globaldatanetmenu
#Security

.Secure handling of AWS api keys

Mar 22nd 2020-2 min read

At globaldatanet we always advocate a strong authentication when interacting with the AWS APIi. We happily recognize that SSO is now a part of the AWS CLI Version 2, but in our projects we still have to handle local IAM API access keys for our development and our customers. To mitigate the drawback of storing sensitive date as cleartext in your credentials file, we use AWS-Vault to store and access the API keys in a secure way.

How it works

AWS Vault is an opensource tool published under the MIT license. It stores IAM credentials in your local securtiy store. AWS Vault supports security backends for Mac OS, Linux and Windows. It is using the stored credentials to request temporary credentials from Amazons's STS service. Temporary credentials have a limited lifetime which reduces the risk of leaking. The temporary credentials are then exposed as environment variables to the executed process.

AWS Vault authentication flow

Installing

$ brew cask install aws-vault Warning: Cask 'aws-vault' is already installed.

Configuration

First you need to store new credentials in your vault.

aws-vault add test Enter Access Key ID: ABDCDEFDASDASF Enter Secret Access Key: 8TdTeIxTNunauw3ZlPhG72i9XU7j10HAFHJhzKY9 Added credentials to profile "test" in vault

Execute any command.

$ aws-vault exec test -- env | grep AWS AWS_VAULT=test AWS_DEFAULT_REGION=eu-central-1 AWS_REGION=eu-central-1 AWS_ACCESS_KEY_ID=%%% AWS_SECRET_ACCESS_KEY=%%% AWS_SESSION_TOKEN=%%% AWS_SECURITY_TOKEN=%%% AWS_SESSION_EXPIRATION=2020-03-24T15:15:40Z

For the full documentation check out the Github repository.

Tip

If you execute aws-vault without additional commands, it will start a new shell and expose the environment variables in this sub shell.

$ aws-vault exec test $ grep env AWS AWS_VAULT=test AWS_DEFAULT_REGION=eu-central-1 AWS_REGION=eu-central-1 AWS_ACCESS_KEY_ID=%%% AWS_SECRET_ACCESS_KEY=%%% AWS_SESSION_TOKEN=%%% AWS_SECURITY_TOKEN=%%% AWS_SESSION_EXPIRATION=2020-03-24T15:15:40Z

Github

Further information and the source code can be found here:

Github repository


Sascha Profile picture
Sascha LangeDevOps Engineer
Related Posts
Feb 14th 2024open blog

.AI TRiSM

Aug 14th 2023open blog

.Ensuring Compliance with Custom AWS Config Rules

May 25th 2023open blog

.Enterprise-scaled Self-Healing StackSets

globaldatanetCloud Development, Optimization & Automation

.Navigation

.Solutions

.Social

  • follow globaldatanet on instagram
  • follow globaldatanet on facebook
  • follow globaldatanet on twitter
  • follow globaldatanet on linkendin
  • follow globaldatanet on twitch
  • listen to our serverless world podcast
  • follow globaldatanet's tech rss feed
  • follow globaldatanet at github
© 2024 by globaldatanet. All Right Reserved
ImprintPrivacy Policy
Your privacy is important to us!

We use cookies on our website. Some of them are essential,while others help us to improve our online offer.
You can find more information in our Privacy policy