We all at one time or another will need to use the AWS CLI. My concern with using it locally has always been how the AWS CLI handles credentials.
Let’s take a look:
As you can see, all that happens when I give my AWS Access Key ID and Secret Access Key to aws configure is that a file is created at ~/.aws/credentials with both values saved in plain text (only the region and output format go to ~/.aws/config). Anyone or anything running as my user can read that file. No bueno!
To resolve this, I turned to our trusty open source friend, Summon!
First, I created a secrets.yml file in my user's home directory.

AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are the environment variable names the AWS CLI checks for credentials when it starts up. If they are set, it uses those values as its credentials; only if they are absent does it fall back to ~/.aws for config defaults and the credentials file.

!var aws/access_key_id and !var aws/access_key_secret reference OSX Keychain password items. Since my Summon uses the keyring.py secret provider, I can securely retrieve secret values from my OSX Keychain (Windows Credential Manager and the Linux keyring both work with this same Summon provider). To get them into my OSX Keychain in the first place, I used my own open source project, Conceal.
Finally, I don't want to have to remember to type summon -f ~/secrets.yml aws every time in order to hand the aws-cli process its environment variables; I want that to happen automatically whenever I type aws. Enter the alias command! I added a line to my ~/.zshrc that defines an alias for the aws command:
After restarting my terminal, I can connect without plain-text credentials ever reaching my local filesystem. The two values exist only in the environment of the aws child process, and only for as long as that command takes to execute.
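The setup described above, as an added example that is not the post's own code: a shell function in place of the alias, the secrets.yml the post describes emitted as a heredoc, and two checks a practitioner can run to confirm the claim that nothing persists. It assumes summon is on PATH and the secrets file lives at ~/secrets.yml as in the post; SUMMON_SECRETS_FILE, render_secrets_yml, has_plaintext_aws_keys and env_has_aws_creds are helper names introduced here, and the sample credentials file is constructed from AWS's documented example keys.

```shell
#!/usr/bin/env bash
# Added example for this post, not the original author's code. Assumes the
# post's layout: summon on PATH, ~/secrets.yml mapping the two AWS variables,
# and the wrapper sourced from ~/.zshrc. SUMMON_SECRETS_FILE and the function
# names below are hypothetical helper names introduced for this example.

# The secrets.yml the post describes, in the form summon expects: the key is
# the environment variable the AWS CLI reads, the !var value is the keyring item.
render_secrets_yml() {
  cat <<'EOF'
AWS_ACCESS_KEY_ID: !var aws/access_key_id
AWS_SECRET_ACCESS_KEY: !var aws/access_key_secret
EOF
}

# A function instead of an alias: it works in zsh and bash alike, survives
# quoting, and passes the whole argument list through. summon injects the two
# variables into the aws child process only; nothing is exported into this shell.
SUMMON_SECRETS_FILE="${SUMMON_SECRETS_FILE:-$HOME/secrets.yml}"
aws() {
  if ! command -v summon >/dev/null 2>&1; then
    echo "aws wrapper: summon not found on PATH" >&2
    return 127
  fi
  summon -f "$SUMMON_SECRETS_FILE" aws "$@"
}

# Check 1: does a credentials file still hold long-lived keys in plaintext?
# Returns 0 (true) if it does, 1 if the file is absent or contains no keys.
has_plaintext_aws_keys() {
  local file="${1:-$HOME/.aws/credentials}"
  [ -f "$file" ] || return 1
  grep -Eiq '^[[:space:]]*aws_(access_key_id|secret_access_key)[[:space:]]*=' "$file"
}

# Check 2: did the keys leak into the calling shell's environment? Reads a
# KEY=VALUE listing (e.g. the output of `env`) on stdin; 0 means a leak.
env_has_aws_creds() {
  grep -Eq '^AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN)='
}

# Demo on constructed files in a temp dir so nothing under $HOME is touched.
# The key values are AWS's published example credentials, not real ones.
demo_dir="$(mktemp -d)"
printf '[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\naws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n' \
  > "$demo_dir/credentials_from_aws_configure"
printf '[default]\n# keys removed; the aws wrapper now supplies them via summon\n' \
  > "$demo_dir/credentials_after_cleanup"

for f in credentials_from_aws_configure credentials_after_cleanup; do
  if has_plaintext_aws_keys "$demo_dir/$f"; then
    echo "$f: plaintext keys present"
  else
    echo "$f: no plaintext keys"
  fi
done
env | env_has_aws_creds && echo "shell env carries AWS credentials" || echo "shell env is clean"
rm -rf "$demo_dir"
```

Two caveats worth knowing before relying on this. The alias or function is only consulted for the bare name aws typed in an interactive shell; scripts and tools that invoke the binary by full path bypass it and will fall back to ~/.aws, so delete the old credentials file rather than leaving it beside the new setup. And while the aws process runs, its environment is readable by any process running as the same user (ps e, /proc/<pid>/environ on Linux), so the exposure window is the lifetime of the command, not zero.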
Happy Summoning!