AWS CLI Credential Process
Protect your AWS Access Keys with Keeper Secrets Manager
About
By default, the AWS CLI uses credentials stored in plaintext in ~/.aws/credentials. With this credential process, you can instead keep your AWS credentials in the Keeper Vault, removing the need to have them on disk.
Rather than reading the file, the AWS CLI invokes this executable, which securely fetches your AWS credential from your Vault using the Keeper Secrets Manager (KSM).
Features
Use a vaulted AWS Access Key to authenticate to the AWS CLI.
Prerequisites
In order to utilize this integration, you will need:
Keeper Secrets Manager access (See the Quick Start Guide for more details)
Secrets Manager add-on enabled for your Keeper account
Membership in a Role with the Secrets Manager enforcement policy enabled
A Keeper Secrets Manager Application with an Access Key shared to it
See the Quick Start Guide for instructions on creating an Application
An initialized Keeper Secrets Manager Configuration
This integration only accepts JSON format configurations
The AWS CLI v2 installed
Setup
Vault
The first step in setting up the integration is to add your AWS Access Key ID and your Secret Access Key to a record in your Vault. There is no built-in record type for this kind of secret; however, you can create a custom record type for this purpose alone.
In order to create new custom Record Types, the user must be in an Administrative role with the "Manage Record Types in Vault" permission activated.
Note: Field names are case-sensitive.
Once you have created your custom record type, you can use it to create a record for your AWS Access Key. This record should be stored in a shared folder that your KSM application has permission to access.
Once the key is safely stored in the Vault, delete the Access Key credentials from your AWS credentials file.
KSM
The integration expects a KSM Application Configuration file at either .config/keeper/aws-credential-process.json or aws-credential-process.json, relative to the user's home directory. The application must have access to a Shared Folder containing the required AWS Access Key.
For help in obtaining a KSM configuration in JSON format, follow these instructions.
After creating a new device, get the corresponding config.json and copy it into the user's home folder as aws-credential-process.json.
AWS Config
Download the latest version of the keeper-aws-credential-process executable from the GitHub releases page and store it in a convenient location.
Now, in your AWS configuration file, which is usually located at ~/.aws/config, add the following line to any profile you use via the CLI.
Make sure no residual AWS CLI credential configuration is left on the machine: a leftover plaintext key may be picked up automatically, or used as a fallback if the credential process is misconfigured.
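The following is an added illustration of the two contracts this setup depends on, not the keeper-aws-credential-process code itself: where the KSM configuration is looked up (the two home-relative paths above), the JSON document the AWS CLI expects a credential process to print, and a check that no plaintext key was left behind in ~/.aws/credentials. It does not call KSM; the record fields are passed in already fetched, and the custom-field names are assumed.

```python
import configparser
import json
from pathlib import Path
from typing import Callable, Dict, List, Optional

# Candidate KSM config locations, in the order the docs list them (relative to home).
CONFIG_CANDIDATES = (
    ".config/keeper/aws-credential-process.json",
    "aws-credential-process.json",
)

# Assumed (hypothetical) custom-field names on the vault record; case-sensitive.
ACCESS_KEY_FIELD = "Access Key ID"
SECRET_KEY_FIELD = "Secret Access Key"


def find_ksm_config(home: str, exists: Callable[[Path], bool] = Path.is_file) -> Optional[str]:
    """Return the first candidate config path that exists under home, else None."""
    for rel in CONFIG_CANDIDATES:
        candidate = Path(home) / rel
        if exists(candidate):
            return str(candidate)
    return None


def to_credential_process_output(fields: Dict[str, str]) -> Dict[str, object]:
    """Shape vault fields into the JSON the AWS CLI reads from the process's stdout.

    "Version": 1 is the schema the CLI accepts. A missing or empty field is refused
    here so the CLI fails loudly instead of quietly using another credential source.
    """
    try:
        access_key, secret_key = fields[ACCESS_KEY_FIELD], fields[SECRET_KEY_FIELD]
    except KeyError as missing:
        raise ValueError(f"vault record lacks field {missing}") from None
    if not access_key or not secret_key:
        raise ValueError("vault record has an empty credential field")
    return {"Version": 1, "AccessKeyId": access_key, "SecretAccessKey": secret_key}


def profiles_with_plaintext_keys(credentials_ini: str) -> List[str]:
    """Profiles in ~/.aws/credentials text that still carry a plaintext secret key."""
    parser = configparser.ConfigParser()
    parser.read_string(credentials_ini)
    return [s for s in parser.sections() if parser.has_option(s, "aws_secret_access_key")]


if __name__ == "__main__":
    home = str(Path.home())
    print("KSM config:", find_ksm_config(home))
    creds = Path(home) / ".aws" / "credentials"
    if creds.is_file():  # leftover plaintext keys would be picked up before the process
        print("profiles still storing plaintext keys:", profiles_with_plaintext_keys(creds.read_text()))
    # Only the JSON document may go to stdout; the secret must not be logged anywhere else.
    print(json.dumps(to_credential_process_output(
        {ACCESS_KEY_FIELD: "AKIAEXAMPLE000000000", SECRET_KEY_FIELD: "constructed-secret"})))
```

The key values in the demo are constructed placeholders; the real executable fetches them from the Vault record in the shared folder your KSM application can read.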
Usage
Once configured as above, the AWS CLI will automatically fetch your authentication credential from the Keeper Vault. You can test that it works by running any CLI command for which your IAM identity has the appropriate permissions, such as:
If the command completes without error, congratulations, you are now fully set up.
Feature Request / Report an Issue
This Credential Process is open source and can be found on GitHub. If you need to report a bug or would like to request a feature to support more authentication use cases, please create a GitHub issue.