Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed

Protecting AWS CLI credentials

Daniel Nashed – 20 August 2022 10:13:46

Hmmm ... I have been looking for a solution for a while, and I was really surprised that there is no good solution out there.

Docker, for example, has credential helpers to protect passwords.

I just found an approach to protect my AWS credentials, and it brings up the secure key/value store I started to implement first in Domino and then at the Linux level.

Usually your credentials would look like the following: a file that is simple to read and cannot be protected.
I mostly use the AWS CLI in a root user context, which has high permissions on the machine anyway -- but there are also ways to protect data from the root account!

Example: .aws/credentials

aws_access_key_id = XKIAZOXNXRHW7IPXCBBB
aws_secret_access_key = SY7/bI68F9Notess3NGFE/O7G70TdvpuT7wwV9Xi

You can configure the AWS CLI to get its credentials from another program.
Obviously the bash example is not intended to be used in production.
But I will probably extend my secure key/value store project to return AWS credentials in JSON format.

If you have an application that can safely return the data, the configuration would look like this:

Example: .aws/credentials with credential helper

[profile developer]
credential_process = /local/aws/ myaccount
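As an added example (not code from the post or from Nash!Com), here is a minimal credential_process helper in Go that shows the contract the AWS CLI expects from "another program": it prints a JSON document with Version 1 on stdout and exits non-zero on any failure, so a broken helper never yields usable credentials. The secret file path, its "key = value" layout (the same layout as the credentials file above) and the 0600 requirement are assumptions for this example; the encrypted backend is a separate question.

```go
package main

// Added example, not from the post: a minimal credential_process helper
// that shows the contract the AWS CLI expects from "another program":
// print a JSON document with Version 1 on stdout and exit non-zero on any
// failure. Assumptions (hypothetical): the secret lives in a file given as
// the first argument, which must be mode 0600, holding two lines
// "aws_access_key_id = ..." and "aws_secret_access_key = ...".

import (
	"bufio"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
)

// Credentials is the JSON the CLI parses; SessionToken and Expiration are
// optional and omitted here for long-lived keys.
type Credentials struct {
	Version         int    `json:"Version"`
	AccessKeyId     string `json:"AccessKeyId"`
	SecretAccessKey string `json:"SecretAccessKey"`
}

// ParseCredentialLines reads "key = value" lines (section headers and
// comments are skipped) and requires both AWS keys to be present.
func ParseCredentialLines(lines []string) (Credentials, error) {
	kv := map[string]string{}
	for _, line := range lines {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, "[") {
			continue
		}
		parts := strings.SplitN(line, "=", 2)
		if len(parts) != 2 {
			return Credentials{}, fmt.Errorf("malformed line %q", line)
		}
		kv[strings.TrimSpace(parts[0])] = strings.TrimSpace(parts[1])
	}
	c := Credentials{
		Version:         1,
		AccessKeyId:     kv["aws_access_key_id"],
		SecretAccessKey: kv["aws_secret_access_key"],
	}
	if c.AccessKeyId == "" || c.SecretAccessKey == "" {
		return Credentials{}, errors.New("missing aws_access_key_id or aws_secret_access_key")
	}
	return c, nil
}

// CheckPrivate refuses a secret file that group or other can read.
func CheckPrivate(mode os.FileMode) error {
	if mode.Perm()&0o077 != 0 {
		return fmt.Errorf("mode %04o allows group/other access; expected 0600", mode.Perm())
	}
	return nil
}

// Wired up as: credential_process = /local/aws/cred-helper /root/.aws/myaccount.secret
func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: cred-helper <secretfile>")
		os.Exit(2)
	}
	f, err := os.Open(os.Args[1])
	if err != nil {
		fail(err)
	}
	defer f.Close()
	// Stat the open descriptor, not the path, so the checked file is the one read.
	info, err := f.Stat()
	if err == nil {
		err = CheckPrivate(info.Mode())
	}
	if err != nil {
		fail(err)
	}
	var lines []string
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		lines = append(lines, sc.Text())
	}
	c, err := ParseCredentialLines(lines)
	if err != nil {
		fail(err)
	}
	out, _ := json.Marshal(c)
	fmt.Println(string(out)) // the CLI reads exactly this from stdout
}

func fail(err error) {
	fmt.Fprintln(os.Stderr, "cred-helper:", err)
	os.Exit(1) // any non-zero exit makes the CLI treat the profile as unusable
}
```

Anything the helper writes to stdout other than the JSON document breaks the CLI, so diagnostics go to stderr only.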


Secure Key/Value store idea

My vault idea isn't new, and I have played with remote and local callers.

For remote callers, a TLS-enabled interface authenticated by IP and secret could make sense.

Local callers could be controlled by the calling process and other aspects.

Building a secure key/value store would involve storing the data encrypted on disk; the lookup key could be defined in the configuration, and a separate secret could be used to decrypt the blob.

I don't know how much interest there would be in a generic tool, which might even help us protect Domino server.ids.

The first version will probably be for my current needs rather than a generic tool.

I have played with OpenSSL encryption APIs some weeks ago.

Using AES-256 for encryption would be a good idea and isn't that difficult to implement, but it would result in a dependency on OpenSSL.
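To make the store idea concrete, here is an added example (my own illustration, not the author's code or the planned tool) of the three ingredients above in Go: data encrypted on disk, a lookup name defined by the caller, and a separate secret that decrypts the blob. It assumes AES-256-GCM from Go's standard library in place of OpenSSL, a random 32-byte key supplied by the caller (for instance read from its own 0600 file), and a JSON store mapping lookup name to hex(nonce || ciphertext); all names are hypothetical.

```go
package main

// Added example, not the author's code: a small encrypted key/value store in
// the spirit of the post. Assumptions not from the post: AES-256-GCM from
// Go's standard library in place of OpenSSL; the separate secret is a random
// 32-byte key the caller supplies (e.g. read from its own mode-0600 file);
// the store is a JSON map from lookup name to hex(nonce || ciphertext).
// All names here are hypothetical.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"os"
)

// Vault is the store: lookup name -> hex(nonce || ciphertext), plus the AEAD
// built from the separate secret, which is never written to the store file.
type Vault struct {
	Entries map[string]string `json:"entries"`
	aead    cipher.AEAD
}

// OpenVault binds a 32-byte key to an entry map (nil starts an empty store).
func OpenVault(key []byte, entries map[string]string) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if entries == nil {
		entries = map[string]string{}
	}
	return &Vault{Entries: entries, aead: aead}, nil
}

// Put encrypts value under name with a fresh random nonce; the name is bound
// as additional authenticated data, so a blob cannot be relabelled.
func (v *Vault) Put(name string, value []byte) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := v.aead.Seal(nil, nonce, value, []byte(name))
	v.Entries[name] = hex.EncodeToString(append(nonce, ct...))
	return nil
}

// Get decrypts the blob under name; a wrong key, a tampered blob or an entry
// copied from another name all fail the GCM tag check and return an error.
func (v *Vault) Get(name string) ([]byte, error) {
	raw, ok := v.Entries[name]
	if !ok {
		return nil, fmt.Errorf("no entry for %q", name)
	}
	data, err := hex.DecodeString(raw)
	ns := v.aead.NonceSize()
	if err != nil || len(data) < ns {
		return nil, errors.New("malformed blob")
	}
	return v.aead.Open(nil, data[:ns], data[ns:], []byte(name))
}

// Marshal serialises only the ciphertext map; the key never goes to disk.
func (v *Vault) Marshal() ([]byte, error) { return json.MarshalIndent(v, "", "  ") }

// main: round trip with a constructed key and a constructed secret value.
func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	v, _ := OpenVault(key, nil)
	_ = v.Put("myaccount/aws_secret_access_key", []byte("constructed-secret-value"))
	blob, _ := v.Marshal()
	fmt.Println(string(blob)) // what would be stored on disk
	// Reopen from the serialised form with the same key and read the value back.
	var stored Vault
	_ = json.Unmarshal(blob, &stored)
	v2, _ := OpenVault(key, stored.Entries)
	val, err := v2.Get("myaccount/aws_secret_access_key")
	fmt.Println(string(val), err)
}
```

Binding the lookup name as associated data is the detail worth keeping whatever the implementation language: without it, anyone who can edit the store file could copy the blob for one account under another account's name and have it decrypt cleanly.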

Any feedback about this new idea is really appreciated.

- Would a generic tool be interesting?
- Would you have specific use cases?
- How do you protect your AWS credentials today?

-- Daniel


