In this quick post I will show you how to use the password manager “password-store” [1] to securely store the credentials used by the Amazon Web Services command line client.

Installation on Mac and Linux systems is fairly easy:

```bash
pip install awscli
```

The credentials are stored as key-value pairs inside a PGP-encrypted file. Every time you call the AWS CLI tool, your keys will be decrypted and directly passed to the aws tool.
Use pass to add your keys to the store:

```bash
pass edit providers/aws
```

An editor opens. Use the following format:

```
User: stv0g
Access-Key: AKB3ASJGBS3GOMXK6KPSQ
Secret-Key: vAAABn/PMAksd235gAs/FSshhr42dg2D4EY3
```

Add the following snippet to your ~/.bashrc:
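
```bash
function aws {
    local PASS AWS
    # Decrypt the entry; stop if pass/GPG fails instead of running aws without keys
    PASS=$(pass providers/aws) || return
    # type -P searches PATH only, so it finds the real executable, not this function
    AWS=$(type -P aws)

    # Start the original aws executable with the keys set only in its environment
    AWS_ACCESS_KEY_ID=$(sed -En 's/^Access-Key: (.*)/\1/p' <<< "$PASS") \
    AWS_SECRET_ACCESS_KEY=$(sed -En 's/^Secret-Key: (.*)/\1/p' <<< "$PASS") \
    "$AWS" "$@"
}
```
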
Then use the cli tool aws as usual:

```
$ aws iam list-access-keys
{
    "AccessKeyMetadata": [
        {
            "UserName": "stv0g",
            ...
```

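The `sed -n` extraction in the wrapper prints nothing when a line does not match (a missing space after the colon, a renamed field), so `aws` would be started with an empty key. The following is an added example, not code from the original post: the helper names `entry_field` and `run_with_entry` and the sample entry are assumptions, and the helpers parse the entry strictly and refuse to start the command when either key is missing, duplicated or empty.

```bash
# Constructed sample entry in the post's "Name: value" layout (placeholders, not real keys).
SAMPLE_ENTRY='User: example
Access-Key: EXAMPLEACCESSKEYID
Secret-Key: example/placeholder+secret'

# entry_field ENTRY NAME (hypothetical helper): print the value of the single
# "NAME: value" line, or fail if that line is missing, duplicated or empty.
entry_field() {
    local entry name count value
    entry=$(printf '%s\n' "$1" | tr -d '\r')    # tolerate CRLF line endings
    name=$2
    # grep -c exits 1 on zero matches but still prints 0, hence "|| true".
    count=$(printf '%s\n' "$entry" | grep -c "^$name: " || true)
    if [ "$count" -ne 1 ]; then
        echo "entry_field: expected one '$name: ' line, found $count" >&2
        return 1
    fi
    # Capture the value without trailing whitespace; an empty value matches nothing.
    value=$(printf '%s\n' "$entry" |
        sed -n "s/^$name: *\(.*[^[:space:]]\)[[:space:]]*\$/\1/p")
    [ -n "$value" ] || { echo "entry_field: '$name' is empty" >&2; return 1; }
    printf '%s\n' "$value"
}

# run_with_entry ENTRY CMD [ARGS...] (hypothetical helper): run CMD with both
# keys in its environment only, and do not run it at all if parsing fails.
run_with_entry() {
    local entry key secret
    entry=$1
    shift
    key=$(entry_field "$entry" Access-Key) || return 1
    secret=$(entry_field "$entry" Secret-Key) || return 1
    AWS_ACCESS_KEY_ID=$key AWS_SECRET_ACCESS_KEY=$secret "$@"
}

# Wiring into ~/.bashrc in place of the post's function (bash; type -P skips the function):
#   aws() { local e; e=$(pass providers/aws) || return; run_with_entry "$e" "$(type -P aws)" "$@"; }
```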

[1] I have covered password-store a few times before: “Use YubiKey and Password-store for Ansible credentials” and “Workshop: Security Token”.