
Using AWS cloudGoat with aws-vault

Open mbunde opened this issue 11 months ago • 4 comments

Is it possible that when setting the profile in CloudGoat, it can reference profiles created in aws-vault? If this is possible, kindly guide the command structure in Linux to achieve the same.

mbunde avatar Mar 06 '24 07:03 mbunde

From quickly looking at aws-vault you would need to export your temporary credentials locally.

Something like this also might work, just set the profile to default or whatever aws-vault uses

aws-vault exec USERNAME -- ./cloudgoat.py create vulnerable_lambda

andrew-aiken avatar Mar 06 '24 14:03 andrew-aiken

It runs perfectly but fails at this during the terraform plan phase

[cloudgoat] terraform init completed with no error code.

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: No valid credential sources found
│
│   with provider["registry.terraform.io/hashicorp/aws"],
│   on provider.tf line 1, in provider "aws":
│    1: provider "aws" {
│
│ Please see https://registry.terraform.io/providers/hashicorp/aws
│ for more information about providing credentials.
│
│ Error: A Profile was specified along with the environment variables "AWS_ACCESS_KEY_ID" and
│ "AWS_SECRET_ACCESS_KEY". The Profile is now used instead of the environment variable credentials.
│

mbunde avatar Mar 07 '24 08:03 mbunde

Ahh, looks like aws-vault does not write to ~/.aws/credentials. What might need to be done is get the temporary credentials and put them in that file so CloudGoat can use the profile from the config file.

Something like this

aws-vault exec USERNAME -- env | grep AWS

vim ~/.aws/credentials
---

[cloudgoat]
aws_access_key_id = ASIA...
aws_secret_access_key = .....
aws_session_token = .........

---

./cloudgoat.py config profile

./cloudgoat.py create vulnerable_lambda

andrew-aiken avatar Mar 07 '24 14:03 andrew-aiken
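
The manual copy step from the last comment can be scripted. This is an added example, not part of the thread and not CloudGoat or aws-vault code: the function name `write_profile` is hypothetical, and it assumes `env` output on stdin contains `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN`. It replaces only the named profile section, refuses to write when a variable is missing, and leaves the file readable by its owner only.

```shell
#!/bin/sh
# Added example: copy temporary credentials from `env` output into one profile
# section of an AWS shared credentials file.
# Usage: aws-vault exec USERNAME -- env | write_profile cloudgoat ~/.aws/credentials
write_profile() (
    profile=$1
    file=$2
    umask 077                                  # subshell only: owner-only files
    tmp=$(mktemp "${file}.XXXXXX") || exit 1   # same directory, so mv is atomic

    # Keep every existing section except the one being replaced.
    if [ -f "$file" ]; then
        awk -v want="[$profile]" '
            /^\[/ { skip = ($0 == want) }
            !skip
        ' "$file" > "$tmp"
    fi

    # Pull the three variables from stdin; values may themselves contain "=".
    awk -F= -v name="$profile" '
        $1 == "AWS_ACCESS_KEY_ID"     { id  = substr($0, length($1) + 2) }
        $1 == "AWS_SECRET_ACCESS_KEY" { key = substr($0, length($1) + 2) }
        $1 == "AWS_SESSION_TOKEN"     { tok = substr($0, length($1) + 2) }
        END {
            if (id == "" || key == "" || tok == "") exit 1
            printf "[%s]\naws_access_key_id = %s\n", name, id
            printf "aws_secret_access_key = %s\naws_session_token = %s\n", key, tok
        }
    ' >> "$tmp" || { rm -f "$tmp"; exit 1; }   # incomplete input: file untouched

    mv "$tmp" "$file"
)

# Constructed sample input (not real credentials), written to a scratch file.
demo_file=$(mktemp)
printf 'AWS_ACCESS_KEY_ID=ASIAEXAMPLE\nAWS_SECRET_ACCESS_KEY=constructed\nAWS_SESSION_TOKEN=constructed==\n' |
    write_profile cloudgoat "$demo_file" && cat "$demo_file"
rm -f "$demo_file"
```

The credentials written this way are temporary, so the function has to be re-run once the session expires.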