
How to Store Your AWS CLI Credentials Using KeepassXC

As cloud usage became widespread, command-line tools such as the AWS CLI and Terraform became the bread and butter of daily infrastructure operations, and every one of them needs AWS credentials from somewhere.

What are the options?

The AWS CLI documentation describes several ways to supply credentials; four of them are worth comparing here:

1. Using ~/.aws/credentials file

You can create ~/.aws/credentials by hand or let aws configure write it for you. This is not good security practice: the file stores the keys in plaintext, so any process running as your user, any backup of your home directory, and for that matter your dog, can read them.

2. Using environment variables

You can also export AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as environment variables. If you type the export into an interactive shell, the keys land in your shell history unless you have configured it to ignore such commands, which makes this roughly as exposed as the first option. The variables are also inherited by every child process started from that shell. Keeping a .env file on an encrypted filesystem and sourcing it avoids the history problem, but it is cumbersome, and the keys still sit in plaintext whenever the filesystem is mounted.

3. Using pass

pass is a simple UNIX password manager that keeps each password in its own gpg-encrypted file under ~/.password-store, so it fits the credential_process approach well. It is a safe option, but if you already use a cross-platform manager such as KeepassXC with many more features, pass is just one more tool to keep track of.

4. Using credential_process

Finally, the AWS CLI can hand authentication to an external program: set credential_process in your profile and the CLI runs that command, which must print a JSON document with the credentials to standard output. Version must be 1. SessionToken and Expiration are only needed for temporary credentials; without Expiration the CLI treats the keys as long-term credentials.

{
  "Version": 1,
  "AccessKeyId": "an AWS access key",
  "SecretAccessKey": "your AWS secret access key",
  "SessionToken": "the AWS session token for temporary credentials",
  "Expiration": "ISO8601 timestamp when the credentials expire"
}

The process runs with your user's privileges, so the script itself should not contain the secrets; it should fetch them from something that is unlocked with a master password, which is exactly what KeepassXC provides.

Configuring KeepassXC to serve AWS credentials

Step 1. Create the script

Here is the script to get your credentials from KeepassXC:

Step 2. Enable secret-service in KeepassXC

KeepassXC only starts serving the Secret Service D-Bus interface (org.freedesktop.secrets) once you enable Secret Service Integration under Tools -> Settings. After that, open Database -> Database Settings -> Secret Service Integration and choose the group whose entries should be exposed; entries outside that group stay invisible to clients. Only one program can own the Secret Service name on your session bus, so if gnome-keyring or another keyring daemon already provides it, KeepassXC cannot take over until that daemon is stopped.

Step 3. Modify your ~/.aws/config file

Modify your ~/.aws/config file to call your script:

[default]
credential_process=/path/to/keepassxc-get-aws-credentials.sh
region=atlantis-east-1
output=json

Backend developer with interest in big data analytics architectures and information security.
