Skip to content

Latest commit

 

History

History
54 lines (40 loc) · 2.48 KB

README.md

File metadata and controls

54 lines (40 loc) · 2.48 KB
Raw

AWS CLI credentials in 1Pass

🔑 Simply store sensitive AWS access keys used by CLI in 1Password

You want to use AWS CLI easily but easiest way is to store raw access keys in .aws/config file and its anti-pattern i think. For some time i try to found solution that will be easy to use and secure. Also it would be great if you dont need any random packages to make it work.

And here it is. AWS native thing that work for exampel with Terraform (official 1Password CLI plugin for AWS is not supported) and you can extend basic profile with another assume roles etc.

Its simple!
For this we are using only two comnponents

  • AWS CLI (with credential_process option)

  • 1Password CLI

  • Sign in with 1Password CLI op signin (sign into workspace where your item is stored)

  • Create bash file for example .aws/credentials-provider.sh and put inside this very simple code.

#!/bin/bash

# Check if the argument with 1Password item is provided
if [ -z "$1" ]; then
  echo "Please provide the name of the 1Pass item."
  exit 1
fi

# Take secret vriables from 1Password via CLI (password or touch id will be required)
access_key=$(op item get "$1" --field "access key id")
secret_access_key=$(op item get "$1" --field "secret access key")

# JSON output needed by AWS CLI
json_output="{\"Version\": 1, \"AccessKeyId\": \"$access_key\", \"SecretAccessKey\": \"$secret_access_key\"}"

# Print the JSON to stdout
echo "$json_output"

And then update your .aws/config file like that

[default]
credential_process = "/Users/my-user/.aws/credentials-provider.sh" "my-1pass-item-name-with-access-key"

# You can add any special params (for example MFA device)
region = eu-west-1
output = json

And thats it! 1Password CLI will get your item named my-main-account-access-key and fileds access key id and secret access key. Super thing is, that there is no cache that means for every request item will be fetched from 1Pass CLI again that means more security for us. 1Pass CLI will automatically check for additional verification and optionally require password/touch id.

Iam using this also with additional profiles that extends default profile via source_profile = default and then iam adding role_arn to connect into different accounts for my company/clients etc. Its good practice to secure bash file and allow only restricted execution!