AWS Shell Plugin - Credential Process Authentication
Platform or tool
AWS
Desired or expected behavior
AWS Shell plugin gets provisioned with secrets via a credential process.
Further details should be filled in when picking up this issue.
Current behavior
AWS shell plugin currently supports authentication via long-lived access key pairs and via STS temporary credentials for the Assume Role and MFA workflows.
Relevant log output
No response
op CLI version
No response
See https://github.com/claui/aws-credential-1password for possible inspiration / an existing workaround
With some small tweaks/hacks, I'm able to use the AWS shell plugin as a credential process for the AWS SDK.
It replaces the "aws-vault as a 'master credentials vault' for the AWS SDK" use case for me.
- I created a local build where the `credential_process` check is disabled: https://github.com/1Password/shell-plugins/blob/331a88565641fc8ecdad76814908bfd867816261/plugins/aws/sts_provisioner.go#L112-L114
- My `~/.aws/config` looks like this:
[default]
credential_process=op plugin run -- aws --profile=default exec -- jq --null-input "env | { Version: 1, AccessKeyId: .AWS_ACCESS_KEY_ID, SecretAccessKey: .AWS_SECRET_ACCESS_KEY, SessionToken: .AWS_SESSION_TOKEN, }"
[profile a]
source_profile=default
role_arn=...
[profile b]
source_profile=default
role_arn=...
[profile c]
source_profile=default
role_arn=...
- My `~/.aws/cli/alias` (reference) looks like this:
[toplevel]
exec = ! $@
- And I do not have `aws` aliased:
$ type aws
aws is /opt/homebrew/bin/aws
If 1Password team were to remove the credential_process check, the local build in step 1 would be unnecessary.
If a Terraform plugin won't be provided, I'm in favor of removing the credential_process check (maybe adding a warning once it's found and skipped by the parser). This is a relatively simple change that would benefit both the AWS Shell Plugin and standalone Terraform users.
Here is an alternative credential_process that I currently use to integrate 1Password into awscli (instead of the 1Password AWS Shell Plugin):
[default]
credential_process = sh -c "op --account=blah.1password.com --vault=Private item get --format=json --fields=label=AccessKeyId,label=SecretAccessKey AWS | jq 'map({key: .label, value: .value}) | from_entries + {Version: 1}'"
IIUC it basically does what @ianwestcott suggested here but without the extra dependency.
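Both workarounds above produce the same thing: the Version 1 JSON document that the AWS SDKs expect on the stdout of a `credential_process`. The script below is an added example, not code from this thread or from the 1Password shell-plugins project. It emits that document without depending on `jq`, reading the `AWS_*` variables that the `exec` alias trick leaves in its environment, and it refuses to pass through an unresolved `op://` secret reference, which is the symptom behind the `IncompleteSignatureException` seen when the plugin does not resolve the key. The `--emit` flag and the file path `~/.aws/op-credential-process.sh` are my own conventions.

```shell
#!/bin/sh
# Added example: a jq-free credential_process helper. It assumes the AWS_*
# variables have already been exported into its environment (as happens when it
# is the target of "op plugin run -- aws --profile=default exec -- ...").
set -eu

# Escape a value for use inside a JSON string (backslash and double quote).
# AWS key material contains neither, but the function stays correct if a
# session token or secret ever does.
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Emit the Version 1 credential_process document on stdout.
# Fails (non-zero exit, nothing on stdout) when the key pair is missing or when
# any value is still an unresolved 1Password reference such as op://vault/item.
credential_json() {
  key="${AWS_ACCESS_KEY_ID:-}"
  secret="${AWS_SECRET_ACCESS_KEY:-}"
  token="${AWS_SESSION_TOKEN:-}"

  if [ -z "$key" ] || [ -z "$secret" ]; then
    echo "credential_process: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY must be set" >&2
    return 1
  fi
  case "$key$secret$token" in
    *op://*)
      echo "credential_process: unresolved op:// secret reference in AWS_* environment" >&2
      return 1 ;;
  esac

  if [ -n "$token" ]; then
    printf '{"Version":1,"AccessKeyId":"%s","SecretAccessKey":"%s","SessionToken":"%s"}\n' \
      "$(json_escape "$key")" "$(json_escape "$secret")" "$(json_escape "$token")"
  else
    printf '{"Version":1,"AccessKeyId":"%s","SecretAccessKey":"%s"}\n' \
      "$(json_escape "$key")" "$(json_escape "$secret")"
  fi
}

# Only act as a credential_process when invoked with --emit (my convention), so
# the functions above can also be sourced and exercised on their own.
if [ "${1:-}" = "--emit" ]; then
  credential_json
fi
```

With the same `exec = ! $@` alias as above, the profile entry would read `credential_process=op plugin run -- aws --profile=default exec -- sh ~/.aws/op-credential-process.sh --emit` (assumed path). Because a failing run prints nothing on stdout and exits non-zero, the SDK reports a credential-provider error instead of signing a request with a literal `op://` string.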
Any updates on this?
Would highly appreciate some progress here, as AWS Copilot CLI doesn't play nice with 1password at the moment:
❯ copilot env ls
✘ get application test: IncompleteSignatureException: Credential must have exactly 5 slash-delimited elements, e.g. keyid/date/region/service/term, got 'op://Test/redacted/username/20250429/eu-central-1/ssm/aws4_request'
I'm currently using the AWS CLI with a properly configured credential_process entry in my ~/.aws/config profile.
This setup is necessary for tools like git-remote-s3, which do not invoke the AWS CLI but instead rely on boto3, which reads credentials directly from configuration files or environment variables.
When I run commands like aws s3 ls with AWS_PROFILE pointing to a profile that uses credential_process, everything works as expected - until the 1Password shell plugin intercepts the call. At that point, the following error appears:
[ERROR] 2025/05/02 01:16:46 could not run plugin AWS CLI: failed to provision credentials, encountered error(s):
Credential Process Authentication is not yet supported by the AWS Shell Plugin.
If you would like for this feature to be supported, upvote or take on its issue: https://github.com/1Password/shell-plugins/issues/213
While I understand that credential_process is not yet supported by the shell plugin, it shouldn't interfere with valid AWS configurations that are already working.
Please consider one of the following improvements:
- Allow users to suppress this error (e.g. via a config flag or env variable)
- Allow credential_process profiles to pass through untouched if unsupported
- Gracefully fall back to native AWS behavior when the plugin cannot handle a profile
The only current workaround is to bypass the shell plugin entirely and call the real AWS CLI binary directly, which is tedious and undermines the convenience the shell plugin is meant to provide.
P.S. Many thanks to @elliotdobson for the workaround!!!
> The only current workaround is to bypass the shell plugin entirely and call the real AWS CLI binary directly, which is tedious and undermines the convenience the shell plugin is meant to provide.
Agreed, I have to do unalias aws every time. This is very inconvenient and doesn't help the case of using 1PW CLI.