Securing AWS Environment Variables for CLI Authentication

    Objective

    To provide secure environment variables for AWS CLI authentication keys.

    Requirements

    Basic AWS CLI key usage

    Normally, we run through the quick configuration ($ aws configure) or just put AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in .bashrc or .bash_profile on our Linux machine, as in the example below.

    # aws-dev-user
     export AWS_ACCESS_KEY_ID=AKIAIOSASDASCMCJSJSDD
     export AWS_SECRET_ACCESS_KEY=wJSxksWOAxlawEdkxExmpleWoaKey

    That approach is a security risk: the keys sit in plain text in a shell startup file, readable by anything that can read your home directory, and you don't want to be the point of contact for your cyber security/IT risk management team.

    Securing the KEYS

    To add another layer of security, we can encrypt the key values and store them in pass, the standard UNIX password manager. All passwords live in ~/.password-store, and pass provides some nice commands for adding, editing, generating, and retrieving passwords. It can temporarily put a password on your clipboard and track password changes using git.

    This is how we will use it.

    1. If you haven't created your GPG key yet, run the command below; otherwise skip this step.

      $ gpg --gen-key

      Follow the instructions prompted on your CLI screen. Don't forget to set a passphrase on the key.

    2. Then, run the command below to create the password store.

      $ pass init aws-dev-user
      mkdir: created directory '/home/vagrant/.password-store/'
      Password store initialized for aws

      Here, aws-dev-user is the ID of my GPG key.

    3. Next, add the keys to the password store. The folder name (aws-dev-user) must match the path used in the following steps.

      $ pass insert aws-dev-user/aws-access-key-id
      Enter password for aws-dev-user/aws-access-key-id:
      Retype password for aws-dev-user/aws-access-key-id:
      $ pass insert aws-dev-user/aws-secret-access-key
      Enter password for aws-dev-user/aws-secret-access-key:
      Retype password for aws-dev-user/aws-secret-access-key:

    4. Verify that the keys were added

      $ pass
      Password Store
      └── aws-dev-user
          ├── aws-access-key-id
          └── aws-secret-access-key

    5. View the value of each key

      $ pass aws-dev-user/aws-access-key-id

      (gpg-key-prompt: the GPG passphrase dialog appears here)

      Enter the GPG key passphrase, and you will get a result like the one below:

      $ pass aws-dev-user/aws-access-key-id
      AKIAIOSASDASCMCJSJSDD <-- the value shown here

      You can run the same command to view the aws-secret-access-key.

    6. Final step: bind the commands to our environment variables. Usually these live in .bashrc or .bash_profile on a Linux/UNIX machine. In my case, I'm using .bash_profile.

      $ vim .bash_profile
      # aws-dev-user
      export AWS_ACCESS_KEY_ID=$(pass aws-dev-user/aws-access-key-id)
      export AWS_SECRET_ACCESS_KEY=$(pass aws-dev-user/aws-secret-access-key)
      $ source .bash_profile <-- you will be prompted for the GPG passphrase

    Summary

    If you have credentials for several accounts (admin, temp-user, db-user, etc.), just create another folder in the password store for each account. For example,

    $ pass
    Password Store
    ├── aws-dev-user
    │   ├── aws-access-key-id
    │   └── aws-secret-access-key
    ├── aws-admin-user
    │   ├── aws-access-key-id
    │   └── aws-secret-access-key
    └── aws-temp-user
        ├── aws-access-key-id
        └── aws-secret-access-key

    then your environment variables should look like below. Note that each export overwrites the previous one, so only one account's pair can be active in a shell at a time: keep the blocks you are not using commented out, or load them on demand.

    # aws-dev-user
    export AWS_ACCESS_KEY_ID=$(pass aws-dev-user/aws-access-key-id)
    export AWS_SECRET_ACCESS_KEY=$(pass aws-dev-user/aws-secret-access-key)
    # aws-admin-user
    export AWS_ACCESS_KEY_ID=$(pass aws-admin-user/aws-access-key-id)
    export AWS_SECRET_ACCESS_KEY=$(pass aws-admin-user/aws-secret-access-key)
    # aws-temp-user
    export AWS_ACCESS_KEY_ID=$(pass aws-temp-user/aws-access-key-id)
    export AWS_SECRET_ACCESS_KEY=$(pass aws-temp-user/aws-secret-access-key)
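    Instead of exporting every account's pair from .bash_profile, a small helper can load one account from pass on demand. This is an added example, not code from the original post; it assumes the store layout shown above, is plain POSIX sh so it can be sourced from .bash_profile, and the names aws_use and aws_clear are chosen here.

```shell
# Load the AWS CLI credentials for one named account from pass into the
# current shell. Source this file, then run: aws_use aws-admin-user
# (aws_use / aws_clear are names chosen for this example; the store layout
# <account>/aws-access-key-id and <account>/aws-secret-access-key is assumed)

aws_use() {
    account=$1
    # Only allow the characters used in the folder names above, so a typo
    # or an unexpected argument can never become a path like ../something.
    case "$account" in
        ''|*[!A-Za-z0-9_-]*)
            echo "aws_use: invalid account name: '$account'" >&2
            return 1 ;;
    esac
    # Fetch both values before exporting anything, so a failed or empty
    # lookup (wrong passphrase, missing entry) never leaves a half-set pair
    # and the previously active credentials stay untouched.
    key_id=$(pass "$account/aws-access-key-id") || return 1
    secret=$(pass "$account/aws-secret-access-key") || return 1
    if [ -z "$key_id" ] || [ -z "$secret" ]; then
        echo "aws_use: empty credential for $account" >&2
        return 1
    fi
    export AWS_ACCESS_KEY_ID="$key_id"
    export AWS_SECRET_ACCESS_KEY="$secret"
    # Record which account is active, handy for prompts and scripts.
    export AWS_ACTIVE_ACCOUNT="$account"
    unset key_id secret
    return 0
}

# Remove the credentials from the current shell when you are done.
aws_clear() {
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_ACTIVE_ACCOUNT
}
```

    Switching with aws_use still triggers the GPG passphrase prompt described in step 6, but only for the account you actually ask for.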

    We have finished adding the AWS CLI credentials to the secure local vault. Now, let's make use of it in a real use-case scenario in the following article: ~Coming soon... Build a Custom AMI using Packer & provision EC2 using Terraform

    By @blog.farizizwan.com E-mail: [email protected]

    Copyright © 2020