
How to Store Your AWS CLI Credentials Using KeepassXC

As cloud usage became widespread, command-line tools such as the AWS CLI and Terraform became the bread and butter of daily infrastructure operations.

Today, how users store their credentials is one of the important security issues around these command-line tools: companies potentially have plain-text secrets for their sensitive cloud infrastructure sitting in their employees’ home folders or repositories.

The solution to this issue is actually simple: using a password database on your computer ensures that your passwords, SSH keys, and browser passwords are stored encrypted and become inaccessible every time you lock your computer and walk away.

KeepassXC is a password database that provides these features, and more. In this article, I am going to explain how to set it up to store your AWS CLI credentials securely and access them from the command line.

What are the options?

In AWS documentation, four methods are explained to provide your credentials:

1. Using ~/.aws/credentials file

You can manually create your ~/.aws/credentials file, or run aws configure and let the AWS command-line tool create it. This is not a good security practice: the keys sit in plain text, and anything that can read your home directory (your dog included) can read them.

2. Using environment variables

You can also export the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables for authentication. If the export commands end up in your shell’s history (e.g. because you have not defined history-ignore settings for your shell), this is just the same as the first option in terms of security. Keeping a .env file on an encrypted filesystem is an option, but it is rather cumbersome and still leaves the secrets exposed whenever the filesystem is mounted.

3. Using pass

pass is a simple UNIX password manager that stores each password in a gpg-encrypted file. This is a safe option, but if you are already using a cross-platform solution like KeepassXC with many more features, this is just one more tool for you to keep track of.

4. Using credential_process

AWS documentation states that we can use an external process which, when run, simply returns a JSON string containing our credentials.

Here is the format of the expected JSON string:

{
  "Version": 1,
  "AccessKeyId": "an AWS access key",
  "SecretAccessKey": "your AWS secret access key",
  "SessionToken": "the AWS session token for temporary credentials",
  "Expiration": "ISO8601 timestamp when the credentials expire"
}

We will use this feature to fetch the credentials from our running KeepassXC instance, provided our database is unlocked.

Configuring KeepassXC to serve AWS credentials

Step 1. Create the script

Here is the script to get your credentials from KeepassXC:

secret-tool is the command-line client of libsecret: it stores and retrieves secrets from your keyring through the Secret Service API. In this instance, KeepassXC will be the keyring backend answering those requests.

Step 2. Enable secret-service in KeepassXC

For KeepassXC to start its keyring daemon, we must enable KeepassXC’s Secret Service integration under Tools -> Settings:

After that, we edit the database secrets.kdbx (our KeePass database file) to expose a group of entries to the keyring. I would recommend exposing just one group that contains only the credentials you plan to use on the command line:

After that, your Secret Service daemon should be running. If you get an error stating that another secret service is already running, you have another keyring daemon installed. If it is not used, stopping or uninstalling that daemon will solve the problem.

Please note that you need two entries, one titled aws-access-key-id and the other titled aws-secret-access-key, for the script to retrieve the values stored in their password fields.

Step 3. Modify your ~/.aws/config file

Modify your ~/.aws/config file to call your script:
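As an added example of what such a credential_process helper can look like (this is not the article’s own script), the program below asks the KeepassXC secret service for the two entries through secret-tool and prints the Version 1 JSON document on stdout. It assumes each exposed entry carries a custom attribute named `name` equal to its title, so that `secret-tool lookup name aws-access-key-id` selects it; the attribute name is a convention chosen here, not something the article prescribes.

```python
#!/usr/bin/env python3
# credential_process helper (added example, not the article's script): fetch the
# two KeepassXC entries via secret-tool and print the JSON the AWS CLI expects.
import json
import subprocess
import sys

# Assumption made here: each exposed KeepassXC entry carries a custom attribute
# "name" set to its title, so `secret-tool lookup name <title>` selects it.
LOOKUP_ATTRIBUTE = "name"
# JSON field -> KeepassXC entry title (the titles the article prescribes)
ENTRIES = {"AccessKeyId": "aws-access-key-id",
           "SecretAccessKey": "aws-secret-access-key"}

def lookup_secret(entry_name, attribute=LOOKUP_ATTRIBUTE, runner=subprocess.run):
    """Return the entry's password field, or None when the secret service has
    no match (wrong title, group not exposed, or database still locked)."""
    result = runner(["secret-tool", "lookup", attribute, entry_name],
                    capture_output=True, text=True)
    if result.returncode != 0 or not result.stdout:
        return None
    return result.stdout.rstrip("\n")

def build_credentials(lookup):
    """Assemble the Version-1 document from a lookup callable. SessionToken and
    Expiration are omitted: they are only needed for temporary credentials.
    Raises LookupError instead of emitting a partial document."""
    creds = {"Version": 1}
    for field, title in ENTRIES.items():
        value = lookup(title)
        if not value:
            raise LookupError(f"no secret for entry {title!r}; is the database unlocked?")
        creds[field] = value
    return creds

def main():
    try:
        creds = build_credentials(lookup_secret)
    except LookupError as exc:
        # stdout must stay valid JSON for the AWS CLI, so diagnostics go to stderr
        print(f"error: {exc}", file=sys.stderr)
        return 1
    print(json.dumps(creds))
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

A non-zero exit with an empty stdout makes the AWS CLI report the failure instead of silently using half a key pair, which is what you want when the database is still locked.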


That’s it!

Backend developer with interest in big data analytics architectures and information security.