Securely Using AWS CLI Credentials with Summon

We all at one time or another will need to use the AWS CLI. My concern with using it locally has always been how the AWS CLI handles credentials.

Let’s take a look:

As you can see, all that happens when I give my AWS Access Key ID & Secret to aws configure is that a file is created in ~/.aws/credentials with them saved in plain-text. No bueno!

To resolve this, I turned to our trusty open source friend, Summon!

First, I created a secrets.yml file in my user’s home directory.

AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are environment variable names that AWS CLI looks for when it starts up to consume those values first, if they exist. If they don’t exist, it will fallback to looking in ~/.aws for relevant config defaults and credentials.

!var aws/access_key_id and !var aws/access_key_secret are referencing OSX Keychain password items.

Since my Summon uses the secret provider, I can securely retrieve secret values from my OSX Keychain (Windows Credential Manager and Linux Keyring both work with this same Summon provider).

I used my own open source project to easily store them in my OSX Keychain called Conceal.

Finally, I don’t really want to always have to remember to type summon -f ~/secrets.yml aws in order to provide my aws-cli process with the environment variables, I want it to just happen naturally when I type aws… enter the alias command!

I added a line to my ~/.zshrc that includes my new alias for the aws command:

After restarting my terminal, I can now connect without plain-text credentials EVER reaching my local filesystem or persisting ANYWHERE for a longer duration than it takes my aws command to execute.

Happy Summoning!