AWS CLI Credential Process
Protect your AWS Access Keys with Keeper Secrets Manager
By default, the AWS CLI uses credentials stored in plaintext in ~/.aws/credentials. With this credential process, you can instead use the Keeper Vault to store your AWS credentials, removing the need to have them on disk.
Instead, AWS will use this executable to securely fetch your AWS credential from your Vault using the Keeper Secrets Manager (KSM).
Use a vaulted AWS Access Key to authenticate to the AWS CLI.
In order to utilize this integration, you will need:
Secrets Manager add-on enabled for your Keeper account
Membership in a Role with the Secrets Manager enforcement policy enabled
This integration only accepts JSON format configurations.
Note: Field names are case-sensitive.
Once you have created your custom field, you can now use it to create a record for your AWS Access Key. This record should be stored in a shared folder that your KSM application has permission to access.
Once safely stored, you can delete the Access Key credentials from your AWS credential file.
The integration expects a KSM Application Configuration file at either .config/keeper/aws-credential-process.json or aws-credential-process.json, relative to the user's home directory. It must have access to a Shared Folder containing the required AWS Access Key.
Now, in your AWS configuration file, which is usually located at ~/.aws/config, add the following line to any profile you are using via the CLI.
Once configured as above, the AWS CLI will automatically fetch your authentication credential from the Keeper Vault. You can test that it works by running any CLI command for which you have an appropriate IAM role, such as:
If the command completes without error, congratulations, you are now fully set up.
Keeper Secrets Manager access (See the for more details)
A Keeper with an Access Key shared to it
See the for instructions on creating an Application
An initialized
The installed
The first step in setting up the integration is to add your AWS Access Key ID and your Secret Access Key to a record in your Vault. There is no built-in record type for this kind of secret; however, you can create a custom Record Type for this purpose alone.
In order to create new custom Record Types, the user must be in an Administrative role with the "Manage Record Types in Vault" .
For help in obtaining a KSM configuration in JSON format, .
After creating a new device, get the corresponding config.json and copy it into the user's home folder as aws-credential-process.json.
Download the keeper-aws-credential-process executable from the GitHub releases page and store it in a convenient location.
Make sure there are no residual AWS CLI credentials left on the machine; they may be picked up automatically, or fall back into use if the credential process is misconfigured.
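The following Python is an added illustration, not Keeper's code and not part of the keeper-aws-credential-process project. It shows the checks a practitioner would want around the profile configuration step and the residual-credentials warning above: which profiles in ~/.aws/config are wired to a credential_process, which of those still carry a plaintext key in ~/.aws/credentials (the AWS CLI's provider chain consults the shared credentials file before credential_process, so a leftover static key silently wins), whether the KSM configuration file is readable only by its owner, and whether a credential process's output matches the JSON contract the AWS CLI expects (Version 1, AccessKeyId, SecretAccessKey, optional SessionToken and Expiration). The config and credentials text, the executable path, and every key value are constructed placeholders.

```python
"""Sanity checks for an AWS CLI profile backed by a credential_process.

Added example; not Keeper's own code. It relies only on the AWS CLI's
standard config/credentials layout and the credential_process JSON
contract published by AWS (Version 1, AccessKeyId, SecretAccessKey).
"""
import configparser
import json
import os
import stat

# Constructed sample ~/.aws/config; the executable path is a placeholder.
CONFIG_TEXT = """
[default]
region = us-east-1

[profile dev]
region = us-west-2
credential_process = /usr/local/bin/keeper-aws-credential-process
"""

# Constructed sample ~/.aws/credentials with placeholder (non-real) keys.
CREDENTIALS_TEXT = """
[dev]
aws_access_key_id = AKIAEXAMPLEPLACEHOLDER
aws_secret_access_key = EXAMPLESECRETPLACEHOLDER

[prod]
aws_access_key_id = AKIAEXAMPLEPLACEHOLDER2
aws_secret_access_key = EXAMPLESECRETPLACEHOLDER2
"""

# Constructed example of what a credential_process must print to stdout.
SAMPLE_OUTPUT = json.dumps({
    "Version": 1,
    "AccessKeyId": "AKIAEXAMPLEPLACEHOLDER",
    "SecretAccessKey": "EXAMPLESECRETPLACEHOLDER",
})

REQUIRED_KEYS = {"Version", "AccessKeyId", "SecretAccessKey"}


def load_ini(text):
    """Parse INI text the way the AWS CLI files are laid out."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def profiles_using_credential_process(config_text):
    """Map profile name -> credential_process command for ~/.aws/config."""
    cp = load_ini(config_text)
    result = {}
    for section in cp.sections():
        # ~/.aws/config names non-default profiles "profile <name>".
        name = section[len("profile "):] if section.startswith("profile ") else section
        if cp.has_option(section, "credential_process"):
            result[name] = cp.get(section, "credential_process")
    return result


def residual_plaintext_keys(credentials_text, vaulted_profiles):
    """Vaulted profiles that still have a static key in ~/.aws/credentials."""
    cp = load_ini(credentials_text)
    return [s for s in cp.sections()
            if s in vaulted_profiles and cp.has_option(s, "aws_access_key_id")]


def mode_is_private(mode):
    """True when no group/other permission bits are set (e.g. 0o600)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def ksm_config_is_private(path):
    """Check the on-disk KSM configuration file is owner-only readable."""
    return mode_is_private(stat.S_IMODE(os.stat(path).st_mode))


def validate_credential_process_output(raw):
    """Validate credential_process stdout; returns (ok, reason)."""
    try:
        data = json.loads(raw)
    except ValueError as exc:
        return False, "not JSON: %s" % exc
    if not isinstance(data, dict):
        return False, "top-level value is not an object"
    missing = REQUIRED_KEYS - set(data)
    if missing:
        return False, "missing keys: %s" % ", ".join(sorted(missing))
    if data["Version"] != 1:
        return False, "unsupported Version %r" % (data["Version"],)
    return True, "ok"


if __name__ == "__main__":
    vaulted = profiles_using_credential_process(CONFIG_TEXT)
    print("profiles using credential_process:", vaulted)
    print("residual plaintext keys:", residual_plaintext_keys(CREDENTIALS_TEXT, vaulted))
    print("sample output valid:", validate_credential_process_output(SAMPLE_OUTPUT))
```

Run it against your own files by replacing the constructed text with the contents of ~/.aws/config and ~/.aws/credentials; any profile reported by residual_plaintext_keys still has a static key that should be deleted once the record is safely in the Vault.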
This Credential Process is . If you need to report a bug or would like to request a feature to support more authentication use cases, please .