How to use a Password Manager to Store AWS Credentials
- Jamie Tyler
- Cloud , Aws , Software
- November 4, 2024
I like to avoid having access_key_ids and secret_access_keys configured locally on my Mac.
I already use the password manager 1Password, which has a command-line interface that enables the automation of tasks whilst protecting keys, tokens, etc. Check out the 1Password website. To be clear, this is the one I use and I am not being paid, in any form, for this article.
Installation
As I have mentioned in other articles, I use Homebrew to manage what is installed on my Mac. For this scenario, let's assume you are already using 1Password. The CLI is a separate installation; it can be installed with Homebrew and verified as follows.
brew install --cask 1password/tap/1password-cli
op --version
Next, update ~/.zshrc with the following.
# Activate 1password Shell Completion
eval "$(op completion zsh)"; compdef _op op
And, finally, reload the ~/.zshrc.
. ~/.zshrc
Configuration
The 1Password CLI configuration needs a directory. As I have mentioned, I am using a Mac, so this will be different if you are using Microsoft Windows and, to a lesser extent, Linux. The directory is also restricted: chmod 700 limits access to the directory's owner, the currently logged-on user, in this case me.
mkdir -p ~/.config/op
chmod 700 ~/.config/op
In this article I am going to assume we are using only one AWS account and the account’s friendly name is blog. I have access to the access_key_id and secret_access_key to complete the configuration.
1Password Configuration
- Open 1Password
- Navigate to the item that holds the login details for the AWS account, click edit, and add a Section called Access Keys
- Add a new text field called access_key_id and populate
- Add a new password field called secret_access_key and populate
- Save
AWS CLI
To access the new fields in 1Password, configuration files are required for the 1Password CLI and then an alias is placed in ~/.zshrc to integrate with the AWS CLI.
As blog is the friendly name of the AWS account that is being configured, create its configuration file.
touch ~/.config/op/aws-blog
The syntax for the configuration file is.
AWS_ACCESS_KEY_ID=op://{vault}/{item}/access_key_id
AWS_SECRET_ACCESS_KEY=op://{vault}/{item}/secret_access_key
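Where {vault} is the 1Password vault and {item} is the credential entry in that vault. These lines are references to the fields in 1Password, not the keys themselves; op run resolves them when the command is executed.
Finally, an alias should be added to ~/.zshrc to make it easy to execute. The alias points at the aws-blog file created above.
alias aws-blog='op run --env-file=$HOME/.config/op/aws-blog -- aws'
Therefore all AWS CLI commands would be aws-blog and not aws when interacting with this AWS account.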
Reload the ~/.zshrc.
. ~/.zshrc
This completes the installation and configuration.
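To confirm the setup keeps plaintext keys off disk, the check below audits an env file such as ~/.config/op/aws-blog. It is an added example, not part of the original article or of 1Password's tooling; the function name check_op_env_file is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article): audit a 1Password env file.
# check_op_env_file FILE
#   returns 0 when the parent directory is mode 700 and every assignment in
#   FILE is an op:// secret reference; returns 1 otherwise and says why.
check_op_env_file() {
    file=$1
    dir=$(dirname "$file")
    status=0

    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }

    # The article restricts the directory with chmod 700; confirm it stuck.
    if [ -z "$(find "$dir" -prune -perm 700)" ]; then
        echo "directory $dir is not mode 700" >&2
        status=1
    fi

    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            ''|'#'*) continue ;;            # blank line or comment
        esac
        name=${line%%=*}
        value=${line#*=}
        case $value in
            op://*/*/*) ;;                  # vault/item/field reference
            *)
                # Report the variable name only, never the value itself.
                echo "line $lineno: $name is not an op:// reference" >&2
                status=1
                ;;
        esac
    done < "$file"

    return "$status"
}
```

Run it as check_op_env_file ~/.config/op/aws-blog; a non-zero exit status means a literal value has been pasted into the file or the directory permissions have drifted from 700.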