Updated: 7 days ago
One of the causes of AWS key leaks is configuring the AWS CLI with the command aws configure: it stores your credentials in plain text under your home folder.
If you are using Linux or macOS, you may already know about the Keychain and the D-Bus Secret Service, so let's combine the two into a secure and robust way to keep your keys safe.
We will use https://github.com/sorah/envchain as the primary tool: it automates unlocking the keychain, exports the stored values into a subshell, and lets you use them securely until your process finishes.
Clone and install the envchain tool from the sources on GitHub.
Create a namespace to store your secure environment variables (you can have several: one per client, per environment, per project, etc.):
envchain --set production \
AWS_ACCESS_KEY_ID \
AWS_SECRET_ACCESS_KEY \
AWS_REGION
Replace production with the name of your environment or AWS account.
Start using it by adding the prefix:
envchain production aws sts get-caller-identity
Optionally, you can get into a subshell:
envchain production bash
Remember to close the session (exit the subshell) to remove your secrets from the environment variables.
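As an added example (not code from the original post or from envchain), here is a POSIX shell check for the two risks described above: it lists the profiles in a credentials file that still hold a plain-text secret, and tests whether the current shell is still carrying AWS secrets after a session. The function names and the sample key values are assumptions.

```shell
# Added example (not from the original post): audit the credentials file that
# "aws configure" writes, and check the shell is not still carrying AWS secrets.

# Print each profile in an INI-style credentials file that stores a non-empty
# aws_secret_access_key in plain text, one per line. Always exits 0.
aws_plaintext_profiles() {
    creds_file="$1"
    [ -f "$creds_file" ] || return 0
    awk '
        # "[default]" or "[prod]" starts a new profile section.
        /^[ \t]*\[.*\][ \t]*$/ {
            profile = $0
            sub(/^[ \t]*\[/, "", profile)
            sub(/\][ \t]*$/, "", profile)
            next
        }
        # A non-empty value means the secret sits on disk in the clear.
        tolower($0) ~ /^[ \t]*aws_secret_access_key[ \t]*=[ \t]*[^ \t#]/ {
            if (profile != "" && !(profile in seen)) {
                seen[profile] = 1
                print profile
            }
        }
    ' "$creds_file"
}

# Exit 0 when this shell still carries an AWS secret, e.g. an envchain
# subshell that was not closed, or keys exported by hand.
aws_env_has_secrets() {
    [ -n "${AWS_SECRET_ACCESS_KEY:-}" ] || [ -n "${AWS_SESSION_TOKEN:-}" ]
}

# Demo on a constructed credentials file (sample values, not real keys).
demo_creds=$(mktemp)
cat > "$demo_creds" <<'EOF'
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE
aws_secret_access_key = EXAMPLESECRETEXAMPLESECRETEXAMPLE
[keychain-only]
region = us-east-1
EOF
echo "Profiles with plain-text secrets in $demo_creds:"
aws_plaintext_profiles "$demo_creds"
if aws_env_has_secrets; then
    echo "WARNING: AWS secrets are present in this shell's environment"
fi
rm -f "$demo_creds"
```

Run the audit against ~/.aws/credentials on your machine; any profile it prints is a candidate to move into envchain.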
More information:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
https://rtfm.co.ua/en/what-is-linux-keyring-gnome-keyring-secret-service-and-d-bus/
https://support.apple.com/guide/mac-help/use-keychains-to-store-passwords-mchlf375f392/mac