- Matt's Memos
AWS temporary credentials access for teams and organizations
Hot Take Alert
Heya,
Here’s a hot take regarding AWS temporary credentials access for teams and organizations.
aws-vault is definitely a project to avoid nowadays. In the past, I spent lots and lots of time using and evangelizing it, but not now.
It has definitely dropped off in terms of support, but that’s not the biggest problem. Generally aws-vault is very ~/.aws/config file oriented.
I've found that to be an increasingly frustrating way to manage AWS roles, users, SSO, and assumptions when you're supporting an entire team or, worse, an organization.
Now, aws-vault works great on an individual level when people have knowledge of the config file format and what is going on with role assumptions.
However, a lot of application engineers don't understand these, don’t want to, and shouldn’t have to.
Then you end up implementing magic to help them avoid that complexity.
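To make concrete what "knowledge of the config file format and what is going on with role assumptions" actually involves, here is an added example ~/.aws/config of the shape aws-vault reads. It is not from Matt's post or from the aws-vault project; every account ID, role name, profile name and SSO start URL is a placeholder, and the comments describe how aws-vault treats each profile.

```ini
# Added example (not from the post or the aws-vault project): a minimal
# ~/.aws/config as aws-vault consumes it. Account IDs, role names, profile
# names and the SSO start URL are placeholders.

# Long-lived IAM user keys for this profile are stored in aws-vault's keychain
# (via `aws-vault add base`), not in this file. The MFA device is declared here
# so aws-vault can prompt for a code when a role below needs it.
[profile base]
region = us-east-1
mfa_serial = arn:aws:iam::111111111111:mfa/alice

# A role in another account, assumed with base's keys plus an MFA code.
# `aws-vault exec prod-admin -- aws sts get-caller-identity` performs the hop.
[profile prod-admin]
source_profile = base
role_arn = arn:aws:iam::222222222222:role/Admin
region = us-east-1

# A second hop: a role that trusts prod-admin rather than base. Each extra hop
# is one more thing an engineer has to reason about when access fails.
[profile prod-deploy]
source_profile = prod-admin
role_arn = arn:aws:iam::222222222222:role/Deploy

# IAM Identity Center (SSO) profile: no keys in the keychain at all; aws-vault
# runs the browser login and caches the short-lived token it receives.
[profile sso-dev]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_account_id = 333333333333
sso_role_name = DeveloperAccess
region = us-east-1
```

The point this illustrates: to use prod-deploy an engineer has to know that the keys live under base, that an MFA prompt comes from base's mfa_serial, that two STS AssumeRole calls happen in sequence, and that sso-dev follows a completely different flow. That is the knowledge the post says application engineers shouldn't have to carry, and the magic that teams end up building around it is what hides these lines.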
Other options:
Granted seems well liked, but I haven't checked it out.
We use Leapp.cloud with all of our customers and love it for multi-cloud / multi-org temporary creds access.
Happy temporary credentialing!
Matt
PS On a different note, check out Matt Gowie talking a few months ago on Terraform, the Hashicorp relicensing, and platform engineering.