DEV Community

Cover image for Be gone AWS access keys

Posted on

Be gone AWS access keys

Many people start with a single AWS account, start reading up, find examples, create a new user with too much access and then setup access keys. These keys stay in your AWS cli credential file and this might not be such a great idea.

It's actually pretty easy to fix this problem, AWS have been busy working on organizations and AWS SSO, these two services will help setup up some structure for us to build on and resolve long lived access keys.

Both AWS organizations and AWS SSO are free!!

Why should I care

Keys living in a plain text file that don't expire is generally a bad idea. Anyone who gets access to those keys can use them, if someone is trying to access your keys it's probably not to pay your AWS bill.

Some more food for thought:

  • Malware targeting credential files
  • Developers committing credentials to a code repository

How does it work you say?

Basically, AWS SSO comes with it's own user directory. You might be familiar with the IAM user directory? The SSO one is purely for SSO, you can creates and assign users to groups and permissions.

If you have your own directory like Azure Active Directory you can also connect that up to AWS SSO and use that instead, which is pretty cool.

When you configure AWS SSO you'll also need to configure the AWS CLI (version 2). This will launch an authentication session via SSO and provide temporary credentials (1 hour) to your CLI session. Now, you'll have access to do what you need to do and if someone gets the keys (after your session has expired) they won't be any good. The next time your authenticate your keys will be updated and you'll be good to go.


When you setup AWS SSO within your AWS organizations you're only allowed to have one AWS SSO globally. So you'll need to pick a region, if you do go to create an SSO instance and you have one already you'll be notified to remove the current one first before creating the new one in your region.

Word of caution for CDK users

If you're a CDK fan just be aware, this is all doable but you'll need to implement a workaround to copy your version 1 cli temporary credentials into the old style version 1 credentials file as CDK doesn't support SSO just yet. There are heaps of open source fixes for this, some are pretty feature rich.

I'm using yawsso, so maybe check that one out. It's also pretty common to roll your own as it's basically just copying the creds from the ~/.aws/config to ~/.aws/credentials file.

More information

This should be enough to get you thinking about using AWS SSO and migrating to a more structured approach. If you get stuck or want some additional information I have done a much longer write up on my blog for those interested:

If you are using AWS organizations and AWS SSO I'd be keen to hear your experience so far, any tips etc.

Discussion (0)