/aws-profile-gpg

🔐 ☁️ Run aws-cli commands using IAM Access Keys stored in a GPG-encrypted credentials file

Primary LanguagePythonMIT LicenseMIT

aws-profile-gpg

A script for calling the aws-cli using IAM Access Keys from a GPG encrypted credentials file.

The script is inspired by the various aws-profile wrappers found on GitHub, plus a desire to keep credentials encrypted at rest.

Benefits

1. Your secret access keys are encrypted at rest on disk so if someone gains access to your machine, they still won't have access to your AWS credentials

2. You can safely store your encrypted credentials in Dropbox or on a server so you can access the same config and credentials files from multiple machines

3. Since the script works by decrypting the credentials file and adding AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to the processes environment, you can use it with other apps the use these environment variables, e.g. Terraform

4. If you use an OpenGPG card such as a Yubikey as a private key, it will effectively act as a hardware MFA device for your access keys

Details and use cases are outlined in Usage below.

Prerequisites

This guide assumes you are familiar GPG and are able to encrypt your credentials file. If you are not familiar with GPG, there are a number of good tutorials online.

Install

Using Homebrew

brew bundle

or

brew tap jefforulez/jefforulez
brew install aws-profile-gpg

Using PyPI

pip install aws-profile-gpg

Usage

Basic usage

usage: aws-profile-gpg [-h] [-v] command [command ...]

positional arguments:
  command        command passed to aws cli

optional arguments:
  -h, --help     show this help message and exit
  -v, --verbose  verbose output

Using the default configuration

aws-profile-gpg aws s3 ls

Specifying an aws profile

AWS_PROFILE=iam_leet \
  aws-profile-gpg aws s3 ls

Specifying an alternative credentials file

AWS_ENCRYPTED_CREDENTIALS_FILE=/path/to/shared/aws/credentials.asc \
  aws-profile-gpg aws s3 ls

Specifying an alternative config file

AWS_CONFIG_FILE=/path/to/shared/aws/config \
  aws-profile-gpg aws s3 ls

Storing config and credentials files in Dropbox

AWS_CONFIG_FILE=${HOME}/Dropbox/etc/aws/config \
  AWS_ENCRYPTED_CREDENTIALS_FILE=${HOME}/Dropbox/aws/credentials.gpg \
  aws-profile-gpg aws s3 ls

Using with terraform

AWS_PROFILE=terraform \
  aws-profile-gpg terraform -plan

Environmental Variables

  • AWS_PROFILE_GPG_HOME

    • Path to aws-profile-gpg directory; Used to locate virtualenv and python script
    • Defaults to /usr/local/opt/aws-profile-gpg
  • AWS_ENCRYPTED_CREDENTIALS_FILE

    • Path to GPG encrypted credentials file
    • Supports both plain .gpg and ascii-armored .asc files
    • Defaults to ~/.aws/credentials.gpg
  • AWS_CONFIG_FILE

    • See AWS Command Line Interface
    • Defaults to ~/.aws/config
    • Note: If you change this, you must define all profiles in the custom config file
  • AWS_DEFAULT_PROFILE

Notes

Creating Bash Shortcuts

Creating bash functions is helpful for quickly invoking different profiles:

$ vim ~/.bash_profile

# optional
export AWS_ENCRYPTED_CREDENTIALS_FILE="${HOME}/Dropbox/aws/credentials.gpg"
export AWS_CONFIG_FILE="${HOME}/Dropbox/aws/config"

function aws-leet {
  AWS_PROFILE=iam_leet \
  aws-profile-gpg \
  aws \
  $@
}

function aws-terraform {
  AWS_PROFILE=terraform \
  aws-profile-gpg \
  aws \
  $@
}

You can then run:

$ source ~/.bash_profile
$ aws-leet iam get-user
{
  "User": {
    "Path": "/",
    "UserName": "iam.leet",
    "UserId": "AID35DF67GHFEK3",
    "Arn": "arn:aws:iam::737415635305:user/iam.leet",
    "CreateDate": "1970-01-01T00:00:00Z",
    "PasswordLastUsed": "2000-01-01T00:00:01Z"
  }
}

Specifying Profiles in Config Files

The AWS_PROFILE you use must be defined in your AWS_CONFIG_FILE file, e.g.

$ cat ~/.aws/config

[profile default]
region=us-east-1

[profile iam_leet]
region=us-east-1

This applies to the default profile too.

If you try to use an undefined profile, you will see this error: Profile not found in config; profile=iam_leet

Related Links