SMS Blog
AWS-Vault vs Granted: A Comprehensive Comparison
In the world of AWS credential management, two tools stand out: AWS-Vault (https://github.com/99designs/aws-vault) and Granted (https://www.granted.dev/). Both offer secure ways to manage AWS credentials, but they each have unique features and approaches. In this blog post, we’ll dive deep into a comparison of these two powerful tools, exploring their strengths, weaknesses, and best use cases.
Storage and Security
When it comes to storing and securing your AWS credentials, both AWS-Vault and Granted take similar approaches.
AWS-Vault
AWS-Vault leverages native OS keystores such as macOS Keychain, Windows Credential Manager, and Linux KWallet or Secret Service. It falls back to an encrypted file when the OS keystore is unavailable. The tool encrypts all stored credentials with a master key and keeps temporary credentials separate from long-term ones. AWS-Vault supports different encryption backends and offers MFA token caching for improved user experience.
Granted
Granted also uses OS keystores with a fallback to an encrypted file. It maintains separate credential caches for different session types and comes with built-in credential rotation capabilities. The tool implements secure storage of temporary session tokens.
SSO Support
Single Sign-On (SSO) support is an area where Granted excels.
AWS-Vault
AWS-Vault offers basic AWS SSO support through credential processes. It requires manual configuration for SSO profiles and has limited SSO session management.
Granted
Granted provides first-class AWS SSO support. It offers automatic discovery of available SSO roles and manages SSO session tokens automatically. The tool supports multiple SSO instances and provides a visual interface for SSO role selection. Granted handles SSO session refresh automatically and integrates with AWS SSO permission sets.
User Interface
The user interface is another area where these tools differ significantly.
AWS-Vault
AWS-Vault offers a pure command-line interface with simple, predictable commands. It requires some command memorization and uses standard output formatting. Example commands include:
aws-vault list aws-vault exec <profile> -- aws s3 ls aws-vault login <profile>
Granted
Granted features an interactive terminal user interface with a visual profile selection menu and an active session overview. The command to run most tasks in granted is “assume”. It offers context-aware suggestions and allows launching the AWS console at a specific service or region. The tool leverages native browser functionality for multiple account access. Example commands include:
assume assume <profile> --exec -- aws s3 ls assume -c <profile> -s <service> assume -c <profile> -r <region>
Cross-Account Access
Both tools support cross-account access, but their implementations differ.
AWS-Vault
AWS-Vault supports role assumption across accounts but requires manual configuration in the AWS config file. It is limited to a maximum of one role chain, and each role assumption requires separate configuration.
Granted
Granted offers native support for role chaining and provides a visual role switching interface. It features automatic role discovery across accounts and maintains role assumption history. The tool includes features like role chain visualization and one-click role switching, as well as cross-account search capabilities.
Session Management
Effective session management is crucial for maintaining security, improving user experience, and optimizing workflow efficiency when working with AWS credentials.
AWS-Vault
AWS-Vault requires manual session cleanup and has a fixed session duration limited to 1 hour. It provides environment variable inheritance for child processes. AWS-Vault provides limited visibility into active sessions. You can list the profiles that have active sessions, but detailed information about session duration or expiry is not readily available.
Granted
Granted offers automatic session cleanup and dynamic session duration. It supports a profile registry where it can be kept in a single location and users or teams can use them locally. The tool allows generation of AWS config files from AWS SSO and supports concurrent sessions. It also features automatic session refresh. It provides a comprehensive overview of active sessions. Users can easily view which sessions are currently active, their remaining duration, and other relevant details.
Performance and Efficiency
Let’s compare the performance and efficiency of both tools:
AWS-Vault
AWS-Vault is lightweight and has fast startup times. It has minimal overhead for credential retrieval and is efficient for quick, single-command operations. It efficiently retrieves credentials from the system’s keychain or the encrypted file store. For subsequent operations within the same session, AWS-Vault can reuse the retrieved credentials, reducing the overhead of repeated authentications.
Granted
Granted may have slightly longer startup times due to additional features. However, it is optimized for extended work sessions with multiple profile switches. The tool implements caching mechanisms for improved performance in subsequent operations.
Customization and Extensibility
Both tools offer various levels of customization:
AWS-Vault
AWS-Vault is configurable through AWS config files, providing a familiar interface for AWS users. This allows for fine-tuning of profiles, regions, and role assumptions directly in the config file. The tool supports custom credential helpers, enabling integration with third-party secret management systems or custom authentication flows.
AWS-Vault’s plugin system, while limited, allows for some extension of its core functionality. Users can create plugins to add new commands or modify existing behaviors. For example, a plugin could be developed to integrate with a company’s internal tools or to add custom logging capabilities. One of AWS-Vault’s strengths is its simplicity, which extends to its customization options. While it may not offer as many built-in extensibility features as Granted, its straightforward approach makes it easier for users to understand and modify its behavior.
Granted
Granted offers extensive configuration options, providing users with a high degree of control over the tool’s behavior. It supports a rich set of command-line flags and configuration files, allowing users to customize everything from session durations to UI preferences. The tool supports custom scripts and hooks, enabling users to automate complex workflows or integrate Granted with other tools in their development ecosystem. For instance, users can create pre-assume and post-assume hooks to perform actions before and after assuming a role, such as setting up VPN connections or updating local configurations. Granted features a more flexible plugin architecture for adding new features. This plugin system allows for deeper integration with AWS services and third-party tools. Users can develop plugins to add new commands, modify existing functionality, or even create entirely new interfaces for interacting with AWS resources. One of Granted’s unique features is its ability to generate and manage AWS config files dynamically. This allows for programmatic creation and updating of profiles based on organizational policies or changes in the AWS environment.
Community and Support
The level of community support and available resources can be crucial when choosing a tool for AWS credential management. Both AWS-Vault and Granted have their own ecosystems of support and community engagement, each with unique characteristics.
AWS-Vault
AWS-Vault is an open-source project with an active community. Due to its popularity and long history, AWS-Vault has been the subject of numerous blog posts, tutorials, and video guides created by community members. These resources often provide additional context, use cases, and integration examples that complement the official documentation.
AWS-Vault follows a community-driven release cycle. Updates may not be as frequent as commercially backed tools, but they tend to be stable and well-tested by the community before release.
Granted
Granted is a newer tool with a growing community. It is open-source just as AWS-Vault and is backed by a company (Common Fate), which provides both community and commercial support options. Granted provides comprehensive documentation on its official website. This includes getting started guides, API references, and best practices. The documentation is professionally maintained and regularly updated to reflect new features and improvements. Common Fate’s backing of Granted means that the tool benefits from dedicated development resources. This can lead to more frequent updates and a more structured roadmap for future features.
Use Cases and Scenarios
Let’s explore some specific use cases where each tool might excel:
AWS-Vault
AWS-Vault is ideal for developers who primarily interact with AWS through the command line. Its simple, command-based interface integrates seamlessly with terminal-centric workflows and its straightforward command-line interface makes it excellent for integration into scripts and automated processes. It is well-suited for environments with strict security requirements through its use of native OS keystores for credential storage.
Granted
Granted is excellent for organizations heavily invested in AWS SSO. It is beneficial for users who prefer visual interfaces and interactive sessions. Users who frequently switch between different AWS accounts or roles during their work sessions will appreciate Granted’s interactive interface and session management capabilities.
Integration with CI/CD Pipelines
Integrating AWS credential management tools into Continuous Integration and Continuous Deployment (CI/CD) pipelines is crucial for maintaining security and efficiency in automated workflows. Both AWS-Vault and Granted can be integrated into CI/CD pipelines.
AWS-Vault
AWS-Vault’s CLI-centric design aligns well with most CI/CD environments, which are typically command-line driven. It can inject temporary AWS credentials directly into the environment, which is ideal for CI/CD jobs. It supports non-interactive mode, essential for automated pipeline execution and it’s straightforward syntax of AWS-Vault commands makes it easy to incorporate into pipeline scripts.
Securely storing the master key or credentials for AWS-Vault in the CI/CD environment can be challenging. For pipelines that deploy to multiple AWS accounts, separate AWS-Vault commands may be needed for each account, potentially complicating scripts.
Granted
Granted offers specific features for CI/CD integration and can generate temporary credentials for pipeline use. It provides more streamlined handling of multi-account deployments. It allows for custom session durations, which can be tailored to pipeline needs. Its native SSO support can significantly simplify credential management in SSO environments. Setting up Granted in a CI/CD environment 6may require more initial configuration, especially for AWS SSO integration. Ensuring Granted is installed and updated in CI/CD runners can add complexity to pipeline management. Securing access to the SSO credentials in CI/CD environments remains crucial.
Best Practices and Integration
Both tools have their own set of best practices:
AWS-Vault
For AWS-Vault, it’s recommended to use separate profiles for different roles, implement the shortest feasible session durations, rotate credentials regularly, use MFA whenever possible, and clear sessions when not in use.
Granted
For Granted, best practices include organizing profiles by environment or purpose, utilizing role chaining for least privilege, configuring default session durations, using SSO where available, and maintaining a clean session state.
Both tools offer similar integration capabilities with shells, Docker, and scripts, making them versatile for various workflows.
Future Development and Roadmap
Understanding the future direction of these tools can help in making a long-term decision:
AWS-Vault
AWS-Vault follows community-driven development with a focus on maintaining simplicity and security. There are potential improvements planned in SSO support and session management.
Granted
Granted benefits from company-backed development with a clear roadmap. There are plans for enhanced multi-cloud support and ongoing improvements in UI/UX and advanced features.
Conclusion
In conclusion, both AWS-Vault and Granted are powerful tools for managing AWS credentials securely. AWS-Vault excels in simplicity and security, making it a great choice for users who prefer a straightforward command-line interface and don’t require advanced SSO features.
Granted, on the other hand, offers better support for modern AWS authentication methods. Its interactive interface, advanced SSO support, and robust session management make it an excellent choice for organizations with complex AWS setups or those heavily relying on SSO.
Ultimately, the choice between AWS-Vault and Granted will depend on your specific use cases, organizational requirements, and personal preferences. Consider factors such as your AWS account structure, SSO needs, team size, and preferred workflow when making your decision. Both tools have their strengths, and either can be an excellent addition to your AWS toolkit.