When using aws configure, the credentials are stored on my workstation in clear text. This is a HUGE security violation. I tried opening an issue at the aws cli github and it was summarily closed. I am using Terraform AND the aws cli directly, so a work-around needs to support this.
Example:
[MyProfile]
aws_access_key_id = xxxxxxxxxxxxxxx
aws_secret_access_key = yyyyyyyyyyyyyyyyyy
region=us-east-2
output=json
This is the simplest work-around I could find. References:
https://devblogs.microsoft.com/powershell/secretmanagement-and-secretstore-are-generally-available/
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.secretmanagement/?view=ps-modules
The following PowerShell creates an encrypted vault.
#This will destroy the existing AWS vault.
#The vault will be set accessible to the current user with no password.
#When the AWS CLI invokes this there is no way to request a password, so authentication must be None.
Install-Module Microsoft.PowerShell.SecretManagement
Install-Module Microsoft.PowerShell.SecretStore
#-Confirm:$false suppresses the confirmation prompt so the script runs unattended.
Set-SecretStoreConfiguration -Authentication None -Scope CurrentUser -Interaction None -Confirm:$false
Register-SecretVault -Name "AWS" -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault -AllowClobber
#Write a throwaway secret to confirm the vault accepts writes without prompting.
Set-Secret -Vault "AWS" -Name "test" -Secret "test"
Get-SecretVault
Write-Host "Vault Created"
This PowerShell can create the secret. Notice it is possible to expire the secret.
#The secret name doubles as the profile argument passed to credential_process.cmd.
#Named $profileName rather than $profile so it does not shadow the built-in $PROFILE variable.
$profileName = Read-Host -Prompt "Enter AWS Account Number"
$aws_access_key_id = Read-Host -Prompt "Enter AWS access key"
$aws_secret_access_key = Read-Host -Prompt "Enter AWS secret access key"
#This object matches the JSON the AWS CLI expects from a credential_process program.
$secretIn = @{
    Version = 1;
    AccessKeyId = $aws_access_key_id;
    SecretAccessKey = $aws_secret_access_key;
    SessionToken = $null; #"the AWS session token for temporary credentials";
    #Expiration = "ISO8601 timestamp when the credentials expire";
}
$secret = ConvertTo-Json -InputObject $secretIn
#Stored in the default vault, which Register-SecretVault set to "AWS" above.
Set-Secret -Name $profileName -Secret $secret
This file, named credential_process.cmd, needs to be located on the PATH or next to terraform.exe.
@echo off
REM This file needs to be accessible to the aws cli or programs using it.
REM To support other paths, copy it to C:\Program Files\Amazon\AWSCLIV2
REM %1 is the secret name from the credentials file. -NoProfile and -NonInteractive
REM keep startup fast and stop PowerShell from prompting, since the CLI cannot answer.
Powershell.exe -NoProfile -NonInteractive -Command "Get-Secret -Vault AWS -Name %1 -AsPlainText"
Finally, in your {user}\.aws\credentials file, place the following entry:
[XXXXX-us-east-1]
credential_process = credential_process.cmd "XXXXX"
region=us-east-1
output=json
Now you can run an aws cli command (or Terraform) using:
aws ec2 describe-vpcs --profile XXXXX-us-east-1
Drawbacks:
Like everything else AWS:
Possibilities:
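Two checks that go with the procedure above, as an added example that is not part of the original post: an audit that lists which profiles in a credentials file still carry a clear-text aws_secret_access_key versus a credential_process entry, and a validator for the Version 1 JSON a credential_process helper prints (the same fields the CLI reads). The credentials file and the JSON string are constructed samples, not real keys.

```python
import configparser
import json
from datetime import datetime, timezone

# Constructed sample credentials file: the first profile still stores static
# keys in clear text, the second delegates to the credential_process helper.
SAMPLE_CREDENTIALS = """[MyProfile]
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-example-secret
[XXXXX-us-east-1]
credential_process = credential_process.cmd "XXXXX"
"""

# Constructed sample of the Version 1 JSON the helper must print for the CLI.
SAMPLE_PROCESS_OUTPUT = ('{"Version": 1, "AccessKeyId": "AKIAEXAMPLEEXAMPLE00", "SessionToken": null, '
                         '"SecretAccessKey": "constructed-example-secret", "Expiration": "2099-01-01T00:00:00Z"}')

def audit_credentials(text):
    """Map each profile to 'clear-text', 'credential_process' or 'other'."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    report = {}
    for name in cp.sections():
        if "aws_secret_access_key" in cp[name]:      # static secret sits on disk
            report[name] = "clear-text"
        else:                                         # fetched on demand, or no keys here
            report[name] = "credential_process" if "credential_process" in cp[name] else "other"
    return report

def check_process_output(raw):
    """Return the problems the CLI would hit with this credential_process output."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not JSON: {exc}"]
    problems = []
    if data.get("Version") != 1:
        problems.append("Version must be 1")
    for key in ("AccessKeyId", "SecretAccessKey"):
        if not data.get(key):
            problems.append(f"missing {key}")
    if data.get("Expiration") is not None:            # optional; omit it for static keys
        try:
            when = datetime.fromisoformat(str(data["Expiration"]).replace("Z", "+00:00"))
            if when <= datetime.now(timezone.utc):    # naive timestamp raises TypeError here
                problems.append("credentials already expired")
        except (ValueError, TypeError):
            problems.append("Expiration must be an ISO 8601 timestamp with a UTC offset")
    return problems
```

Run audit_credentials over the real file (read it from %USERPROFILE%\.aws\credentials) to find profiles that still need converting, and pipe the output of credential_process.cmd into check_process_output when the CLI rejects a profile.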
You can actually use something like aws-vault: it stores the secrets in the local keychain and basically creates a temporary shell with the creds as env variables, or you can just exec a specific command without creating a whole shell.
Also, another similar tool is vaulted, which stores credentials in an encrypted file and creates a temporary shell session when you want to use it.