
How to Store Your AWS CLI Credentials Using KeePassXC

Fırat Civaner
3 min read · May 2, 2020


As cloud usage became widespread, command-line tools such as the AWS CLI and Terraform became the industry standard for daily infrastructure operations.

Today, how users store their credentials is one of the important security issues around these command-line tools: companies potentially have plain-text secrets for their sensitive cloud infrastructure sitting in the home directories of laptops, or worse, in repositories.

The solution is actually simple: keeping these secrets in a password database on our computer ensures that our passwords, SSH keys and browser passwords are encrypted at rest and unavailable whenever the database is locked, for example every time we lock our computer and walk away.

KeePassXC is a password database that provides these features and more. In this article, I am going to explain how to set it up to store our AWS CLI credentials securely and retrieve them from the command line.

What are the options?

AWS documentation describes several ways to supply credentials to the CLI; four of them are relevant here:

1. Using ~/.aws/credentials file

We can create the ~/.aws/credentials file manually, or run aws configure and let the AWS CLI create it. This is not good security practice: the keys sit in plain text, readable by anything running as our user (or by our dog, if it gets hold of our home directory).

2. Using environment variables

We can also export AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as environment variables. If the export command lands in our shell's history (for example because no history-ignore setting is defined for our shell), this is no better than the first option. Environment variables are also inherited by every child process and readable by other processes running as our user. Keeping a .env file on an encrypted filesystem is an option, but it is cumbersome and still exposes the secrets in plain text whenever the filesystem is mounted.

3. Using pass

pass is a simple UNIX password manager that stores each password in a gpg-encrypted file. This is a safe option, but if we already use a cross-platform solution like KeePassXC with many more features, pass is just one more tool to keep track of.

4. Using credential_process

AWS documentation states that we can point the CLI at an external process which, when run, prints a JSON document containing our credentials to standard output.

Here is the format of the expected JSON document. Version must be 1; SessionToken and Expiration are only needed for temporary credentials:

{
  "Version": 1,
  "AccessKeyId": "an AWS access key",
  "SecretAccessKey": "your AWS secret access key",
  "SessionToken": "the AWS session token for temporary credentials",
  "Expiration": "ISO8601 timestamp when the credentials expire"
}

We will use this feature to fetch the credentials from our running KeePassXC instance, which only works while our database is unlocked. Two caveats are worth keeping in mind. First, the CLI runs whatever path is configured here with our privileges, so the script must be writable only by us. Second, while the database is unlocked, any process on our user's session bus can ask the Secret Service for the same entries: this scheme protects the secrets at rest and while the database is locked, not against code already running in our session.

Configuring KeePassXC to serve AWS credentials

Step 1. Create the script

Here is the script to get our credentials from KeePassXC:

secret-tool is a command-line client for libsecret that stores and looks up secrets through the freedesktop.org Secret Service D-Bus API, matching items on attribute/value pairs. In this setup, the service answering on that bus will be KeePassXC instead of a keyring daemon such as GNOME Keyring.

Step 2. Enable Secret Service integration in KeePassXC

For KeePassXC to start serving secrets, we should enable its Secret Service integration through Tools -> Settings -> Secret Service Integration:

After that, in the same settings page, we edit the entry for secrets.kdbx (our KeePass database file) and pick which group of entries to expose through the Secret Service. I recommend exposing just one group that holds only the credentials we plan to use on the command line, so that a client on the session bus cannot enumerate the rest of the database:

After that, the Secret Service should be running. If we get an error stating that another secret service is already running, another keyring daemon (typically gnome-keyring-daemon) owns the org.freedesktop.secrets name on the session bus. If it is not needed, stopping or uninstalling that daemon solves the problem.

Please note that for the script to retrieve the values from the password fields, we need two entries in the exposed group, one named aws-access-key-id and the other aws-secret-access-key.

Step 3. Modifying ~/.aws/config file

Modify the ~/.aws/config file to call our script. The path must be absolute, and the script should be executable by us and writable by nobody else (chmod 700 is a sensible choice). The region below is a placeholder; use the real one:

[default]
credential_process=/path/to/keepassxc-get-aws-credentials.sh
region=atlantis-east-1
output=json
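Putting the three steps together, here is a complete credential_process script of the kind described above. It is an added example for this article, not the author's script. It assumes that each of the two KeePassXC entries carries a custom attribute (Advanced tab) named aws with the value access-key-id or secret-access-key, since secret-tool matches items on attribute/value pairs and KeePassXC exposes an entry's custom attributes through the Secret Service API; the attribute name, the values and the installed file name are assumptions, not from the article. If your entries are looked up differently, only lookup_secret needs to change.

```shell
#!/bin/sh
# keepassxc-get-aws-credentials.sh
# Added example for this article (not the author's script): emits the
# credential_process JSON document from two KeePassXC entries read through
# the freedesktop.org Secret Service API with secret-tool.
#
# Assumption (not from the article): each of the two entries carries a
# custom attribute named "aws" (Advanced tab in KeePassXC) whose value is
# "access-key-id" or "secret-access-key"; secret-tool matches items on
# such attribute/value pairs.
set -eu

ATTR_NAME="aws"
ACCESS_KEY_VALUE="access-key-id"
SECRET_KEY_VALUE="secret-access-key"

# Default lookup: ask the Secret Service (served by KeePassXC) for the
# password field of the item whose "aws" attribute equals $1.
lookup_secret() {
    secret-tool lookup "$ATTR_NAME" "$1"
}

# Escape backslash and double quote so a mis-pasted value cannot produce
# malformed JSON (AWS keys are plain ASCII, but fail safe anyway).
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Build the Version-1 document the AWS CLI expects on stdout.
# Usage: build_credential_json ACCESS_KEY_ID SECRET_ACCESS_KEY
build_credential_json() {
    printf '{"Version": 1, "AccessKeyId": "%s", "SecretAccessKey": "%s"}\n' \
        "$(json_escape "$1")" "$(json_escape "$2")"
}

# Fetch both values with the lookup function named in $1 (default:
# lookup_secret). A locked database or a missing entry makes secret-tool
# return nothing, so the script exits non-zero with a message on stderr
# instead of handing the CLI empty credentials.
get_aws_credentials() {
    lookup="${1:-lookup_secret}"
    akid=$("$lookup" "$ACCESS_KEY_VALUE" 2>/dev/null) || akid=""
    sak=$("$lookup" "$SECRET_KEY_VALUE" 2>/dev/null) || sak=""
    if [ -z "$akid" ] || [ -z "$sak" ]; then
        echo "keepassxc-get-aws-credentials: could not read the AWS entries;" \
             "is the database unlocked and Secret Service integration enabled?" >&2
        return 1
    fi
    build_credential_json "$akid" "$sak"
}

# Run only when invoked under the installed name, so the file can also be
# sourced (for example by a test) without touching the keyring.
case "$0" in
    *keepassxc-get-aws-credentials*) get_aws_credentials ;;
esac
```

Install it as /path/to/keepassxc-get-aws-credentials.sh with mode 700 and point credential_process at that absolute path. The secrets only ever travel from secret-tool to the CLI over stdout pipes, never as command-line arguments, so they do not show up in ps output or shell history; and because a lookup failure exits non-zero, the CLI reports an error rather than attempting a request with empty credentials.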

That’s it!



Backend developer with interest in big data analytics architectures and information security.