo "- RM --------------" 1>&2
    gopass ${ARGS[@]/sessions/aws-vault\/sessions}

and ensure aws-vault pics it up:

export AWS_VAULT_PASS_CMD=aws-vault-pass


Related isssue:

Original issue and comments