This repository has been archived by the owner on Apr 2, 2023. It is now read-only.

Easily provide vagrant machines with AWS credentials by faking an EC2 metadata server.

stefansundin/vagrant-ec2-metadata

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

33 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

vagrant-ec2-metadata

The best way to pass AWS credentials to your Vagrant machines.

Install

The plugin only supports Linux guests that have iptables installed.

vagrant plugin install vagrant-ec2-metadata

Then add this to your Vagrantfile:

Vagrant.configure("2") do |config|
  [...]

  # Put these lines above other provisioners that need to use the credentials
  config.ec2_metadata.profile = "default"
  config.ec2_metadata.role_arn = "arn:aws:iam::123456789012:role/ReadOnlyRole"
  config.vm.provision "ec2-metadata", run: "always"

  [...]
end

See the examples for more information.

What

By using this plugin, you can pass credentials through to your VMs without copying or hardcoding credentials into the VM.

It works by faking an EC2 metadata server, which is the same way an EC2 instance with an attached IAM role retrieves its credentials.

The web server that answers these metadata requests must be running whenever you want the VMs to be able to access their credentials. Start it by running:

vagrant ec2-metadata
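To show what the exchange above looks like, here is an added illustration (not the plugin's own code): the guest asks the metadata address for its role's credentials, and the fake server answers with the same document a real EC2 instance would read, refusing to serve anything once it has expired. The paths and document fields are the standard metadata-service ones; the credential values are a constructed placeholder standing in for the temporary credentials the plugin obtains for role_arn.

```ruby
require "json"
require "time"

# Constructed sample standing in for the temporary credentials the plugin would
# obtain for config.ec2_metadata.role_arn (placeholder values, not real keys).
SAMPLE_CREDS = {
  role_name:  "ReadOnlyRole",
  access_key: "ASIAEXAMPLEPLACEHOLDER",
  secret_key: "placeholder-secret",
  token:      "placeholder-session-token",
  expiration: Time.utc(2023, 4, 2, 13, 0, 0), # one hour after issue
}.freeze

# Path an instance with an attached role reads its credentials from.
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"

# Build the JSON document the metadata service returns for a role.
def credential_document(creds, now)
  {
    "Code"            => "Success",
    "LastUpdated"     => now.utc.iso8601,
    "Type"            => "AWS-HMAC",
    "AccessKeyId"     => creds[:access_key],
    "SecretAccessKey" => creds[:secret_key],
    "Token"           => creds[:token],
    "Expiration"      => creds[:expiration].utc.iso8601,
  }
end

# Route a metadata request the way the fake server must: list the role name on
# the directory path, return the credential document on the role path, and
# refuse everything else. Expired credentials are never served, so the guest
# only ever holds a short-lived key. Returns [status, body].
def handle_metadata_request(path, creds, now = Time.now)
  return [404, "not found"] unless path.start_with?(CREDS_PATH)
  return [404, "credentials expired"] if now >= creds[:expiration]
  role = path.delete_prefix(CREDS_PATH)
  return [200, creds[:role_name]] if role.empty?
  return [404, "not found"] unless role == creds[:role_name]
  [200, JSON.generate(credential_document(creds, now))]
end

if __FILE__ == $PROGRAM_NAME
  now = Time.utc(2023, 4, 2, 12, 30, 0)
  puts handle_metadata_request(CREDS_PATH, SAMPLE_CREDS, now).inspect
  puts handle_metadata_request(CREDS_PATH + "ReadOnlyRole", SAMPLE_CREDS, now).last
end
```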

Why?

This plugin provides the following benefits:

  • the VM never gets access to a permanent key; the credentials expire after one hour.
  • you can use a role, which lets you easily give the VM the same permissions your production servers run with, without any changes to the application code.

Other ways of configuring AWS credentials for your VMs are:

  • Hardcoding AWS credentials

    • Why it's bad:
      • you run a high risk of accidentally committing the key to a public source code repository.
      • everyone on your team is using the same key, making auditing harder.
      • it's hard to rotate the key.
  • Using a synced folder like the following:

    config.vm.synced_folder "#{ENV["HOME"]}/.aws", "/home/ubuntu/.aws/"
    • While much better than hardcoding credentials, this is still not great.
    • Why it's bad:
      • you have to link the folder for every user inside the VM.
      • the VM gets access to all of your credentials, when it probably only needs a subset.
      • the VM can modify your .aws files.