Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

 
alt

Daniel Nashed

 

Protecting AWS CLI credentials

Daniel Nashed  20 August 2022 12:13:46

Hmmm ... I have been looking for a solution for a while and I was really surprised there is no good solution out there.


Docker for example has credentials helper to protect passwords.

I just found an approach to protect my AWS credentials and this brings up the secure key/value store I started to implement first in Domino and then on Linux level.


Usually your credentials would look like the following -  A simple to read file, which cannot be protected.
I mostly use AWS CL it in a root user context, which has high permissions on the machine anyway -- but there are also ways to protect data from the root account!

Example: .aws/credentials

[default]

aws_access_key_id = XKIAZOXNXRHW7IPXCBBB

aws_secret_access_key = SY7/bI68F9Notess3NGFE/O7G70TdvpuT7wwV9Xi



You can configure AWS CLI to get it's credentials from another program.
Obviously the bash example is not intended to be used in production.
But I will probably extend my secure key/value store project to return AWS credentials in JSON format.

If you have an application, which could safely return data, the configuration would look like this:


Example: .aws/credentials with credentials helper


[profile developer]

credential_process = /local/aws/credentials.sh myaccount


Reference:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html


Secure Key/Value store idea


My vault idea isn't new and I played with remote and local callers.

For remote callers a TLS enabled interface authenticated by IP and secret could make sense

Local callers could be controlled by process calling and other aspects.


Building a secure key/value store would involve storing the data encrypted on disk and the lookup key could be defined in the configuration. And a separate secret could be used to decrypt the blob.


I don't know how much interest would be out there for a generic tool, which might even help us to protect Domino server.ids.

The first version will be probably for my current needs instead of a generic tool.


I have played with OpenSSL encryption APIs some weeks ago.

Using AES 256 for encryption would be a good idea and isn't that difficult to implement -But it would result independency on OpenSSL.


Any feedback about this new idea is really appreciated.

- Would be a generic tool interesting?
- Would you have specific use cases?
- How do you protect your AWS credentials today?


-- Daniel


Links

    Archives


    • [IBM Lotus Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]