How to keep your AWS Keys Safe on your terminal
One of the causes of AWS Keys leaks is configuring your AWS CLI by using the command aws configure; This can lead you to store your credentials in plain text under your home folder.
If you are using Linux or macOS, you may know about the Keychain and D-bus secret service, so let’s combine both things into a secure and robust solution to keep your keys safe.
We will use https://github.com/sorah/envchain as the primary tool to automate the keychain unlock, export the values into a subshell, and allow you to use them securely until your process finishes.
Clone and install the envchain tool from the sources at Github
Create a namespace to store your secure env vars (you can have multiples, one per client, per environment, per project, etc.) envchain --set production \ AWS_ACCESS_KEY_ID \ AWS_SECRET_ACCESS_KEY \ AWS_REGION Replace production with the name of your environment / AWS account
Start using it by adding the prefix envchain production aws sts get-caller-identity
Optional you can get into a subshell by doing this. envchain production bash Remember to close the session to remove your secrets from the env vars.
More information about
Don't stop here! You may be interested in reading
Damian Gitto Olguin
Follow us for more TeraTips