Securing AWS Environment Variables for CLI Authentication
Objective
To keep the AWS CLI access keys that feed the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables out of plaintext files on disk.
Requirements
Basic AWS CLI key usage, plus pass (the standard unix password manager) and GnuPG installed on the workstation.
Normally, we either run through the quick configuration with $ aws configure, which writes the keys in plaintext to ~/.aws/credentials, or simply put AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in .bashrc or .bash_profile on our Linux machine, for example:
# aws-dev-user
export AWS_ACCESS_KEY_ID=AKIAIOSASDASCMCJSJSDD
export AWS_SECRET_ACCESS_KEY=wJSxksWOAxlawEdkxExmpleWoaKey
Either way the keys sit in plaintext in a file that anything running as your user can read, and that will turn up in backups, dotfile repos and screen shares. That is a real security risk, and you don't want to be the point of contact for your cyber security / IT risk management team when it is found.
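As a check for exactly that exposure, here is an added example (not code from the original post) that scans the files you name for long-lived AWS access key IDs. It matches only the common AKIA and ASIA prefixes, prints the file and line number but never the key itself, and returns non-zero when it finds something, so it can sit in a pre-commit hook or a login script; the sample file it builds for the demo is constructed and contains no real credentials.

```shell
#!/bin/sh
# Added example, not part of the original post: find AWS access key IDs sitting
# in plaintext in shell start-up files or ~/.aws/credentials.
# Assumption: only the common AKIA (IAM user) and ASIA (temporary) prefixes are
# matched; the secret key has no fixed prefix and is not searched for.

AWS_KEY_ID_RE='(AKIA|ASIA)[A-Z0-9]{16}'

# Print "file:line" for every line of the given files that carries a key ID.
# Only the location is printed, never the matching line, so the key is not
# echoed into your terminal or scrollback. Returns 1 if anything was found
# and 0 otherwise (unreadable or missing files are skipped, not reported).
scan_for_plaintext_aws_keys() {
    found=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        for n in $(grep -nE "$AWS_KEY_ID_RE" "$f" | cut -d: -f1); do
            printf '%s:%s\n' "$f" "$n"
            found=1
        done
    done
    return "$found"
}

# Stand-alone demonstration on a constructed sample start-up file; the key ID
# below is made up and the secret line is deliberately not in a real format.
demo_scan() {
    sample=$(mktemp)
    printf '%s\n' \
        'export PATH=/usr/local/bin:$PATH' \
        'export AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000001' \
        'export AWS_SECRET_ACCESS_KEY=not-a-real-secret' > "$sample"
    if scan_for_plaintext_aws_keys "$sample"; then
        echo "no plaintext AWS key IDs in $sample"
    else
        echo "plaintext AWS key ID found above, move it into pass"
    fi
    rm -f "$sample"
}

case "${1:-}" in
    demo) demo_scan ;;
    *)    : ;;   # sourced or run without arguments: only the function is defined
esac
```

Run it as `sh scan.sh demo` to see it on the sample, or source it and call `scan_for_plaintext_aws_keys ~/.bashrc ~/.bash_profile ~/.aws/credentials` against your own files.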
Securing the KEYS
To add another layer of protection, we can encrypt the key values and store them with pass, the standard unix password manager. All passwords live in ~/.password-store, each one encrypted to your GPG key, and pass provides some nice commands for adding, editing, generating, and retrieving passwords. It can also temporarily put a password on your clipboard and track password changes using git. Be clear about what this buys you: the keys are encrypted at rest, but once a shell has decrypted and exported them they are plaintext in that process's environment and in every child process it starts.
This is how we will use it.
- If you haven't set up a GPG key yet, generate one with the command below; otherwise skip this step.
$ gpg --gen-key
Follow the prompts on your CLI screen, and don't skip the passphrase: it is what protects the store if your home directory is copied.
- Then run the command below to create the password store.
$ pass init aws-dev-user
mkdir: created directory '/home/vagrant/.password-store/'
Password store initialized for aws-dev-user
Here, aws-dev-user is the ID of my GPG key (anything gpg accepts as a key identifier, such as the key ID or the user ID, works here).
- Next, add the keys into the password store. pass reads the value from an interactive prompt, so the secret never lands in your shell history.
$ pass insert aws-dev-user/aws-access-key-id
Enter password for aws-dev-user/aws-access-key-id:
Retype password for aws-dev-user/aws-access-key-id:
$ pass insert aws-dev-user/aws-secret-access-key
Enter password for aws-dev-user/aws-secret-access-key:
Retype password for aws-dev-user/aws-secret-access-key:
- Verify that the entries were added.
$ pass
Password Store
└── aws-dev-user
    ├── aws-access-key-id
    └── aws-secret-access-key
- View the value of each entry.
$ pass aws-dev-user/aws-access-key-id
Enter your GPG passphrase when prompted, and you will get a result like the one below.
$ pass aws-dev-user/aws-access-key-id
AKIAIOSASDASCMCJSJSDD <-- the value shown here
You can run the same command to view the aws-secret-access-key.
- Final step. Bind the commands to our environment variables. Usually that is .bashrc or .bash_profile on a Linux/UNIX machine. In my case I'm using .bash_profile.
$ vim .bash_profile
# aws-dev-user
export AWS_ACCESS_KEY_ID=$(pass aws-dev-user/aws-access-key-id)
export AWS_SECRET_ACCESS_KEY=$(pass aws-dev-user/aws-secret-access-key)
$ source .bash_profile <-- you will be prompted for your GPG passphrase
Two things to keep in mind: you get that prompt on every new login shell unless gpg-agent is caching the passphrase, and after the export the keys are plaintext in the shell's environment, so the encryption protects the file on disk, not a running session.
Summary
If you have multiple credentials belonging to multiple accounts, such as admin, temp-user, db-user and so on, just add another directory in the same password store for each account. For example,
$ pass
Password Store
├── aws-dev-user
│   ├── aws-access-key-id
│   └── aws-secret-access-key
├── aws-admin-user
│   ├── aws-access-key-id
│   └── aws-secret-access-key
└── aws-temp-user
    ├── aws-access-key-id
    └── aws-secret-access-key
The matching environment variable lines then look like the ones below. Note that the three pairs cannot all sit in .bash_profile at once: each export overwrites the previous one, so only the last pair would be active, and you would be decrypting the admin keys on every login whether you need them or not. Keep the pair you use day to day there and load the others on demand, for instance by wrapping each pair in a shell function you call when you need it.
# aws-dev-user
export AWS_ACCESS_KEY_ID=$(pass aws-dev-user/aws-access-key-id)
export AWS_SECRET_ACCESS_KEY=$(pass aws-dev-user/aws-secret-access-key)
# aws-admin-user
export AWS_ACCESS_KEY_ID=$(pass aws-admin-user/aws-access-key-id)
export AWS_SECRET_ACCESS_KEY=$(pass aws-admin-user/aws-secret-access-key)
# aws-temp-user
export AWS_ACCESS_KEY_ID=$(pass aws-temp-user/aws-access-key-id)
export AWS_SECRET_ACCESS_KEY=$(pass aws-temp-user/aws-secret-access-key)
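The final binding step above and this multi-account layout both come down to the same small loader, so here is one as an added example (my code, not the post's). It pulls a single profile out of pass on demand, checks that the two values actually look like an AWS access key ID and secret key so a typo at `pass insert` fails here rather than as a confusing signature error from AWS, exports exactly one profile at a time with `aws_use` / `aws_clear`, and can also answer the AWS CLI's `credential_process` hook, in which case the keys never enter the shell environment at all. Assumptions: entries are named `<profile>/aws-access-key-id` and `<profile>/aws-secret-access-key` as in the post; the `PASS_CMD` variable, the `AWS_PASS_PROFILE` marker and the `cred` subcommand are my own inventions, and `PASS_CMD` exists only so a stub can stand in for `pass` when testing.

```shell
#!/bin/sh
# Added example, not code from the original post: load one profile's AWS keys
# from pass on demand instead of exporting them unconditionally at login.
# Assumptions: entry names follow the post (<profile>/aws-access-key-id and
# <profile>/aws-secret-access-key); PASS_CMD defaults to "pass" and exists
# only so a stub can replace it in a test; AWS_PASS_PROFILE is a made-up
# marker variable for your prompt.
: "${PASS_CMD:=pass}"

# First line of one pass entry, or nothing if it does not exist.
pass_get() {
    "$PASS_CMD" show "$1" 2>/dev/null | head -n 1
}

# Shape checks: a standard key ID is 20 chars starting AKIA (long-lived) or
# ASIA (temporary); a secret key is 40 chars of base64-style text.
looks_like_access_key_id() { printf '%s' "$1" | grep -Eq '^(AKIA|ASIA)[A-Z0-9]{16}$'; }
looks_like_secret_key()    { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9/+]{40}$'; }

_load_fail() {
    echo "aws-pass: $1" >&2
    unset AWS_KEY_ID_TMP AWS_SECRET_TMP
    return 1
}

# Fetch both halves of a profile into two temporary variables, failing closed
# (nothing is left behind) on a missing entry or a malformed value.
load_aws_profile() {
    AWS_KEY_ID_TMP=$(pass_get "$1/aws-access-key-id")
    AWS_SECRET_TMP=$(pass_get "$1/aws-secret-access-key")
    looks_like_access_key_id "$AWS_KEY_ID_TMP" || { _load_fail "missing or malformed access key id for $1"; return 1; }
    looks_like_secret_key "$AWS_SECRET_TMP"    || { _load_fail "missing or malformed secret key for $1"; return 1; }
}

# Mode 1, the post's approach made switchable: source this file from
# .bash_profile, then run "aws_use aws-dev-user" to export that profile and
# "aws_clear" to drop whatever is loaded.
aws_use() {
    load_aws_profile "$1" || return 1
    export AWS_ACCESS_KEY_ID="$AWS_KEY_ID_TMP" AWS_SECRET_ACCESS_KEY="$AWS_SECRET_TMP"
    export AWS_PASS_PROFILE="$1"   # lets your prompt show which keys are live
    unset AWS_KEY_ID_TMP AWS_SECRET_TMP
}

aws_clear() {
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_PASS_PROFILE
}

# Mode 2: emit the JSON the AWS CLI expects from a credential_process command.
# In ~/.aws/config:
#   [profile dev]
#   credential_process = /path/to/aws-pass.sh cred aws-dev-user
# The CLI runs this only when it needs keys, so nothing is exported, and
# gpg-agent's passphrase cache keeps the prompting down.
aws_credential_json() {
    load_aws_profile "$1" || return 1
    printf '{"Version": 1, "AccessKeyId": "%s", "SecretAccessKey": "%s"}\n' \
        "$AWS_KEY_ID_TMP" "$AWS_SECRET_TMP"
    unset AWS_KEY_ID_TMP AWS_SECRET_TMP
}

case "${1:-}" in
    cred) aws_credential_json "$2" ;;   # invoked by the AWS CLI
    *)    : ;;                          # sourced: functions defined, nothing else
esac
```

With mode 2 you can drop the exports from .bash_profile entirely and select accounts with `aws --profile dev ...` or `AWS_PROFILE=dev`, which is the cleaner end state: the decrypted keys exist only for the lifetime of the CLI call that asked for them.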
That's it: the AWS CLI credentials now live in an encrypted local vault instead of a plaintext dotfile. Next, let's put them to use in a real scenario in the following article: ~Coming soon... Build Custom AMI using Packer & provision EC2 using Terraform
By @blog.farizizwan.com E-mail: [email protected]