Protecting AWS CLI credentials
Daniel Nashed – 20 August 2022 10:13:46
Hmmm ... I have been looking for a solution for a while and I was really surprised there is no good solution out there.
Docker, for example, has credential helpers to protect passwords.
I just found an approach to protect my AWS credentials and this brings up the secure key/value store I started to implement first in Domino and then on Linux level.
Usually your credentials look like the following: a plain-text file that is simple to read and cannot be protected.
I mostly use the AWS CLI in a root user context, which has high permissions on the machine anyway -- but there are also ways to protect data from the root account!
Example: .aws/credentials
[default]
aws_access_key_id = XKIAZOXNXRHW7IPXCBBB
aws_secret_access_key = SY7/bI68F9Notess3NGFE/O7G70TdvpuT7wwV9Xi
You can configure the AWS CLI to get its credentials from another program.
Obviously the bash example is not intended to be used in production.
But I will probably extend my secure key/value store project to return AWS credentials in JSON format.
If you have an application that can safely return the data, the configuration looks like this:
Example: .aws/credentials with credentials helper
[profile developer]
credential_process = /local/aws/credentials.sh myaccount
Reference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html
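As an added illustration (not code from this post), here is a minimal credential_process helper in Python: it is called with the account name from the profile line above, refuses to use a store file that is readable by other users, and prints the JSON document the AWS CLI expects. The store file path and its on-disk JSON layout are assumptions for the example; the encrypted blob described later in the post is not implemented here.

```python
import json
import os
import stat
import sys

# Assumed location of the key/value store (assumption for this example).
STORE_PATH = os.path.expanduser("~/.aws/credential-store.json")

# Constructed sample store used when no file exists: account -> credentials.
# The values are placeholders, not real keys.
SAMPLE_STORE = {
    "myaccount": {
        "AccessKeyId": "AKIAEXAMPLEEXAMPLE01",
        "SecretAccessKey": "constructed/secret/value/not/real",
    }
}


def mode_is_private(mode, file_uid, my_uid):
    """True if the file is owned by us and has no group/other permission bits."""
    return file_uid == my_uid and (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def load_store(path=STORE_PATH):
    """Load the store file, but only if it is private to the calling user."""
    st = os.stat(path)
    if not mode_is_private(st.st_mode, st.st_uid, os.getuid()):
        raise PermissionError("%s must be mode 0600 and owned by you" % path)
    with open(path) as fh:
        return json.load(fh)


def credential_process_output(creds, expiration=None):
    """Build the document the CLI expects: Version must be 1; SessionToken and
    Expiration are optional (after Expiration the CLI calls the helper again)."""
    out = {"Version": 1, "AccessKeyId": creds["AccessKeyId"],
           "SecretAccessKey": creds["SecretAccessKey"]}
    if "SessionToken" in creds:
        out["SessionToken"] = creds["SessionToken"]
    if expiration:
        out["Expiration"] = expiration  # ISO 8601 timestamp
    return out


def lookup(account, store=SAMPLE_STORE):
    creds = store.get(account)
    if creds is None:
        raise KeyError("unknown account: %s" % account)
    return credential_process_output(creds)


def render(account, store=SAMPLE_STORE):
    return json.dumps(lookup(account, store))


if __name__ == "__main__":
    store = load_store() if os.path.exists(STORE_PATH) else SAMPLE_STORE
    print(render(sys.argv[1], store))  # credential_process reads stdout
```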
Secure Key/Value store idea
My vault idea isn't new and I played with remote and local callers.
For remote callers, a TLS-enabled interface authenticated by IP address and a shared secret could make sense.
Local callers could be controlled by checking the calling process and other aspects.
Building a secure key/value store would involve storing the data encrypted on disk; the lookup key could be defined in the configuration, and a separate secret could be used to decrypt the blob.
I don't know how much interest would be out there for a generic tool, which might even help us to protect Domino server.ids.
The first version will probably cover my current needs rather than being a generic tool.
I have played with OpenSSL encryption APIs some weeks ago.
Using AES-256 for encryption would be a good idea and isn't that difficult to implement -- but it would result in a dependency on OpenSSL.
Any feedback about this new idea is really appreciated.
- Would a generic tool be interesting?
- Would you have specific use cases?
- How do you protect your AWS credentials today?
-- Daniel