AWS Pass tool

Posted on 2018-12-09 Updated on 2019-10-03

Keeping AWS passwords for different accounts secure. Introducing awspass, a tiny tool to manage them. Well-known tools, almost out of the box. No tricks, just a bit of integration.

Why yet another solution

Let's say you need a safe method to store credentials. That part is well known, and there are many tools for it. Say, GPG: your credentials are encrypted with your public key, and the private key is needed to decrypt them. But then managing the files and giving several people access gets quite problematic. Luckily, as usual, someone else had this issue before. The answer is pass!

What I like about pass is that stored information can be accessed using many keys, so a team can have access to it. Rolling credentials, granting and revoking access become quite easy. It is just a shared directory in a GitHub repo. All files are encrypted, so only a private key allows access.

There is no dedicated tool to deal with AWS credentials with pass. Well, I'm not aware of any.

Setting up GPG

I've decided to start with GPG, to give you as much as possible in one place.

So first GPG is needed. If you need more information on how it works, or even what it is for, please visit this GPG tutorial.

To start with GPG, it needs to be installed. Under Debian/Ubuntu use:

sudo apt install gpg

Generating new key:

gpg2 --generate-key

The GPG tutorial mentioned above tells us to generate a revocation certificate. That is good practice, so do that:

gpg2 --gen-revoke --armor --output=RevocationCertificate.asc your@email.address

To publish the key we need its keyID:

gpg2 --list-keys your@email.address

And finally publish:

gpg2 --send-keys keyID

Setting up pass

Pass keeps all the secret data in encrypted files. By default they live in ~/.password-store. No worries, there is no need to go over that data with ls/cat commands. You have pass for that.

But first things first. Installing pass is the first step. Under Debian/Ubuntu call:

sudo apt install pass

Having pass installed, the storage needs to be prepared. pass init takes the ID of the GPG key the store will be encrypted to:

pass init keyID

A full description of installation and other information can be found here. Useful commands are:

pass ls - to traverse the storage,
pass show - to show a secret,
pass insert - to add or update a secret.

A secret here is text content that you don't want to disclose. AWS credentials are built of two key-value pairs: the access key and the secret/password. For pass it does not matter. Simply call:

pass insert -m aws/env_name

When you call it, you will be prompted for a multiline secret (the -m option enables that). Press CTRL-D when done. For instance:

aws_access_key_id = AKIAJET90BZ9ZWB6ONDF
aws_secret_access_key = 794rFDBEqJzKR94berqhxmcMwpfnNWT1X18JwZ0w

And that is it. Add other environments and accounts if needed. When you are done, call:

$ pass ls aws

I've got:

├── prep
├── prod
├── qa
└── test

4 credentials, for 4 environments. Easy.

Using the credentials is not very complicated. I could have a script which calls pass aws/{env_name} > ~/.aws/credentials, or something similar, but what about rolling AWS keys? I mean, generating new key/secret pairs, just for security. Say I have those 4 environments and should do it every 2 weeks, or maybe every week? Maybe it is a good idea to check whether something is outdated or not? And here my tiny Python script, awspass, comes into play.

Setting up awspass

There are some requirements:

sudo pip3 install boto3 passpy Click

Boto3 is needed since the script works with AWS, passpy is an interface to pass, and Click brings a nice CLI.

The magic looks like this:

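from passpy import Store

store = Store()
ENVS = ['test', 'qa', 'prod', 'prep']
# .
# .
# .
# .
def get_all():
    """get all the data"""
    res = {}
    for e in ENVS:
        # read the multiline entry stored under aws/<env>
        access_context = store.get_key(f'aws/{e}')
        # the listing ends here; keeping the raw entry is an assumed completion
        res[e] = access_context
    return res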

The script is in my repo.

It uses ~/.aws/credentials to switch between environments. It also puts the environment name into ~/.aws/account so my PROMPT_COMMAND can print it out, and I can see where I am.
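The switch and the "is something outdated?" check described above, as an added sketch that is not the awspass script itself. The function names are hypothetical, the sample entry uses the placeholder keys from the AWS documentation, and the 14-day default mirrors the "every 2 weeks" mentioned earlier.

```python
import configparser
import io
import os
from datetime import timedelta

REQUIRED = ("aws_access_key_id", "aws_secret_access_key")
# Constructed sample entry (AWS documentation placeholder values, not real keys).
SAMPLE = ("aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
          "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")


def parse_entry(text):
    """Parse the multiline secret stored with `pass insert -m aws/<env>`."""
    pairs = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if line.strip() and not sep:
            raise ValueError("expected 'key = value'")  # never echo the secret
        if sep:
            pairs[key.strip()] = value.strip()
    missing = [k for k in REQUIRED if not pairs.get(k)]
    if missing:
        raise ValueError("entry is missing: " + ", ".join(missing))
    return pairs


def render_credentials(entry, profile="default"):
    """Build the text of ~/.aws/credentials for one environment."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg[profile] = {k: entry[k] for k in REQUIRED}
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()


def write_private(path, text):
    """Write the file with mode 0600, tightening one that already exists."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o600)


def stale_keys(metadata, now, max_age=timedelta(days=14)):
    """Ids of active keys older than max_age; `metadata` has the shape of
    boto3's iam.list_access_keys()["AccessKeyMetadata"]."""
    return [m["AccessKeyId"] for m in metadata
            if m["Status"] == "Active" and now - m["CreateDate"] > max_age]
```

In real use the text passed to parse_entry would come from store.get_key(f'aws/{env}') and the metadata from boto3.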

What else you can do?

Well, all credentials are encrypted, so you can store them in your git repo, and sync.

Speaking of sync: use .gpg-id to list the keys allowed to decrypt. If someone is no longer in the team, there is an easy way to revoke access. More on that in the man page. Since older commits in the git history stay decryptable with the removed key, rotate the credentials as well. Things like password rotation are easier, since distribution goes smoothly: make a symlink between your project and a subdirectory in ~/.password-store, and it works. After a rotation, git pull and that's it.

There are browser plugins that store credentials in pass, so you can have one set of credentials no matter which browser is used.