In this quick post I will show howto use the password manager „password-store„1 to securely store your credentials used by the Amazon Webservices command line client.
The installation for Mac and Linux system is fairly easy:
$ pip install awscli
The credentials are stored as key-value pairs inside a PGP-encrypted file.
Everytime you call the AWS CLI tool, your keys will be decrypted and directly passed to the aws tool.
Use pass to add your keys in the store:
$ pass edit providers/aws
An editor opens. Use the following format:
User: stv0g
Access-Key: AKB3ASJGBS3GOMXK6KPSQ
Secret-Key: vAAABn/PMAksd235gAs/FSshhr42dg2D4EY3
Add the following snippet to your .bashrc:
function aws {
local PASS=$(pass providers/aws)
local AWS=$(which aws)
# Start original aws executable with short-lived keys
AWS_ACCESS_KEY_ID=$(sed -En 's/^Access-Key: (.*)/\1/p' <<< "$PASS") \
AWS_SECRET_ACCESS_KEY=$(sed -En 's/^Secret-Key: (.*)/\1/p' <<< "$PASS") $AWS $@
}
Then use the cli tool aws as usual:
$ aws iam list-access-keys
{ "AccessKeyMetadata": [ { "UserName": "stv0g", ...
- I covered password-store already a few times earlier: Use Yubikey and Password-store for Ansible credentials, Workshop: Security Token