According to the AWS Well-Architected Framework you should not store keys as cleartext. So why do you store your AWS credentials in a credentials file as clear, unencrypted text? The answer: because it is convenient! I will show you a way to handle your static or SSO AWS credentials simply and securely.
You need three little tools:
Leapp, the new leapp-cli and switchaws. You get a zero-byte credentials file, temporary credentials and command-line handling with tools that are fast and easy to install.
Quick Start for the impatient
Assuming you have an AWS SSO login and a profile called letsbuild. After installing the tools you can start the session with these two commands:
One
leapp session start letsbuild
Two
switch letsbuild
Before
ls -l ~/.aws/credentials
-rw-------@ 1 jdoe staff 0 3 Mär 12:45 /Users/jdoe/.aws/credentials
After
ls -l ~/.aws/credentials
-rw-------@ 1 jdoe staff 831 3 Mär 12:45 /Users/jdoe/.aws/credentials
and the environment variables are filled as well, like:
AWS_DEFAULT_REGION=eu-central-1
AWS_DEFAULT_PROFILE=letsbuild
AWS_REGION=eu-central-1
AWS_ACCESS_KEY_ID=ASIA3SHER36FBEBMXR22
AWS_SECRET_ACCESS_KEY=P9kWKJKgsOWBMOAW7a5aRI7apt31CXAuXpfNsoeC
AWS_SESSION_TOKEN=IQoJb3JpZ2luX2VjECwaCWV1LXdlc3QtMSJGMEQCIE0KfNquOOCxf9UuXxgnWnvCeK6JeYWnqXmmz48fnzP+AiAwWRh7qnXXR8FkEfpkc5...9UmXa9PxI4Qj0ObcxLP8/YQBbIkCgs0+C7xWj/e1lmKhSLlhjRI04Mlj1Y9EomihaH/YEGEAXJ1sySpcgZJAHW6n02E7LvUAhV9ODYX66AFbRdqRrFZXIlDN5J0MalU18gNts3d1OA==
So you can start using the profile:
aws sts get-caller-identity
{
    "UserId": "AIDAAAABBBBCCCAW",
    "Account": "777555666888",
    "Arn": "arn:aws:iam::777555666888:user/jdoe"
}
Alternative approaches
Using profiles only with leapp
1) start the session
leapp session start letsbuild
2) use the profile with each call:
aws sts get-caller-identity --profile letsbuild
Configure leapp for the default profile
The downside:
The AWS CLI first looks for credentials in the environment variables. If it finds AWS_ACCESS_KEY_ID and friends, the profile in the credentials file will not be used.
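As an added illustration (not code from this post, from Leapp or from switchaws), here is a POSIX sh sketch of what a `switch <profile>` wrapper has to do: read one profile from the credentials file and print export lines for the current shell, plus an `aws_unswitch` that removes them so the credentials file is consulted again. The function names and the sample credentials file are constructed here.

```shell
#!/bin/sh
# Added sketch of what a `switch <profile>` wrapper must do: a child process
# cannot change its parent's environment, so the wrapper prints "export"
# lines that the shell alias evals. Returns 1 when the profile is missing,
# e.g. while ~/.aws/credentials is still the zero-byte file you see before
# `leapp session start`.
aws_profile_exports() {
  _file=$1
  _profile=$2
  [ -s "$_file" ] || { echo "no credentials in $_file (start a leapp session first)" >&2; return 1; }
  awk -v p="$_profile" '
    /^[ \t]*\[/ {                        # section header: [profile-name]
      sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/][ \t]*$/, "", sec)
      insec = (sec == p); next
    }
    insec && /=/ {                       # key = value inside the wanted section
      key = $0; sub(/[ \t]*=.*$/, "", key); gsub(/^[ \t]+/, "", key)
      val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      kv[tolower(key)] = val
    }
    END {
      if (!("aws_access_key_id" in kv)) { print "profile " p " not found" > "/dev/stderr"; exit 1 }
      printf "export AWS_ACCESS_KEY_ID=\047%s\047\n", kv["aws_access_key_id"]
      printf "export AWS_SECRET_ACCESS_KEY=\047%s\047\n", kv["aws_secret_access_key"]
      if ("aws_session_token" in kv)     # SSO / temporary credentials carry a token
        printf "export AWS_SESSION_TOKEN=\047%s\047\n", kv["aws_session_token"]
      else                               # static key: drop any stale token
        print "unset AWS_SESSION_TOKEN"
      printf "export AWS_DEFAULT_PROFILE=\047%s\047\n", p
    }' "$_file"
}

# Undo a switch. With these unset, the AWS CLI no longer finds credentials in
# the environment and falls back to the credentials file / --profile again.
aws_unswitch() {
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_DEFAULT_PROFILE
}

# Demo on a constructed credentials file (placeholder values, not real keys).
demo=$(mktemp)
printf '[letsbuild]\naws_access_key_id = ASIAEXAMPLEKEYID\naws_secret_access_key = EXAMPLESECRET\naws_session_token = IQoJEXAMPLETOKEN==\n' > "$demo"
aws_profile_exports "$demo" letsbuild
# In the real wrapper: eval "$(aws_profile_exports ~/.aws/credentials letsbuild)"
rm -f "$demo"
```

Because the printed variables take precedence over the credentials file, run `aws_unswitch` before expecting `--profile` to pick up a different profile.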
What do you get out of this approach?
Secure storage of credential keys
- Not stored as clear text in a file, but in the macOS Keychain
Secure usage of temporary credentials
With AWS SSO you always get temporary credentials. With a static IAM user access key you would otherwise use static credentials; leapp uses these static keys to generate temporary credentials.
Easy installation and long-term stability
I used awsume for a long time. Then I got a new MacBook and lost half an hour installing different Python versions. So I programmed switchaws in Go to get a single executable. And, yes: I plead guilty to the "not invented here" syndrome :) .
Installation is straightforward:
1) copy the matching binary into a directory which is in your $PATH
2) copy the wrapper file into that directory as well
3) set an alias
and you are done!
Summary
Leapp works great with either a static access key or SSO.
Thanks
Photo by Isaac Li Shung Tan on Unsplash