When using aws configure, the credentials are stored on my workstation in clear text. This is a HUGE security violation. I tried opening an issue at the aws cli github and it was summarily closed. I am using Terraform AND the aws cli directly, so a work-around needs to support this.
Example:
[MyProfile]
aws_access_key_id = xxxxxxxxxxxxxxx
aws_secret_access_key = yyyyyyyyyyyyyyyyyy
region=us-east-2
output=json
CodePudding user response:
This is the simplest work-around I could find. References:
https://devblogs.microsoft.com/powershell/secretmanagement-and-secretstore-are-generally-available/
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html
The following PowerShell creates an encrypted vault.
#This will destroy an existing AWS vault (-AllowClobber re-registers it).
#The vault is accessible to the current user with no password.
#When the AWS CLI invokes this there is no way to request a password.
Install-Module Microsoft.PowerShell.SecretManagement -Scope CurrentUser
Install-Module Microsoft.PowerShell.SecretStore -Scope CurrentUser
#-Confirm:$false suppresses the confirmation prompt so the script runs unattended.
Set-SecretStoreConfiguration -Authentication None -Scope CurrentUser -Interaction None -Confirm:$false
Register-SecretVault -Name "AWS" -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault -AllowClobber
Set-Secret -Vault "AWS" -Name "test" -Secret "test"
Get-SecretVault
Write-Host "Vault Created"
This PowerShell can create the secret. Notice it is possible to expire the secret.
#Use $profileName rather than $profile: $profile is PowerShell's automatic variable for the profile script path.
$profileName = Read-Host -Prompt "Enter AWS Account Number"
$aws_access_key_id = Read-Host -Prompt "Enter AWS access key"
$aws_secret_access_key = Read-Host -Prompt "Enter AWS secret access key"
#This is the JSON shape the AWS CLI expects from a credential_process command.
$secretIn = @{
    Version = 1;
    AccessKeyId = $aws_access_key_id;
    SecretAccessKey = $aws_secret_access_key;
    SessionToken = $null; #"the AWS session token for temporary credentials";
    #Expiration = "ISO8601 timestamp when the credentials expire";
}
$secret = ConvertTo-Json -InputObject $secretIn
Set-Secret -Vault "AWS" -Name $profileName -Secret $secret
This file, named credential_process.cmd, needs to be located on the PATH or next to terraform.exe.
@echo off
REM This file needs to be accessible to the aws cli or programs using it.
REM To support other paths, copy it to C:\Program Files\Amazon\AWSCLIV2
REM -NoProfile and -NonInteractive keep profile scripts and prompts out of the CLI's call.
Powershell.exe -NoProfile -NonInteractive -Command "Get-Secret -Vault AWS -Name %1 -AsPlainText"
Finally, in your {user}\.aws\credentials file place the following entry:
[XXXXX-us-east-1]
credential_process = credential_process.cmd "XXXXX"
region=us-east-1
output=json
Now you can run an aws cli command (or Terraform) using:
aws ec2 describe-vpcs --profile XXXXX-us-east-1
Drawbacks:
- There is no way to prevent a user from using the simple aws configure statement and storing credentials in the clear.
- There is no way to force an admin to use this method.
Like everything else AWS:
- The complexity is unnecessary.
- The documentation is very detailed, but somehow always missing important information.
- Everything is a hack-job.
Possibilities:
- It is possible to create a user (User1) that has access only to a certain secret in secret manager (User2 credentials).
- User1 credentials are stored in the local Vault.
- User1 would fetch the User2 credentials to be used from Secret Manager during invocation of credential_process.cmd
- Person is never given the User2 credentials directly.
- This would force the user to use method above.
- However, the implementation of this should be in the aws configure, not hacked together. This would allow other dependent tools to just work once the configuration is complete.
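As an added example (not the answerer's scripts above), here is the whole procedure as one PowerShell 7 script: vault setup, storing the profile's credentials with an optional Expiration, writing the credential_process helper, and registering the profile in the CLI config. The vault name "AWS", the helper path under %USERPROFILE%\.aws\bin, the profile name, writing the entry to ~/.aws/config instead of the credentials file, and using pwsh.exe rather than a .cmd wrapper are assumptions; the JSON fields are the ones the AWS CLI documents for credential_process.

```powershell
#Requires -Version 7.0
#Requires -Modules Microsoft.PowerShell.SecretManagement, Microsoft.PowerShell.SecretStore
# Added example: end-to-end setup for credential_process backed by SecretStore.
# Assumed values: vault "AWS", helper script in %USERPROFILE%\.aws\bin, pwsh.exe on PATH.
param(
    [string]$VaultName   = 'AWS',
    [string]$ProfileName = 'XXXXX-us-east-1',   # constructed profile name
    [string]$Region      = 'us-east-1',
    [string]$HelperDir   = (Join-Path $env:USERPROFILE '.aws\bin')
)
$ErrorActionPreference = 'Stop'

function Initialize-AwsVault([string]$Name) {
    # No password and no prompts: the CLI runs the helper without a console to ask on.
    Set-SecretStoreConfiguration -Authentication None -Scope CurrentUser -Interaction None -Confirm:$false
    if (-not (Get-SecretVault -Name $Name -ErrorAction SilentlyContinue)) {
        Register-SecretVault -Name $Name -ModuleName Microsoft.PowerShell.SecretStore
    }
}

function Save-AwsProfileSecret {
    param(
        [string]$Vault, [string]$Name, [string]$AccessKeyId,
        [securestring]$SecretAccessKey,            # read with -AsSecureString, never echoed
        [string]$SessionToken, [datetime]$Expiration
    )
    $body = [ordered]@{
        Version         = 1
        AccessKeyId     = $AccessKeyId
        SecretAccessKey = ConvertFrom-SecureString -SecureString $SecretAccessKey -AsPlainText
    }
    # Optional fields only when present; the CLI uses Expiration as its cache deadline.
    if ($SessionToken) { $body.SessionToken = $SessionToken }
    if ($PSBoundParameters.ContainsKey('Expiration')) {
        $body.Expiration = $Expiration.ToUniversalTime().ToString('o')
    }
    Set-Secret -Vault $Vault -Name $Name -Secret ($body | ConvertTo-Json -Compress)
}

function Install-CredentialProcessHelper([string]$Directory, [string]$Vault) {
    # The helper prints the stored JSON on stdout; any failure exits non-zero so the CLI
    # reports an error instead of silently continuing without credentials.
    New-Item -ItemType Directory -Path $Directory -Force | Out-Null
    $path = Join-Path $Directory 'credential_process.ps1'
    @"
param([Parameter(Mandatory)][string]`$ProfileName)
`$ErrorActionPreference = 'Stop'
`$json = Get-Secret -Vault '$Vault' -Name `$ProfileName -AsPlainText
if ((`$json | ConvertFrom-Json).Version -ne 1) { throw "unexpected secret format for `$ProfileName" }
Write-Output `$json
"@ | Set-Content -Path $path -Encoding utf8
    return $path
}

function Register-AwsCliProfile([string]$Name, [string]$Region, [string]$HelperPath) {
    # credential_process is honoured in ~/.aws/config; nothing secret is written here.
    $configFile = Join-Path $env:USERPROFILE '.aws\config'
    @"

[profile $Name]
credential_process = pwsh.exe -NoProfile -NonInteractive -File "$HelperPath" -ProfileName $Name
region = $Region
output = json
"@ | Add-Content -Path $configFile
}

Initialize-AwsVault -Name $VaultName
$akid = Read-Host -Prompt 'AWS access key id'
$sak  = Read-Host -Prompt 'AWS secret access key' -AsSecureString
Save-AwsProfileSecret -Vault $VaultName -Name $ProfileName -AccessKeyId $akid -SecretAccessKey $sak
$helper = Install-CredentialProcessHelper -Directory $HelperDir -Vault $VaultName
Register-AwsCliProfile -Name $ProfileName -Region $Region -HelperPath $helper
# Check afterwards with: aws sts get-caller-identity --profile <ProfileName>
Write-Host "Profile '$ProfileName' now resolves credentials from vault '$VaultName' via $helper"
```

After running it, `aws sts get-caller-identity --profile XXXXX-us-east-1` should succeed while `~/.aws/credentials` and `~/.aws/config` contain no key material; if the vault entry is missing or malformed the helper exits non-zero and the CLI reports the failure rather than falling through to another credential source.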
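The "Possibilities" list above sketches a two-identity design: a low-privilege User1 in the local vault that may only read one Secrets Manager secret, and the working User2 credentials that the person never sees. As an added example (not part of the answer, and not how the AWS CLI itself implements anything), this credential_process helper realises that design with AWS Tools for PowerShell. The vault entry name "<profile>-bootstrap", the Secrets Manager secret name "aws-cli/<profile>", the region, and storing User2's keys in the same JSON shape the CLI expects are all assumptions.

```powershell
#Requires -Modules Microsoft.PowerShell.SecretManagement, AWS.Tools.SecretsManager
# credential_process_sm.ps1 -- added example for the User1/User2 design, not the answer's code.
# Assumptions: local vault "AWS" holds "<ProfileName>-bootstrap" (User1 keys, credential_process
# JSON shape); Secrets Manager secret "aws-cli/<ProfileName>" holds User2 keys in the same shape.
#
# Least-privilege policy to attach to User1 (constructed; replace the ARN), so the bootstrap
# identity can do nothing but read that single secret:
#   { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
#       "Action": "secretsmanager:GetSecretValue",
#       "Resource": "arn:aws:secretsmanager:us-east-1:<ACCOUNT-PLACEHOLDER>:secret:aws-cli/*" } ] }
param(
    [Parameter(Mandatory)][string]$ProfileName,
    [string]$Vault  = 'AWS',
    [string]$Region = 'us-east-1'
)
$ErrorActionPreference = 'Stop'   # any failure -> non-zero exit -> the CLI reports an error

# 1. Bootstrap identity (User1) from the local vault; it can only read one secret.
$boot = Get-Secret -Vault $Vault -Name "$ProfileName-bootstrap" -AsPlainText | ConvertFrom-Json

# 2. Fetch the working credentials (User2) with User1's keys. The person never handles them;
#    they exist only in this process and on the CLI's stdin.
$resp = Get-SECSecretValue -SecretId "aws-cli/$ProfileName" -Region $Region `
            -AccessKey $boot.AccessKeyId -SecretKey $boot.SecretAccessKey
$creds = $resp.SecretString | ConvertFrom-Json

# 3. Validate the shape before handing it to the CLI; fail closed on anything unexpected.
foreach ($k in 'AccessKeyId', 'SecretAccessKey') {
    if (-not $creds.$k) { throw "secret aws-cli/$ProfileName is missing $k" }
}

# 4. Emit exactly what credential_process expects; optional fields only when present.
$out = [ordered]@{
    Version         = 1
    AccessKeyId     = $creds.AccessKeyId
    SecretAccessKey = $creds.SecretAccessKey
}
if ($creds.SessionToken) { $out.SessionToken = $creds.SessionToken }
if ($creds.Expiration)   { $out.Expiration   = $creds.Expiration }
$out | ConvertTo-Json -Compress
```

Register it the same way as the simpler helper (for example `credential_process = pwsh.exe -NoProfile -NonInteractive -File "C:\path\credential_process_sm.ps1" -ProfileName XXXXX-us-east-1`). Rotating User2 then means updating one Secrets Manager secret, and CloudTrail records every GetSecretValue call by User1, which gives a defender a log of each workstation credential fetch that plain files in `~/.aws` never produce.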
CodePudding user response:
> This is a HUGE security violation. I tried opening an issue at the aws cli github and it was summarily closed.
Running on AWS you can use the instance role (for EC2, Lambda or ECS).
Running outside AWS there is not a much better option. If someone gets access to the home directory, it's not your computer anymore. However, the credentials can also be passed as env variables or cli/api parameters.
These can be encrypted and decrypted or requested when they are to be used, but you still need access to the decryption key or service.
CodePudding user response:
I came across this link a while back and thought it was excellent in explaining all the different options that you can try to solve the problem that you described above.