
AWS CLI - How do I encrypt the credentials

When using aws configure, the credentials are stored on my workstation in clear text. This is a HUGE security violation. I tried opening an issue at the aws cli github and it was summarily closed. I am using Terraform AND the aws cli directly, so a work-around needs to support this.

Example:

[MyProfile]
aws_access_key_id = xxxxxxxxxxxxxxx
aws_secret_access_key = yyyyyyyyyyyyyyyyyy
region=us-east-2
output=json

I came across this link a while back and thought it was excellent in explaining all the different options that you can try to solve the problem that you described above.

https://ben11kehoe.medium.com/never-put-aws-temporary-credentials-in-env-vars-or-credentials-files-theres-a-better-way-25ec45b4d73e

This is the simplest work-around I could find. References:

https://devblogs.microsoft.com/powershell/secretmanagement-and-secretstore-are-generally-available/

https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.secretmanagement/?view=ps-modules

The following PowerShell creates an encrypted vault.

#This will destroy existing AWS vault
#The Vault will be set accessible to the current User with no password.
#When AWS CLI invokes this there is no way to request a password.

Install-Module Microsoft.PowerShell.SecretManagement
Install-Module Microsoft.PowerShell.SecretStore

Set-SecretStoreConfiguration -Authentication None -Scope CurrentUser -Interaction None

Register-SecretVault -Name "AWS" -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault -AllowClobber

Set-Secret -Vault "AWS" -Name "test" -Secret "test" 

Get-SecretVault

Write-Host "Vault Created"

This PowerShell script can create the secret. Notice it is possible to expire the secret.

# Use a dedicated variable name: $profile would shadow PowerShell's automatic $PROFILE variable.
$profileName = Read-Host -Prompt "Enter AWS Account Number"
$aws_access_key_id = Read-Host -Prompt "Enter AWS access key"
$aws_secret_access_key = Read-Host -Prompt "Enter AWS secret access key"

# Shape of the JSON document the AWS CLI expects from a credential_process.
$secretIn = @{
  Version=1;
  AccessKeyId= $aws_access_key_id;
  SecretAccessKey=$aws_secret_access_key;
  SessionToken= $null; #"the AWS session token for temporary credentials";
  #Expiration="ISO8601 timestamp when the credentials expire";
}

$secret = ConvertTo-Json -InputObject $secretIn

# Stored under the profile name so credential_process.cmd can look it up by that name.
Set-Secret -Name $profileName -Secret $secret

This file, named credential_process.cmd, needs to be located on the path or next to terraform.exe.

@echo off
REM This file needs to be accessible to the aws cli or programs using it.
REM To support other paths, copy it to C:\Program Files\Amazon\AWSCLIV2
Powershell.exe -Command  "Get-Secret -Vault AWS -Name %1 -AsPlainText "

Finally, in your {user}\.aws\credentials file place the following entry:

[XXXXX-us-east-1]
credential_process = credential_process.cmd "XXXXX"
region=us-east-1
output=json

Now you can run an aws cli command (or Terraform) using:

aws ec2 describe-vpcs --profile XXXXX-us-east-1 

Drawbacks:

  • There is no way to prevent a user from using the simple aws configure statement and storing credentials in the clear.
  • There is no way to force an admin to use this method.

Like everything else AWS:

  • The complexity is unnecessary.
  • The documentation is very detailed, but somehow always missing important information.
  • Everything is a hack-job.

Possibilities:

  • It is possible to create a user (User1) that has access only to a certain secret in secret manager (User2 credentials).
  • User1 credentials are stored in the local Vault.
  • User1 would fetch the User2 credentials to be used from Secret Manager during invocation of credential_process.cmd
  • Person is never given the User2 credentials directly.
  • This would force the user to use method above.
  • However, the implementation of this should be in the aws configure, not hacked together. This would allow other dependent tools to just work once the configuration is complete.
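As an added example (not part of the answer above), the following PowerShell script replaces the one-line credential_process.cmd with a version that validates what it pulls from the vault before handing it to the AWS CLI: it checks the Version field and both key fields, passes SessionToken and Expiration through only when present, and refuses to emit credentials whose Expiration has already passed. It assumes the same SecretStore vault named "AWS" and the same JSON layout that the Set-Secret step above stores; the script path C:\tools\credential_process.ps1 in the usage comment is a placeholder.

```powershell
# credential_process.ps1 (added example; assumes a SecretStore vault "AWS"
# holding the JSON documents written by the Set-Secret step above).
# Usage in %USERPROFILE%\.aws\credentials (path is a placeholder):
#   [XXXXX-us-east-1]
#   credential_process = powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\tools\credential_process.ps1" -ProfileName "XXXXX"
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [string]$ProfileName
)

$ErrorActionPreference = 'Stop'

function Get-AwsCredentialJson {
    param([string]$Name)

    # Fetch the stored JSON; Get-Secret throws if the secret does not exist.
    $raw  = Get-Secret -Vault 'AWS' -Name $Name -AsPlainText
    $cred = $raw | ConvertFrom-Json

    # The credential_process contract requires Version = 1 and both key fields.
    if ($cred.Version -ne 1) {
        throw "Secret '$Name' has unsupported Version '$($cred.Version)'"
    }
    foreach ($field in 'AccessKeyId', 'SecretAccessKey') {
        if ([string]::IsNullOrWhiteSpace($cred.$field)) {
            throw "Secret '$Name' is missing $field"
        }
    }

    # Build the output explicitly so only the contract's fields reach stdout.
    $out = [ordered]@{
        Version         = 1
        AccessKeyId     = $cred.AccessKeyId
        SecretAccessKey = $cred.SecretAccessKey
    }
    if ($cred.SessionToken) { $out.SessionToken = $cred.SessionToken }

    # Fail closed on expired temporary credentials instead of handing them to the CLI.
    if ($cred.Expiration) {
        $expires = [DateTimeOffset]::Parse($cred.Expiration)
        if ($expires -le [DateTimeOffset]::UtcNow) {
            throw "Credentials for '$Name' expired at $($cred.Expiration)"
        }
        $out.Expiration = $expires.UtcDateTime.ToString('yyyy-MM-ddTHH:mm:ssZ')
    }
    return ($out | ConvertTo-Json -Compress)
}

try {
    # Only the JSON document may go to stdout; the CLI parses everything it reads there.
    Write-Output (Get-AwsCredentialJson -Name $ProfileName)
    exit 0
}
catch {
    # Diagnostics go to stderr so they can never be mistaken for credential JSON.
    [Console]::Error.WriteLine("credential_process: $($_.Exception.Message)")
    exit 1
}
```

The script exits non-zero on any problem, which makes the AWS CLI report a credential error for that profile rather than proceeding with partial or stale data. Keeping stdout reserved for the JSON document matters because the CLI treats the whole of stdout as the credential response.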

This is a HUGE security violation. I tried opening an issue at the aws cli github and it was summarily closed.

Running on AWS you can use the instance role (for EC2, Lambda or ECS).

Running outside AWS there is not a much better option. If someone gets access to the home directory, it's not your computer anymore. However, the credentials can as well be passed as env variables or cli/api parameters.

These can be encrypted and decrypted or requested when to be used, but still you need access to the decryption key or service.

You can actually use something like aws-vault: it stores the secrets in the local keychain, and basically creates a temporary shell with the creds as env variables, or you can just exec a specific command without creating a whole shell.

Also, another similar tool is vaulted, which stores credentials in an encrypted file and creates a temporary shell session when you wanna use it.
