aws-vault | securely storing and accessing AWS credentials | Authentication library

1. first aws-vault "GetAuthorizationToken" was caused by an unhealthy, ilformatted ~/.aws/config file. Roles must be specified with the following format--

   [profile xx-xxxx-services-monitoring] role_arn=arn:aws:iam::xxxxxxxxxxxx:role/XXMonitoring source_profile=identity sparent_profile=mfa

   [profile identity]

2. Second part is MFA issue. MFA serial number must match what you configured in your authenticator. (DUO, Authy, Authenticator...) Your ~/.aws/config should have this section--

   [profile mfa] mfa_serial=arn:aws:iam::xxxxxxxxxxxx:mfa/xxxxx.xxxx@xxxxx.com

Option #1 - Try removing aws-reserved/sso.amazonaws.com/ from the role_arn (source)

Option #2 - Use aws-iam-authenticator, the official docs provide a thorough example of how to use SSO and kubectl (kubeconfig)

Had the same error after rotating AWS credentials.
Deleted ~/Library/Keychains/aws-vault.keychain-db and executed aws-vault add default which created a new keychain and aws-vault started working again.

If you are on MacOS, you can probably edit the keychain directly.

That seems to be due to the expected format in yaml file for attribute caBundle. I couldn't find a documented schema for it. But, I found an example https://github.com/kubernetes/kubernetes/issues/61171. The caBundle seems to be taking a single line of string which is base64. I have tested this and it works for me.

It should work if you place entire base64 encoded file in one line and put it against caBundle. Refer to the link posted for an example.

It actually doesn't have anything related to development.

While working with Amazon managed services we can take advantage of IAM roles but that doesn't work when you're doing it from our local environment or from some other Cloud VM like accessing a S3 bucket. It comes handy when you're doing a lot of work with AWS CLI or even writing terraform for your environment. It is just for a precaution so we don't expose or IAM credentials to external world (you will receive an abuse notification from Amazon whenever your keys are compromised). There are many other ways to make sure your keys don't get compromised like before pushing your code to a version control use git-secrets to make sure you don't push any sensitive information.