pda/aws-keychain

What about ps?

avioli opened this issue · 1 comments

When you run aws-keychain exec ... the command will be in ps, along with the token.

Why not simply put them in ~/.aws/credentials, where they should be.

pda commented

When you run aws-keychain exec ... the command will be in ps, along with the token.

Got an example of that happening? I think you'll find the environment passed to the command is not exposed to unprivileged users via ps.

Why not simply put them in ~/.aws/credentials, where they should be.

Because then the secrets are stored in plaintext while at rest on disk. Keeping them encrypted in Keychain adds a layer of security, if not a perfect one. If that's not enough, see https://github.com/99designs/aws-vault for a more involved take on this, including generating time-limited session credentials.
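The exposure question raised in this thread can be checked directly. The script below is an added illustration, not code from aws-keychain: it starts two short-lived child processes, one given a made-up secret through its environment (the model aws-keychain exec uses) and one given the same secret on its command line, then inspects what the process table reports as each process's arguments. The secret value, variable name and the sleep commands are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Constructed example: what the process table exposes for a child process.
# The value below is a made-up placeholder, not a real credential.
SECRET='CONSTRUCTED-EXAMPLE-SECRET-VALUE'

# Return the argv of a pid as the process table reports it. Uses ps where
# available and falls back to /proc (Linux) for minimal containers.
cmdline_of() {
  local pid="$1"
  if command -v ps >/dev/null 2>&1; then
    ps -o args= -p "$pid" 2>/dev/null
  else
    tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null
  fi
}

# Stop a background child and reap it without tripping set -e.
reap() {
  kill "$1" 2>/dev/null || true
  wait "$1" 2>/dev/null || true
}

# Secret passed via the environment (the exec model): succeeds (exit 0)
# when the secret does NOT appear in the reported argv.
env_secret_hidden_from_ps() {
  local pid out
  env "MY_SECRET=$SECRET" sleep 5 &
  pid=$!
  out=$(cmdline_of "$pid")
  reap "$pid"
  case "$out" in
    *"$SECRET"*) return 1 ;;
    *)           return 0 ;;
  esac
}

# Secret passed as a command-line argument: succeeds (exit 0) when the
# secret DOES appear in the reported argv, i.e. it is visible to any user.
argv_secret_visible_in_ps() {
  local pid out
  # Two commands so the shell does not exec-optimise away its own argv.
  sh -c "sleep 5; echo $SECRET" &
  pid=$!
  out=$(cmdline_of "$pid")
  reap "$pid"
  case "$out" in
    *"$SECRET"*) return 0 ;;
    *)           return 1 ;;
  esac
}

# Stand-alone run: report both results.
if env_secret_hidden_from_ps; then
  echo "environment-passed secret: not in ps args"
else
  echo "environment-passed secret: VISIBLE in ps args"
fi
if argv_secret_visible_in_ps; then
  echo "argument-passed secret: VISIBLE in ps args"
else
  echo "argument-passed secret: not in ps args"
fi
```

The argv column is readable by every user on the host, which is why credentials belong in the environment rather than on the command line. The environment itself is still readable by the process owner and by root (for example via ps with the environment option, or /proc/PID/environ on Linux, which is mode 0400), so the protection described in the comment above is against other unprivileged users, not against a compromised account.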