Encrypted credentials for Amazon AWS command line client

In this quick post I will show howto use the password manager „password-store1 to securely store your credentials used by the Amazon Webservices command line client.
aws_cli

The installation for Mac and Linux system is fairly easy:
$ pip install awscli

The credentials are stored as key-value pairs inside a PGP-encrypted file.
Everytime you call the AWS CLI tool, your keys will be decrypted and directly passed to the aws tool.

Use pass to add your keys in the store:
$ pass edit providers/aws

An editor opens. Use the following format:
User: stv0g
Access-Key: AKB3ASJGBS3GOMXK6KPSQ
Secret-Key: vAAABn/PMAksd235gAs/FSshhr42dg2D4EY3

Add the following snippet to your .bashrc:

function aws {
	local PASS=$(pass providers/aws)
	local AWS=$(which aws)
 
	# Start original aws executable with short-lived keys
	AWS_ACCESS_KEY_ID=$(sed -En 's/^Access-Key: (.*)/\1/p' <<< "$PASS") \
	AWS_SECRET_ACCESS_KEY=$(sed -En 's/^Secret-Key: (.*)/\1/p' <<< "$PASS") $AWS $@
}

Then use the cli tool aws as usual:
$ aws iam list-access-keys
{ "AccessKeyMetadata": [ { "UserName": "stv0g", ...

  1. I covered password-store already a few times earlier: Use Yubikey and Password-store for Ansible credentialsWorkshop: Security Token

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.