How to keep your AWS Keys Safe on your terminal

One of the causes of AWS key leaks is configuring your AWS CLI with the command aws configure. This can leave your credentials stored in plain text under your home folder.

If you are using Linux or macOS, you may know about the Keychain and the D-Bus Secret Service, so let's combine both into a secure and robust solution to keep your keys safe.

We will use https://github.com/sorah/envchain as the primary tool to automate the keychain unlock, export the values into a subshell, and allow you to use them securely until your process finishes.


  • Clone and install the envchain tool from the sources on GitHub.

  • Create a namespace to store your secure env vars (you can have several: one per client, per environment, per project, etc.):

        envchain --set production \
          AWS_ACCESS_KEY_ID \
          AWS_SECRET_ACCESS_KEY \
          AWS_REGION

    Replace production with the name of your environment / AWS account.

  • Start using it by adding the envchain production prefix to your commands:

        envchain production aws sts get-caller-identity

  • Optionally, you can get into a subshell:

        envchain production bash

    Remember to close the session to remove your secrets from the env vars.
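Moving keys into envchain does not remove the plaintext copies that aws configure left behind. The script below is an added example, not part of the original post or of envchain: it lists which profiles in the AWS CLI credentials file still hold static keys, printing key names only. The function names and the sample file are constructed for illustration; AWS_SHARED_CREDENTIALS_FILE is the AWS CLI's own override for the file location.

```shell
#!/bin/sh
# Added example (not from the original post): find profiles that still keep
# static AWS keys in plain text. Only key names are printed, never values.

# Prints "<profile> <comma-separated key names>" for each affected profile.
plaintext_aws_profiles() {
  creds_file="${1:-${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}}"
  [ -r "$creds_file" ] || return 0   # no file on disk: nothing to report
  awk '
    function emit() { if (found != "") print profile, found; found = "" }
    BEGIN { profile = "(no-section)" }
    /^[ \t]*[#;]/ { next }                      # skip comment lines
    /^[ \t]*\[.*\]/ {                           # [profile] header
      emit()
      profile = $0
      sub(/^[ \t]*\[/, "", profile); sub(/\].*$/, "", profile)
      next
    }
    {
      n = split($0, kv, "=")
      if (n < 2) next
      key = tolower(kv[1]); gsub(/[ \t]/, "", key)
      val = kv[2]; gsub(/[ \t]/, "", val)
      if (val != "" && (key == "aws_access_key_id" ||
                        key == "aws_secret_access_key" ||
                        key == "aws_session_token"))
        found = (found == "" ? key : found "," key)
    }
    END { emit() }
  ' "$creds_file"
}

# Returns 1 while any plaintext key remains, so it can gate a login script.
audit_aws_credentials() {
  hits="$(plaintext_aws_profiles "$1")"
  [ -z "$hits" ] && return 0
  printf 'plaintext AWS keys still on disk:\n%s\n' "$hits" >&2
  return 1
}

# Constructed sample file with placeholder values (not real keys).
sample="$(mktemp)"
cat > "$sample" <<'EOF'
[default]
aws_access_key_id = AKIAXXXXXXXXXXXXXXXX
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
EOF
audit_aws_credentials "$sample" || echo "move these into envchain, then delete them"
rm -f "$sample"
```

Once a profile's keys are stored with envchain --set, delete those lines from the credentials file so the keychain holds the only copy.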



More information about












Damian Gitto Olguin

AWS Hero







