## Alternatives
There are many great existing solutions out there that solve similar problems, and I've tried to learn from them as much as I can. This tool that I've built is definitely not better or more feature-rich than, for example, 99designs/aws-vault in many scenarios: that project has a lot more features, more contributors and has been around for some time. Instead, vegas-credentials aims to do "one thing well": see Design Principles.

The comparison below focuses on the specific use case this tool tries to solve, i.e. providing a nice UX for assuming a role with MFA via `credential_process`, so that as many AWS tools as possible are supported without having to use wrapper scripts.
| Feature/Info | aripalo/vegas-credentials | 99designs/aws-vault | broamski/aws-mfa | meeuw/aws-credential-process |
|---|---|---|---|---|
| Github Stats | | | | |
| `credential_process` with MFA + Assume Role | ✅ | ❌ [*2] | ❌ [*4] | ✅ |
| Automatic Temporary Session Credential Refresh | ✅ | ❌ [*3] | ❌ [*5] | ✅ |
| Yubikey | ✅ ✅ [*1] | ✅ [*1] | ❌ [*6] | ✅ [*10] |
| Cache Encryption | ✅ | ✅ | ❌ [*7] | ✅ |
| Cache Invalidation on config change | ✅ | ✅ ? | ✅ [*8] | ✅ |
| Cached Performance | ⚡️ <100ms [*11] | ⚡️ <50ms | ⚡️ [*9] | 🐢 >400ms [*11] |
| Comprehensively Unit Tested | ✅ | ? | ❌ | ✅ |
| Installation methods | brew, scoop | brew, port, choco, scoop, pacman, pkg, zypper, nix-env, asdf | pip | brew, pip |
Please correct me if I'm wrong above, or if there are any other good alternatives!
### 99designs/aws-vault

1. Yubikey support in `99designs/aws-vault` is not perfect:
   - Using multiple Yubikeys is cumbersome due to having to pass in the Yubikey device serial as an environment variable for each command, whereas this tool allows setting the device serial via configuration per profile (no need to remember the serial for each Yubikey).
   - Uses deprecated `ykman` commands.
   - See also point 2 about `credential_process`, assumed roles and Yubikeys.
2. Does not seem to play well with `credential_process`: At least I haven't figured out how to successfully configure it to use `credential_process`, assume a role, use Yubikey for MFA and to provide temporary session credentials. They themselves claim that "`credential_process` is designed for retrieving master credentials", which is NOT true since this tool does work with temporary credentials via `credential_process` just fine, and even the AWS docs on `credential_process` show `SessionToken` and `Expiration` in the expected output from the credentials program. There's further indication that `99designs/aws-vault` is not designed for `credential_process`:

   > Using credentials_process isn't the way I use aws-vault, it was a contributed addition, so feels like we should emphasise this is not the recommended path.
   >
   > – Michael Tibben, VP Technology, 99designs

3. This pretty much relates to point 1: For AWS tools to automatically request refreshed credentials, the credentials need to be provided either via one of the multiple standard methods or via `credential_process`.
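To make the refresh point concrete, here is an added example (not vegas-credentials' own code, nor aws-vault's) of the contract a `credential_process` program has to honour: it prints one JSON object with `Version`, `AccessKeyId`, `SecretAccessKey`, and, for temporary session credentials, `SessionToken` and `Expiration`; AWS tools re-run the program once `Expiration` has passed, which is what makes refresh automatic. The example also shows two cache checks from the table above: refreshing shortly before expiry and invalidating the cache when the profile configuration changes. The profile settings, the `fetch_fresh` hook and all credential values are constructed placeholders; a real implementation would call `sts:AssumeRole` with an MFA token inside `fetch_fresh`.

```python
"""Illustrative credential_process output and cache-validity logic.

Added example, not code from vegas-credentials. The fetch_fresh hook is an
assumed extension point; it stands in for an STS AssumeRole call with MFA.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional, Tuple

# Refresh a little before the real expiry so that a long-running AWS command
# does not start with credentials that lapse halfway through.
REFRESH_MARGIN = timedelta(minutes=5)


def config_fingerprint(profile_config: dict) -> str:
    """Stable hash of the profile settings that influence the credentials
    (role ARN, MFA serial, duration...). Stored next to the cached entry so
    that a config change invalidates the cache instead of serving stale
    credentials for the old role."""
    canonical = json.dumps(profile_config, sort_keys=True).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def parse_expiration(value: str) -> datetime:
    """Parse an ISO 8601 timestamp such as 2024-01-01T13:00:00Z into an
    aware UTC datetime (the "Z" suffix is not accepted by fromisoformat
    on older Pythons, so it is normalised first)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def cache_is_usable(entry: Optional[dict], fingerprint: str, now: datetime) -> bool:
    """True only if a cached entry exists, was produced for the current
    profile configuration, and stays valid beyond the refresh margin."""
    if entry is None:
        return False
    if entry.get("ConfigFingerprint") != fingerprint:
        return False
    return now + REFRESH_MARGIN < parse_expiration(entry["Expiration"])


def to_credential_process_json(creds: dict) -> str:
    """Render exactly the fields AWS tools read from a credential_process."""
    output = {
        "Version": 1,
        "AccessKeyId": creds["AccessKeyId"],
        "SecretAccessKey": creds["SecretAccessKey"],
        "SessionToken": creds["SessionToken"],
        "Expiration": creds["Expiration"],
    }
    return json.dumps(output)


def resolve_credentials(
    profile_config: dict,
    cache_entry: Optional[dict],
    now: datetime,
    fetch_fresh: Callable[[], dict],
) -> Tuple[dict, bool]:
    """Return (credentials, refreshed). Serves the cache when it is usable,
    otherwise calls fetch_fresh (assumed hook) and tags the result with the
    config fingerprint so the next run can validate it."""
    fingerprint = config_fingerprint(profile_config)
    if cache_is_usable(cache_entry, fingerprint, now):
        return cache_entry, False
    fresh = dict(fetch_fresh(), ConfigFingerprint=fingerprint)
    return fresh, True


if __name__ == "__main__":
    # Constructed sample values; none of these are real credentials.
    profile = {
        "role_arn": "arn:aws:iam::123456789012:role/ExampleRole",  # placeholder
        "mfa_serial": "arn:aws:iam::123456789012:mfa/example",  # placeholder
        "duration_seconds": 3600,
    }
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

    def demo_fetch() -> dict:
        # Stand-in for sts:AssumeRole with an MFA token; constructed output.
        return {
            "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
            "SecretAccessKey": "constructed-secret",
            "SessionToken": "constructed-session-token",
            "Expiration": (now + timedelta(hours=1)).strftime("%Y-%m-%dT%H:%M:%SZ"),
        }

    creds, refreshed = resolve_credentials(profile, None, now, demo_fetch)
    print(to_credential_process_json(creds))  # what an AWS tool would consume
```

The point a configuration like `credential_process = vegas-credentials assume --profile example` relies on is the last function: when the cached entry is still valid, the program answers from cache in milliseconds; when it has expired or the profile changed, the AWS tool's re-invocation triggers a fresh fetch without any wrapper script.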
### broamski/aws-mfa

1. Works differently by writing temporary session credentials into `~/.aws/credentials`, so there is no `credential_process` support at all.
2. If the temporary session credentials written into `~/.aws/credentials` by `broamski/aws-mfa` have expired, AWS tools will fail and you must invoke the `aws-mfa` command manually to fetch new session credentials. There is no (automatic) way for AWS tools to trigger the `aws-mfa` command.
3. You may use a Yubikey, but it requires you to manually copy-paste the value from `ykman` or the Yubikey Manager GUI. No "touch integration".
4. Temporary session credentials are written in plaintext into `~/.aws/credentials`. Besides being available as plaintext, this pollutes the credentials file.
5. Configuration is only provided via flags to the `aws-mfa` CLI command, so each time you execute `aws-mfa` it will use the flags provided. But the gotcha is that, again, you always need to execute `aws-mfa` manually.
6. As temporary session credentials (or "short-term" credentials, as `aws-mfa` calls them) are stored as plaintext in `~/.aws/credentials`, there is no delay, since AWS tools can read them directly from that file.
### meeuw/aws-credential-process

1. Performance: Hyperfine benchmark for retrieving cached temporary session credentials:

   TODO: update