{"id":15694039,"url":"https://github.com/npalm/aws-auth","last_synced_at":"2025-05-08T05:58:39.634Z","repository":{"id":37856280,"uuid":"202738635","full_name":"npalm/aws-auth","owner":"npalm","description":"Shell functions to handle secrets stored in pass, LastPass or Keychain for AWS","archived":false,"fork":false,"pushed_at":"2022-09-13T14:53:01.000Z","size":25,"stargazers_count":8,"open_issues_count":0,"forks_count":6,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-05-08T05:58:34.360Z","etag":null,"topics":["aws","bash","hacktoberfest","keychain","lastpass","mfa","pass","secrets","shell","shell-script"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/npalm.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-08-16T14:07:56.000Z","updated_at":"2024-09-03T07:28:00.000Z","dependencies_parsed_at":"2023-01-17T16:01:26.838Z","dependency_job_id":null,"html_url":"https://github.com/npalm/aws-auth","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/npalm%2Faws-auth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/npalm%2Faws-auth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/npalm%2Faws-auth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/npalm%2Faws-auth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/npalm","download_url":"https://codeload.github.com/npalm/aws-auth/tar.gz/refs/heads/master","host":{"na
me":"GitHub","url":"https://github.com","kind":"github","repositories_count":253009892,"owners_count":21839714,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","bash","hacktoberfest","keychain","lastpass","mfa","pass","secrets","shell","shell-script"],"created_at":"2024-10-03T18:51:25.174Z","updated_at":"2025-05-08T05:58:39.618Z","avatar_url":"https://github.com/npalm.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AWS secrets management for command line\n\nA set of bash/zsh functions to handle your AWS secrets stored in a password store. Supported stores: pass, LastPass, and OSX Keychain.\n\n## TL;DR\n\nAvoid storing secrets in a plain text file. Requires the console password manager [pass](https://www.passwordstore.org/), OSX Keychain, or lastpass-cli.\n\n```bash\nsource aws-auth-utils.sh\n## insert secrets\naws-auth-create-secret-access-keys home\n## aws login\naws-auth-login home\n```\n\n## Avoid AWS secrets in plain text\n\nThe bash script `aws-auth-utils.sh` contains several methods to use the AWS CLI without storing secrets in plain text in a credentials file. It requires the command line password manager [pass](https://www.passwordstore.org/) or OSX Keychain. 
Use with and without MFA is supported.\n\nThe following functions are available; all support the option `-help` to show some basic help information.\n\n- aws-auth-mfa-login - set shell environment for AWS using MFA.\n- aws-auth-login - set shell environment for AWS without using MFA.\n- aws-auth-activate-profile - activates a profile.\n- aws-auth-deactivate-profile - deactivates a profile.\n- aws-auth-clear - clear AWS related environment variables.\n- aws-auth-create-secrets - to insert access keys and MFA ARN in the password store.\n- aws-auth-create-secret-access-keys - to insert access keys in the password store.\n- aws-auth-create-secret-mfa - to insert MFA ARN in the password store.\n- aws-auth-mfa-devices-for-user - list MFA devices for a user.\n\nDue to [a bug](https://github.com/aws/aws-cli/issues/3875) in the AWS CLI, the `AWS_PROFILE` variable is not interpreted by the AWS CLI. Therefore the `aws-activate-profile` function aliases the aws command to append `--profile` for the activated profile.\n\n## Supported password stores\n\nThe default password store is `pass`, a standard store for the Unix command line. By setting the environment variable `AWS_AUTH_PASSWORD_STORE` you can switch to one of the supported password managers. The following are supported.\n\n- [pass](https://www.passwordstore.org/)\n- [LastPass](https://github.com/lastpass/lastpass-cli) - `AWS_AUTH_PASSWORD_STORE=LPASS`\n- OSX Keychain - `AWS_AUTH_PASSWORD_STORE=OSX_KEYCHAIN`\n\nYou can insert secrets via the commands `aws-auth-create-secrets`, `aws-auth-create-secret-access-keys` and `aws-auth-create-secret-mfa`.\n\nSecrets will be stored using an alias in the store.\n\n- pass: alias will be the `path` in pass.\n- LastPass: alias will be the `folder` in LastPass.\n- OSX Keychain: alias will be the `name` in Keychain.\n\n## Usages\n\nSource the functions into your shell environment. The functions require `jq` for parsing JSON objects. 
For storing passwords, `pass` is used by default.\n\n```bash\nsource aws-auth-utils.sh\n```\n\nInsert secrets for your AWS accountX into pass.\n\n```bash\naws-auth-create-secret-access-keys accountX\n```\n\nNext add the MFA device ARN to pass for the same account.\n\n```bash\naws-auth-create-secret-mfa accountX\n```\n\nNow you can simply obtain an AWS session token.\n\n```bash\naws-auth-mfa-login accountX 123456\n# verify you can access your account:\naws sts get-caller-identity\n```\n\nActivate a profile (switch role) to access another account. Cross-account access needs to be set up on AWS.\n\nA configuration like the one below is expected in your `~/.aws/config` file.\n\n```toml\n[profile accountY]\nrole_arn = arn:aws:iam::123456789:role/AllowAccessFromAccountX\ncredential_source = Environment\n```\n\nNow simply activate the profile to access accountY.\n\n```bash\naws-auth-activate-profile accountY\n# verify you can access your account:\naws sts get-caller-identity\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnpalm%2Faws-auth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnpalm%2Faws-auth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnpalm%2Faws-auth/lists"}