This is an unofficial 1Password credentials helper for the AWS CLI.
This tool enables the aws command to use AWS credentials from your 1Password vault.
That way, your AWS credentials stay encrypted at rest on your device, which is known to be a good security practice. You no longer have to keep your credentials in plain text in your ~/.aws/config file.
The tool is neither affiliated with nor endorsed by 1Password or AWS. It’s also alpha-quality and largely untested. Use it at your own risk.
This tool requires Linux or macOS. You also need an active 1Password membership.
To install aws-credential-1password manually:
- Install the 1Password command-line tool.
- Install jq.
- Copy the aws-credential-1password executable into a directory that is in your PATH.
To install aws-credential-1password via the AUR, use your favorite AUR helper to install the aws-credential-1password package.
For example, if you use aurutils, run aur sync aws-credential-1password and then sudo pacman -Syu aws-credential-1password.
To install aws-credential-1password via Homebrew, run:
brew install claui/public/op-aws-credentials-client
If you put it in your ~/.aws/config file, the aws command will get secrets from your 1Password vault.
- Open your terminal.
- Confirm that your 1Password CLI is properly configured and signed into your 1Password vault. To do that, check the output of the following shell command:
    $ op vault list
- Next, open the 1Password app and create a login item with two fields named Access Key ID and Secret Access Key. Fill in your AWS credentials into those fields.
- Open the 1Password preferences and go to the Advanced tab. Tick the checkbox(es) that enable UUID and JSON copying. The checkbox may be called Show debugging tools but the name can vary depending on which version of the 1Password app you have.
- Obtain the UUID of your login item in 1Password. To do that, right-click on the login item and choose either UUID or JSON, depending on what the app offers you. If you choose JSON, paste the result to a text editor and locate the UUID manually. Copy the UUID to your clipboard.
- Create a file config in your ~/.aws directory if it’s not already there.
- Edit your ~/.aws/config as follows:
    [default]
    credential_process = /path/to/aws-credential-1password OP_VAULT OP_ITEM ACCESS_KEY_ID_FIELDNAME SECRET_ACCESS_KEY_FIELDNAME
- In the config file, replace the fragment /path/to/aws-credential-1password with the actual path to your aws-credential-1password script.
- Run op vault list to see the UUIDs of your vaults. In the config file, replace the fragment OP_VAULT with the UUID of your vault.
- In the config file, replace the fragment OP_ITEM with the UUID of your login item.
- In the 1Password app (or the exported JSON), look at the names of the 1Password fields that contain your AWS access key ID and your secret access key. In the config file, replace the fragments ACCESS_KEY_ID_FIELDNAME and SECRET_ACCESS_KEY_FIELDNAME with those field names.
- To confirm that everything is working, run:
    $ aws iam get-user
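A follow-up check for the steps above, added here as an example and not part of the project's own code: this Python sketch audits the text of an AWS config file for profiles that still hold plaintext keys and for credential_process lines that were filled in incorrectly. It assumes the helper takes exactly the four arguments shown in the template; the function name, the sample file and every UUID, path and key in it are constructed.

```python
import configparser
import shlex

# Settings that keep long-lived AWS secrets in plain text.
STATIC_KEYS = ("aws_access_key_id", "aws_secret_access_key")
# Template fragments from the README that must be replaced before use.
PLACEHOLDERS = {"/path/to/aws-credential-1password", "OP_VAULT", "OP_ITEM",
                "ACCESS_KEY_ID_FIELDNAME", "SECRET_ACCESS_KEY_FIELDNAME"}

def audit_aws_config(text):
    """Return sorted (section, finding) pairs for one AWS config file."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = set()
    for section in parser.sections():
        opts = parser[section]
        for key in STATIC_KEYS:
            if opts.get(key, "").strip():
                findings.add((section, f"plaintext {key}"))
        command = opts.get("credential_process")
        if command is None:
            continue
        argv = shlex.split(command)  # quoted field names stay one argument
        if not argv or not argv[0].startswith("/"):
            findings.add((section, "helper path is not absolute"))
        # Assumption: helper path plus the four arguments in the README template.
        if len(argv) != 5:
            findings.add((section, f"expected 4 helper arguments, got {len(argv[1:])}"))
        if PLACEHOLDERS.intersection(argv):
            findings.add((section, "unreplaced template placeholder"))
    return sorted(findings)

# Constructed sample; every UUID, path and key below is made up.
SAMPLE = """\
[default]
credential_process = /usr/local/bin/aws-credential-1password vaultuuid0001 itemuuid0001 "Access Key ID" "Secret Access Key"

[profile legacy]
aws_access_key_id = EXAMPLEKEYID
aws_secret_access_key = EXAMPLESECRET

[profile draft]
credential_process = aws-credential-1password OP_VAULT itemuuid0002 Access Key ID Secret Access Key
"""

if __name__ == "__main__":
    for section, finding in audit_aws_config(SAMPLE):
        print(f"{section}: {finding}")
```

The draft profile shows why field names that contain spaces, such as Access Key ID, need double quotes: under shell-style splitting they otherwise count as several arguments.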
Sign into the 1Password CLI, then use the aws command normally.
Copyright (c) 2021 The aws-credential-1password authors
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.