@unfor19
Last active March 13, 2024 19:07
How to run aws-vault on WSL2 Ubuntu 20.04

I'm glad to see that I'm not the only one who had issues with it 😄 This is how I'm using aws-vault in WSL2 and Ubuntu 20.04.

Short version

# All the commands are executed in a WSL2 terminal

# Download
AWS_VAULT_VERSION="v6.3.1" && \
wget -O aws-vault "https://github.com/99designs/aws-vault/releases/download/${AWS_VAULT_VERSION}/aws-vault-linux-amd64"

# Install
sudo mv aws-vault /usr/local/bin/ && \
sudo chmod +x /usr/local/bin/aws-vault

# Verify
aws-vault --version

# Output:
# v6.3.1

# Install the pass backend and update gnupg, which encrypts passwords
sudo apt-get update && sudo apt-get install -y pass gnupg

# Make sure your terminal window is large enough
# Generate a key with gpg (gnupg)
gpg --gen-key
# Follow the prompts ...

# Create a storage key in pass from the previously generated public (pub) key
MY_PUBLIC_KEY="844E426A53A64C2A916CBD1F522014D5FDBF6E3D"
pass init "$MY_PUBLIC_KEY"

# All set, let's test

# Create an aws-vault profile
MY_PROFILE_NAME="staging-admin"
aws-vault add "$MY_PROFILE_NAME"

# Invoke some command with the AWS CLI using the previously created profile
aws-vault exec staging-admin -- aws s3 ls
# outputs a list of buckets if any

Long Version

All the commands are executed in WSL2.

Download and "install" aws-vault

# Download
AWS_VAULT_VERSION="v6.3.1" && \
wget -O aws-vault "https://github.com/99designs/aws-vault/releases/download/${AWS_VAULT_VERSION}/aws-vault-linux-amd64"

# Install
sudo mv aws-vault /usr/local/bin/ && \
sudo chmod +x /usr/local/bin/aws-vault

# Verify
aws-vault --version

# Output:
# v6.3.1
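The download step above fetches the binary with wget and installs it straight into /usr/local/bin, with nothing checking that the file is the one the project published. The following is an added example, not part of the gist, that verifies a downloaded artifact against a sha256sum-style checksum list before it is moved into place. It assumes the release ships a file in the usual `<hash>  <name>` layout (aws-vault releases publish a SHA256SUMS asset alongside the binaries, but confirm that on the release page for the version you pull; the URL in the comment is an assumption, not something the gist states). The fixture directory and its entries are constructed so the check can be exercised offline.

```shell
#!/usr/bin/env sh
# Added example, not part of the gist: check a downloaded aws-vault binary
# against the release's SHA256SUMS file before installing it.
# Assumption: the sums file has the sha256sum layout "<hash>  <name>"
# (or "<hash> *<name>" for binary mode), one artifact per line.

# verify_sha256 FILE SUMS_FILE
#   0 -> FILE's sha256 matches its entry in SUMS_FILE
#   1 -> an entry exists but the hash differs (do not install)
#   2 -> SUMS_FILE has no entry for FILE's basename
verify_sha256() {
  name=$(basename "$1")
  expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$2")
  [ -n "$expected" ] || return 2
  actual=$(sha256sum "$1" | awk '{ print $1 }')
  [ "$actual" = "$expected" ]
}

# make_fixture
#   Creates a throwaway download directory holding a constructed stand-in for
#   the binary and a matching SHA256SUMS, and prints the directory path.
make_fixture() {
  dir=$(mktemp -d)
  printf 'constructed stand-in for aws-vault-linux-amd64\n' > "$dir/aws-vault-linux-amd64"
  hash=$(sha256sum "$dir/aws-vault-linux-amd64" | awk '{ print $1 }')
  # Two constructed entries: the artifact we "downloaded" and a sibling one.
  printf '%s  aws-vault-linux-amd64\n' "$hash" > "$dir/SHA256SUMS"
  printf '%s  aws-vault-darwin-amd64\n' \
    "0000000000000000000000000000000000000000000000000000000000000000" >> "$dir/SHA256SUMS"
  printf '%s\n' "$dir"
}

# Real-world flow mirroring the gist's download step (network required;
# the SHA256SUMS URL is an assumption about the release layout):
#   wget -O SHA256SUMS "https://github.com/99designs/aws-vault/releases/download/${AWS_VAULT_VERSION}/SHA256SUMS"
#   verify_sha256 aws-vault-linux-amd64 SHA256SUMS && sudo mv aws-vault-linux-amd64 /usr/local/bin/aws-vault
```

The three distinct return codes matter in a script: a missing entry (2) usually means you downloaded a differently named artifact than the one listed, while a mismatch (1) means the bytes are not what the release lists, and the binary should not be installed.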

Install the pass backend for aws-vault. This is where we'll store the encrypted AWS credentials. We also need gnupg (gpg), which is the encryption tool that pass uses to encrypt passwords. gpg is shipped with Ubuntu, but it's best to keep it updated, so I added it to the installation process.

sudo apt-get update && sudo apt-get install -y pass gnupg

Create a storage key with gpg for the pass backend; that key is used for encrypting passwords.

IMPORTANT: Make sure your terminal window is large enough; otherwise, you won't be prompted to set a passphrase, and the whole process will fail.

gpg --gen-key
# Follow the prompts ...

Valid output

public and secret key created and signed.

pub   rsa3072 2021-04-22 [SC] [expires: 2023-04-22]
      844E426A53A64C2A916CBD1F522014D5FDBF6E3D
uid                      Meir Gabay <willy@wonka.com>
sub   rsa3072 2021-04-22 [E] [expires: 2023-04-22]

Initialize a "key-store" for aws-vault with pass, and instruct pass to use the previously created public key to encrypt aws-vault credentials.

NOTE: A public key is used for encryption, and "anyone" can have it; for decryption, you need the private/secret key, which is why it's so important to keep the private key safe.

pass init "844E426A53A64C2A916CBD1F522014D5FDBF6E3D"
# You should be prompted to insert the passphrase that was set during the `gpg --gen-key` process

Valid output

Password store initialized for 844E426A53A64C2A916CBD1F522014D5FDBF6E3D
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: next trustdb check due at 2023-04-22
staging-admin: reencrypting to 24552E67E0372C6C
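The steps above have you copy the fingerprint from the `gpg --gen-key` output into `pass init` by hand, and the sample key carries an expiry (2023-04-22). The following is an added example, not part of the gist, that pulls the fingerprint and expiry out of that output, flags an expired primary key, and confirms that the fingerprint pass recorded in its `.gpg-id` file is the same one. The `GPG_OUTPUT` value is the gist's own "Valid output" used as constructed input, so the functions run without gpg installed; the default `.gpg-id` location is pass's standard store path (`~/.password-store/.gpg-id`), which differs if `PASSWORD_STORE_DIR` is set.

```shell
#!/usr/bin/env sh
# Added example, not part of the gist: parse `gpg --gen-key` output for the
# primary key's fingerprint and expiry, and cross-check pass's .gpg-id.
# Constructed input: the sample output shown in the gist.
GPG_OUTPUT='public and secret key created and signed.

pub   rsa3072 2021-04-22 [SC] [expires: 2023-04-22]
      844E426A53A64C2A916CBD1F522014D5FDBF6E3D
uid                      Meir Gabay <willy@wonka.com>
sub   rsa3072 2021-04-22 [E] [expires: 2023-04-22]'

# extract_fingerprint < gpg-output
#   Prints the 40-hex-digit fingerprint printed under the "pub" line; fails
#   with status 1 if no such line is present.
extract_fingerprint() {
  fp=$(grep -E '^[[:space:]]+[0-9A-F]{40}[[:space:]]*$' | head -n 1 | tr -d '[:space:]')
  [ -n "$fp" ] || return 1
  printf '%s\n' "$fp"
}

# extract_expiry < gpg-output
#   Prints the primary key's expiry (YYYY-MM-DD) from the "pub" line, or
#   "never" when the line carries no [expires: ...] field.
extract_expiry() {
  exp=$(grep -E '^pub ' | head -n 1 | sed -n 's/.*\[expires: \([0-9-]*\)\].*/\1/p')
  printf '%s\n' "${exp:-never}"
}

# key_expired EXPIRY [TODAY]
#   0 if EXPIRY (YYYY-MM-DD or "never") is before TODAY (default: current
#   date), 1 otherwise. Dates are compared as YYYYMMDD integers.
key_expired() {
  [ "$1" = "never" ] && return 1
  exp=$(printf '%s' "$1" | tr -d '-')
  today=$(printf '%s' "${2:-$(date +%Y-%m-%d)}" | tr -d '-')
  [ "$exp" -lt "$today" ]
}

# check_store_id FINGERPRINT [GPG_ID_FILE]
#   0 if pass's .gpg-id names FINGERPRINT, 1 if it names something else,
#   2 if the store was never initialised (file missing).
check_store_id() {
  file=${2:-$HOME/.password-store/.gpg-id}
  [ -f "$file" ] || return 2
  stored=$(tr -d '[:space:]' < "$file")
  [ "$stored" = "$1" ]
}

# Usage against a real key ring (gpg writes its report to stderr):
#   gpg --gen-key 2>&1 | tee gen.log
#   fp=$(extract_fingerprint < gen.log) && pass init "$fp"
#   key_expired "$(extract_expiry < gen.log)" && echo "primary key has expired; renew it with gpg --edit-key"
```

Checking expiry is worth automating: gpg refuses to encrypt to an expired key, so once the date passes, `pass` can no longer write new entries and `aws-vault add` fails, and the error surfaces far from its cause.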

Luckily, the default "vaulting backend" for Linux is pass, so we can simply add a profile.

aws-vault add staging-admin
Enter Access Key ID: AKIAABCDEFGH12345678
Enter Secret Access Key: 
Added credentials to profile "staging-admin" in vault

Verify

aws-vault exec staging-admin -- aws s3 ls
# buckets list ...
@ToddBradley

Thank you. This worked perfectly for me.

@out-of-mana

Thank you for documenting the solution so concisely.
