This content originally appeared on DEV Community and was authored by Gernot Glawe
According to the Well-Architected Framework, you should not store keys as cleartext. So why do you store your AWS credentials in a credentials file as clear, unencrypted text? The answer is: because it is convenient! I show you a way to handle your static or SSO AWS credentials simply and securely.
You need three little tools:
Leapp, the new leapp-cli and switchaws. You will get a zero-byte credentials file, temporary credentials and command-line handling with tools that are fast and easy to install.
Quick Start for the impatient
This assumes you have an AWS SSO login and a profile called letsbuild. After installing the tools, you can start the session with these two commands:
One
leapp session start letsbuild
Two
switch letsbuild
Before
ls -l ~/.aws/credentials
-rw-------@ 1 jdoe staff 0 3 Mär 12:45 /Users/jdoe/.aws/credentials
After
ls -l ~/.aws/credentials
-rw-------@ 1 jdoe staff 831 3 Mär 12:45 /Users/jdoe/.aws/credentials
and the environment variables are also filled, for example:
AWS_DEFAULT_REGION=eu-central-1
AWS_DEFAULT_PROFILE=letsbuild
AWS_REGION=eu-central-1
AWS_ACCESS_KEY_ID=ASIA3SHER36FBEBMXR22
AWS_SECRET_ACCESS_KEY=P9kWKJKgsOWBMOAW7a5aRI7apt31CXAuXpfNsoeC
AWS_SESSION_TOKEN=IQoJb3JpZ2luX2VjECwaCWV1LXdlc3QtMSJGMEQCIE0KfNquOOCxf9UuXxgnWnvCeK6JeYWnqXmmz48fnzP+AiAwWRh7qnXXR8FkEfpkc5...9UmXa9PxI4Qj0ObcxLP8/YQBbIkCgs0+C7xWj/e1lmKhSLlhjRI04Mlj1Y9EomihaH/YEGEAXJ1sySpcgZJAHW6n02E7LvUAhV9ODYX66AFbRdqRrFZXIlDN5J0MalU18gNts3d1OA==
So you can start using the profile:
aws sts get-caller-identity
{
"UserId": "AIDAAAABBBBCCCAW",
"Account": "777555666888",
"Arn": "arn:aws:iam::777555666888:user/jdoe"
}
Alternative approaches
Using profiles only with Leapp
1) start session
leapp session start letsbuild
2) use profiles with each call:
aws sts get-caller-identity --profile letsbuild
Configure Leapp for default profile
The downside:
The AWS CLI first looks for credentials in the environment variables. If it finds AWS_ACCESS_KEY_ID & co, the profile in the credentials file will not be used.
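Both the zero-byte credentials file and the environment-variable downside can be checked from the shell. The following is an added example, not part of the original post or of Leapp or switchaws: it classifies each profile in a credentials file by access key ID prefix (AKIA for long-term keys, ASIA for temporary ones) and reports whether exported keys are present. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): classify keys in an AWS credentials file.
# Access key ID prefixes: AKIA = long-term IAM user key, ASIA = temporary STS key.

# Print "profile<TAB>kind" per profile; kind is static, temporary or unknown.
classify_profiles() {
  awk '
    function emit() { if (profile != "" && key != "") print profile "\t" kind }
    /^[ \t]*\[.*\][ \t]*$/ {
      emit()
      profile = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", profile)
      key = ""; kind = ""
      next
    }
    /^[ \t]*aws_access_key_id[ \t]*=/ {
      key = $0; sub(/^[^=]*=[ \t]*/, "", key)
      if (key ~ /^AKIA/) kind = "static"
      else if (key ~ /^ASIA/) kind = "temporary"
      else kind = "unknown"
    }
    END { emit() }
  ' "$1"
}

# Number of profiles that still hold a long-lived key (0 is the goal).
count_static() {
  classify_profiles "$1" | awk -F '\t' '$2 == "static"' | wc -l | tr -d ' '
}

# Exit 0 if exported keys are present; the article notes the AWS CLI
# finds these before it looks at the profile in the credentials file.
env_credentials_set() {
  [ -n "${AWS_ACCESS_KEY_ID:-}" ]
}

# Constructed sample file: key IDs and secrets below are placeholders.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[legacy]
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-placeholder
[letsbuild]
aws_access_key_id = ASIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-placeholder
aws_session_token = constructed-placeholder
EOF
classify_profiles "$sample"
echo "static keys: $(count_static "$sample")"
env_credentials_set && echo "note: AWS_ACCESS_KEY_ID is exported"
rm -f "$sample"
```

Run against ~/.aws/credentials before a session is started, an empty file produces no output and a static-key count of 0.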
What do you get out of this approach?
Secure storage of credential keys
- Not stored as clear text in a file, but in the macOS keychain
Secure usage of temporary credentials
With AWS SSO you always get temporary credentials. With a static IAM user access key, you would use static credentials. Leapp uses these static keys to generate temporary credentials.
Easy installation and long term stability
I have used awsume for a long time. Then I got a new MacBook and lost 1/2 hour installing different Python versions. So I programmed switchaws in Go to get a single executable. And yes: I plead guilty to the "not invented here" syndrome :).
Installation is straightforward:
1) copy the matching binary into a directory which is in your $PATH
2) copy the wrapper file into that directory as well
3) Set an alias
and you are done!
Summary
Leapp works great with either a static ACCESS_KEY or SSO.
Thanks
Photo by Isaac Li Shung Tan on Unsplash

Gernot Glawe | Sciencx (2023-03-05T13:33:59+00:00) Switch & Leapp-cli – AWS session management 100% command line. Retrieved from https://www.scien.cx/2023/03/05/switch-leapp-cli-aws-session-management-100-command-line/