Tired of using a password for aws-vault? Want to use that lovely touch pad on your Yubikey? Here is how! (Shamelessly borrowed from this comment by Frederico Araujo). Note, this is not the same as configuring your terminal to use a Yubikey setup to be used as TOTP for AWS-instead of an app!
NOTE: These steps are for use on macOS and should be similar for Linux
-
Remove existing credential from AWS Vault Run only if you already have it setup before:
aws-vault remove myprofile -
set in your bash/fish/zsh env file
AWS_VAULT_BACKEND="pass" -
Log into the AWS Console and remove the previous key for your user and add a new one (good habit to get into!)
-
Setup pass
brew install pass pass init "your-gpg-id"You can get the GPG id from your yubikey with this command:
gpg --card-statusyour ID is the one after sec>. example: 16DFB8F9BCXXXXXX
sec> rsa4096/16DFB8F9BCXXXXXXthen you do pass init 16DFB8F9BCXXXXXX based on the example above
-
Setup AWS-Vault
aws-vault add myprofileIt should use the
passbackend by default if you have set your env properly. Alternatively, you can confirm that it was added using pass by including the flagaws-vault add myprofile --passNow you can just touch the yubikey when you call aws-vault (if you have touch required in your Yubikey settings).