{"id":20398492,"url":"https://github.com/keeper-security/aws-credential-process","last_synced_at":"2025-04-12T13:13:56.974Z","repository":{"id":203141716,"uuid":"708906744","full_name":"Keeper-Security/aws-credential-process","owner":"Keeper-Security","description":"AWS CLI credential process integration using Keeper Secrets Manager","archived":false,"fork":false,"pushed_at":"2025-03-24T09:47:17.000Z","size":86,"stargazers_count":3,"open_issues_count":1,"forks_count":0,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-04-12T13:13:50.277Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Keeper-Security.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-10-23T16:12:02.000Z","updated_at":"2024-10-02T21:09:03.000Z","dependencies_parsed_at":null,"dependency_job_id":"fae01c4b-9108-4c59-b4b3-14b801e432d2","html_url":"https://github.com/Keeper-Security/aws-credential-process","commit_stats":null,"previous_names":["keeper-security/aws-credential-process"],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keeper-Security%2Faws-credential-process","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keeper-Security%2Faws-credential-process/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keeper-Security%2Faws-credential-process/releases","manifests_url":"https://repos.ecosy
ste.ms/api/v1/hosts/GitHub/repositories/Keeper-Security%2Faws-credential-process/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Keeper-Security","download_url":"https://codeload.github.com/Keeper-Security/aws-credential-process/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248571850,"owners_count":21126522,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-15T04:22:18.389Z","updated_at":"2025-04-12T13:13:56.949Z","avatar_url":"https://github.com/Keeper-Security.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"![GitHub](https://img.shields.io/github/license/Keeper-Security/aws-credential-process)\n![GitHub Workflow Status (with event)](https://img.shields.io/github/actions/workflow/status/Keeper-Security/aws-credential-process/test.yml)\n![GitHub release (with filter)](https://img.shields.io/github/v/release/Keeper-Security/aws-credential-process)\n\n# Keeper AWS CLI Credential Process\n\nBy default, the AWS CLI uses credentials stored in plaintext in `~/.aws/credentials`. 
With this credential process, you can now use the Keeper Vault to store your AWS credentials, removing the need to have them on disk on the endpoint.\n\nInstead, the AWS CLI will use this executable to fetch your AWS credentials from your Vault securely using the Keeper Secrets Manager (KSM).\n\n## Requirements\n\nUsage requires:\n\n- AWS credentials (see [here](https://docs.aws.amazon.com/cli/latest/userguide/cli-services-iam-create-creds.html) on how to generate Access Keys)\n- Keeper Secrets Manager (KSM) enabled\n- AWS CLI v2\n\nDevelopment requires the above plus:\n\n- Go \u003e v1.21\n\n## Setup\n\n### Vault\n\nThe first step in setting up the integration is to add your AWS `Access Key ID` and your `Secret Access Key` to a record in your Vault. There is no built-in record type for this kind of secret; however, we can [create a custom record](https://docs.keeper.io/user-guides/record-types#custom-record-types) for this purpose alone. \n\nWhat you name this custom record type is up to you. However, this credential process looks specifically for fields named `Access Key ID` and `Secret Access Key`. These fields must be present for successful authentication.\n\n\u003e Note: Field names are case-sensitive. \n\n![Custom Record of Access Key](assets/custom-record.png)\n\nOnce you have created your custom record type, you can use it to create a record for your AWS Access Key. This record should be stored in a shared folder that your KSM application has permission to access.\n\nOnce the Access Key is safely stored, you can delete it from your AWS credential file.\n\n### KSM\n\nThe integration expects a KSM Application Configuration file at either `.config/keeper/aws-credential-process.json` or `aws-credential-process.json` relative to the user's home directory. It must have access to a Shared Folder that contains the required AWS Access Key. 
For help in obtaining a KSM configuration in JSON format, [follow these instructions](https://docs.keeper.io/secrets-manager/secrets-manager/about/secrets-manager-configuration#creating-a-secrets-manager-configuration).\n\n\u003e For help setting up the KSM and creating an application, head to the [official docs](https://docs.keeper.io/secrets-manager/secrets-manager/quick-start-guide).\n\n### AWS Config\n\nIn your AWS config, which is usually located at `~/.aws/config`, add the following line to any profile you are using via the CLI. \n\n```ini\n# Add the UID for your AWS Access Key\ncredential_process = /path/to/keeper-aws-credential-process --uid \u003cRecord UID\u003e\n```\n\n## Usage \n\nOnce configured as above, the AWS CLI will automatically fetch your authentication credentials from the Keeper Vault. You can test that it works by running any CLI command for which you have an appropriate IAM role, such as:\n\n```shell\n# List all s3 buckets\naws s3 ls\n```\n\nIf the command completes without error, congratulations, you are now fully set up.\n\n## Contributing\n\nPlease read and refer to the [contribution guide](https://github.com/Keeper-Security/aws-credential-process/blob/main/CONTRIBUTING.md) before making your first PR.\n\nThis module uses the built-in Golang tooling for building and testing:\n\n```shell\n# Run unit tests\ngo test ./...\n\n# Build a local binary\ngo build -o keeper-aws-credential-process ./cmd/aws-credential-process/main.go\n```\n\nFor bugs, changes, etc., please [submit an issue](https://github.com/Keeper-Security/aws-credential-process/issues).","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkeeper-security%2Faws-credential-process","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkeeper-security%2Faws-credential-process","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkeeper-security%2Faws-credential-process/lists"}