When using aws configure, the credentials are stored on my workstation in clear text. This is a HUGE security violation. I tried opening an issue at the aws cli github and it was summarily closed. I am using Terraform AND the aws cli directly, so a work-around needs to support this.
Example:
[MyProfile]
aws_access_key_id = xxxxxxxxxxxxxxx
aws_secret_access_key = yyyyyyyyyyyyyyyyyy
region=us-east-2
output=json
I came across this link a while back and thought it was excellent in explaining all the different options that you can try to solve the problem that you described above.
This is the simplest work-around I could find. References:
https://devblogs.microsoft.com/powershell/secretmanagement-and-secretstore-are-generally-available/
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html
The following powershell creates an encrypted vault.
# This will destroy an existing AWS vault.
# The vault will be set accessible to the current user with no password.
# When the AWS CLI invokes this there is no way to request a password, so
# authentication must be None and interaction must be disabled.
Install-Module Microsoft.PowerShell.SecretManagement -Scope CurrentUser
Install-Module Microsoft.PowerShell.SecretStore -Scope CurrentUser
# -Confirm:$false suppresses the ShouldProcess prompt so the script runs unattended.
Set-SecretStoreConfiguration -Authentication None -Scope CurrentUser -Interaction None -Confirm:$false
Register-SecretVault -Name "AWS" -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault -AllowClobber
# Smoke test: write and list a throw-away secret; remove it afterwards with
# Remove-Secret -Vault "AWS" -Name "test"
Set-Secret -Vault "AWS" -Name "test" -Secret "test"
Get-SecretVault
Write-Host "Vault Created"
This powershell can create the secret. Notice it is possible to expire the secret.
# Use $profileName rather than $profile: $PROFILE is a PowerShell automatic variable
# (the path of the profile script) and overwriting it is a common source of confusion.
$profileName = Read-Host -Prompt "Enter AWS Account Number"
$aws_access_key_id = Read-Host -Prompt "Enter AWS access key"
# Read the secret key as a SecureString so it is not echoed to the console, then unwrap it.
$secureSecret = Read-Host -Prompt "Enter AWS secret access key" -AsSecureString
$aws_secret_access_key = [System.Net.NetworkCredential]::new('', $secureSecret).Password
$secretIn = @{
    Version = 1;
    AccessKeyId = $aws_access_key_id;
    SecretAccessKey = $aws_secret_access_key;
    SessionToken = $null; # "the AWS session token for temporary credentials";
    # Expiration = "ISO8601 timestamp when the credentials expire";
}
$secret = ConvertTo-Json -InputObject $secretIn
Set-Secret -Vault "AWS" -Name $profileName -Secret $secret
This file, named credential_process.cmd, needs to be located on the PATH or next to terraform.exe.
@echo off
REM This file needs to be accessible to the aws cli or programs using it.
REM To support other paths, copy it to C:\Program Files\Amazon\AWSCLIV2
REM -NoProfile / -NonInteractive: do not load the user's profile script and never block on a prompt.
REM stdout must carry only the JSON document stored in the vault.
Powershell.exe -NoProfile -NonInteractive -Command "Get-Secret -Vault AWS -Name %1 -AsPlainText"
Finally, in your {user}\.aws\credentials file place the following entry:
[XXXXX-us-east-1]
credential_process = credential_process.cmd "XXXXX"
region=us-east-1
output=json
Now you can run an aws cli command (or Terraform) using:
aws ec2 describe-vpcs --profile XXXXX-us-east-1
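The .cmd shim above passes whatever Get-Secret returns straight to the AWS CLI, so a missing secret, a malformed JSON document or an expired session token only surfaces as an opaque "credential_process returned invalid output" error. The following script is an added example, not code from the answer above: a single PowerShell credential_process script that validates the stored document against the Version 1 contract, drops null optional fields, refuses to emit credentials whose Expiration has passed, and reports failures on stderr with a non-zero exit code. It assumes the vault is registered as "AWS" exactly as above; the file name C:\Tools\Get-AwsCredential.ps1 and the function name Get-AwsCredentialJson are my own choices.

```powershell
# Added example: C:\Tools\Get-AwsCredential.ps1 (hypothetical path).
# Invoked by the AWS CLI / Terraform through credential_process, e.g.
#   credential_process = powershell.exe -NoProfile -NonInteractive -File "C:\Tools\Get-AwsCredential.ps1" XXXXX
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true, Position = 0)]
    [string]$ProfileName,

    # Vault name used by the setup script above (assumption: "AWS").
    [string]$VaultName = 'AWS'
)

$ErrorActionPreference = 'Stop'

function Get-AwsCredentialJson {
    param([string]$Name, [string]$Vault)

    # Get-Secret throws when the secret does not exist; the caller turns that into exit 1.
    $raw  = Get-Secret -Vault $Vault -Name $Name -AsPlainText
    $cred = $raw | ConvertFrom-Json

    # credential_process contract: Version must be 1, AccessKeyId and SecretAccessKey
    # are required, SessionToken and Expiration are optional.
    if ($cred.Version -ne 1) {
        throw "Secret '$Name' has Version '$($cred.Version)'; credential_process requires Version 1."
    }
    foreach ($field in 'AccessKeyId', 'SecretAccessKey') {
        if ([string]::IsNullOrWhiteSpace($cred.$field)) {
            throw "Secret '$Name' is missing required field '$field'."
        }
    }

    $out = [ordered]@{
        Version         = 1
        AccessKeyId     = $cred.AccessKeyId
        SecretAccessKey = $cred.SecretAccessKey
    }
    # Emit the optional fields only when set, so the CLI never sees JSON nulls.
    if ($cred.SessionToken) { $out.SessionToken = $cred.SessionToken }
    if ($cred.Expiration) {
        $expires = [DateTimeOffset]::Parse($cred.Expiration)
        if ($expires -le [DateTimeOffset]::UtcNow) {
            throw "Credentials in secret '$Name' expired at $($cred.Expiration); store fresh ones."
        }
        # Normalise to the ISO 8601 UTC form the CLI expects and uses to schedule a refresh.
        $out.Expiration = $expires.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    }
    return ($out | ConvertTo-Json -Compress)
}

try {
    # stdout must contain nothing but the JSON document.
    Write-Output (Get-AwsCredentialJson -Name $ProfileName -Vault $VaultName)
    exit 0
}
catch {
    # Anything on stderr plus a non-zero exit makes the AWS CLI report a clear credential error
    # instead of silently using garbage.
    [Console]::Error.WriteLine("credential_process failed: $($_.Exception.Message)")
    exit 1
}
```

Because -File takes positional arguments, the credentials-file entry can call the script directly instead of going through a .cmd shim. When a secret carries an Expiration (for example temporary credentials copied from an STS response), the CLI caches the output and re-runs the script only after that time, which is what makes the "it is possible to expire the secret" remark above useful in practice.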
Drawbacks:
Like everything else AWS:
Possibilities:
This is a HUGE security violation. I tried opening an issue at the aws cli github and it was summarily closed.
Running on AWS you can use the instance role (for EC2, Lambda or ECS).
Running outside AWS there is not a much better option. If someone gets access to the home directory, it's not your computer anymore. However, the credentials can also be passed as environment variables or CLI/API parameters.
These can be encrypted and decrypted, or requested when they are to be used, but you still need access to the decryption key or service.
You can actually use something like aws-vault: it stores the secrets in the local keychain and basically creates a temporary shell with the creds as environment variables, or you can just exec a specific command without creating a whole shell.
Another similar tool is vaulted, which stores credentials in an encrypted file and creates a temporary shell session when you want to use it.