How to keep your AWS Keys Safe on your terminal
Updated: Apr 29
One of the causes of AWS key leaks is configuring the AWS CLI with the command aws configure: it stores your credentials in a plain-text file under your home folder.
If you are using Linux or macOS, you may know about the Keychain and the D-Bus Secret Service, so let's combine the two into a secure and robust solution to keep your keys safe.
We will use https://github.com/sorah/envchain as the primary tool: it automates unlocking the keychain, exports the values into a subshell, and lets you use them securely until your process finishes.
Clone and install the envchain tool from the sources on GitHub.
Create a namespace to store your secure env vars (you can have several: one per client, per environment, per project, etc.):

envchain --set production \
  AWS_ACCESS_KEY_ID \
  AWS_SECRET_ACCESS_KEY \
  AWS_REGION

Replace production with the name of your environment / AWS account.
Start using it by adding the envchain prefix to your commands:

envchain production aws sts get-caller-identity

Optionally, you can get into a subshell with the variables exported:

envchain production bash

Remember to close the session when you are done, so the secrets are removed from the env vars.
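The procedure above replaces plain-text files with keychain-backed variables; a useful companion is a quick audit that tells you whether an aws configure style credentials file is still sitting in your home folder. The script below is an added example, not code from the post or from the envchain project: it checks a credentials file for a plaintext aws_secret_access_key, lists the profiles it contains, and builds the envchain prefix command shown above. The sample file it writes is constructed for the demo and holds placeholder values, not real keys; the default path ~/.aws/credentials is the standard AWS CLI location, and envchain itself is assumed to be installed when you act on the output.

```shell
#!/bin/sh
# Added example (not part of the original post): audit a credentials file for
# plaintext AWS keys, the thing envchain is meant to keep out of your home folder.

# Return 0 if the file holds a plaintext aws_secret_access_key, 1 otherwise.
# Defaults to the standard AWS CLI credentials path.
has_plaintext_aws_keys() {
    f="${1:-$HOME/.aws/credentials}"
    [ -r "$f" ] || return 1
    grep -Eiq '^[[:space:]]*aws_secret_access_key[[:space:]]*=' "$f"
}

# Print the profile names ([section] headers) found in a credentials file.
list_profiles() {
    sed -n 's/^[[:space:]]*\[\([^]]*\)\].*$/\1/p' "${1:-$HOME/.aws/credentials}"
}

# Build (but do not run) the envchain prefix command for a namespace and a command.
envchain_cmd() {
    ns="$1"; shift
    printf 'envchain %s %s\n' "$ns" "$*"
}

# Demo on a constructed sample file with placeholder values (not real keys).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
[default]
aws_access_key_id = AKIAEXAMPLEPLACEHOLDER
aws_secret_access_key = EXAMPLEsecretPLACEHOLDERnotARealKey
[clean]
region = us-east-1
EOF
    if has_plaintext_aws_keys "$tmp"; then
        echo "plaintext secret found in $tmp (profiles: $(list_profiles "$tmp" | tr '\n' ' '))"
        echo "move it into the keychain with: envchain --set production AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_REGION"
        echo "then run commands as: $(envchain_cmd production aws sts get-caller-identity)"
    else
        echo "no plaintext secret in $tmp"
    fi
    rm -f "$tmp"
}

demo
```

Run it without arguments to see the demo; call has_plaintext_aws_keys with no argument to check your own ~/.aws/credentials, and once the keys live in the keychain, delete the plaintext entries so the check comes back clean.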
More information about
Damian Gitto Olguin
AWS Hero