aws-cli
Allow for storing secret_key values in system keychain
Boto supports the ability to store your secret_key using the system keychain/keyring service.
For example, your ~/.boto file may contain the following:
[Credentials]
aws_access_key_id=<my-access-key-id>
keyring=aws
This makes it possible to keep at least your secret key encrypted.
I just started going through the code for this, and it looks like that isn't an option with the aws-cli configuration commands at this point.
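As an added illustration (not part of the original issue, and not boto or aws-cli code): a Python helper that reads the ~/.boto-style section shown above, fetches the secret key from the OS keyring through the optional third-party keyring package, and prints it in the JSON shape the AWS CLI accepts from a credential_process command. The function names, the sample key id, the refusal of a plaintext secret, and the lookup convention (service name from the keyring option, username from the access key id) are assumptions of this example.

```python
import configparser
import json
import sys

# Constructed sample mirroring the ~/.boto snippet in the post (placeholder key id).
SAMPLE_BOTO_CONFIG = """\
[Credentials]
aws_access_key_id = AKIAEXAMPLEKEYID0000
keyring = aws
"""


def keyring_lookup(service, username):
    """Default backend: the optional third-party `keyring` package."""
    try:
        import keyring  # optional dependency, imported only when actually needed
    except ImportError as exc:
        raise RuntimeError("keyring package is not installed") from exc
    return keyring.get_password(service, username)


def resolve_credentials(config_text, lookup=keyring_lookup):
    """Return (access_key_id, secret_key) without reading a secret from disk."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    creds = parser["Credentials"]
    # Choice made by this example: a plaintext secret next to `keyring` is an error.
    if "aws_secret_access_key" in creds:
        raise ValueError("plaintext aws_secret_access_key present; remove it")
    access_key = creds["aws_access_key_id"]
    # Assumption: service name = `keyring` option, username = access key id.
    secret = lookup(creds["keyring"], access_key)
    if not secret:
        raise LookupError("no keyring entry for %s/%s" % (creds["keyring"], access_key))
    return access_key, secret


def credential_process_json(access_key, secret):
    """Format the pair as the JSON document a credential_process command prints."""
    return json.dumps({"Version": 1, "AccessKeyId": access_key, "SecretAccessKey": secret})


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BOTO_CONFIG
    try:
        print(credential_process_json(*resolve_credentials(text)))
    except (RuntimeError, ValueError, LookupError) as err:
        sys.exit("credential lookup failed: %s" % err)  # non-zero exit, nothing on stdout
```

The `lookup` parameter lets the keyring backend be swapped for a stub in tests, so the secret never has to exist outside the OS credential store.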
This has already been filed by @garnaat as an enhancement for the underlying botocore library (see https://github.com/boto/botocore/issues/59), and @teoruiz has submitted a resp. pull request (see https://github.com/boto/botocore/pull/72) - I guess when the latter is integrated one way or another (might need minor work), support within the aws-cli will be implied (or trivial to add at least).
I do think this would be a good addition. We did this already for boto itself so implementing it for botocore and AWS CLI makes sense. It's unfortunate that it brings another dependency.
On Thu, Dec 12, 2013 at 3:39 PM, Steffen Opel wrote:
> This has already been filed by @garnaat as an enhancement for the underlying botocore library (see https://github.com/boto/botocore/issues/59), and @teoruiz has submitted a resp. pull request (see https://github.com/boto/botocore/pull/72) - I guess when the latter is integrated one way or another (might need minor work), support within the aws-cli will be implied (or trivial to add at least).
I believe the keyring dependency is transparently handled as optional in boto, and could similarly be optional in botocore, see https://github.com/boto/botocore/pull/72#issuecomment-30154277 for details/references.
The optional dependency has now been added to the PR.
@garnaat do you think this PR could be merged? Would you like me to add anything else?
Cheers!
Is there a way to help get this issue closed? I'd love to help make it happen if there's a way.
+1
Surfacing this once again.
Since boto3 does not seem to support keyring or other system keychains, would the maintainers consider accepting PRs that would handle this within awscli?
Good Morning!
We're closing this issue here on GitHub, as part of our migration to UserVoice for feature requests involving the AWS CLI.
This will let us get the most important features to you, by making it easier to search for and show support for the features you care the most about, without diluting the conversation with bug reports.
As a quick UserVoice primer (if not already familiar): after an idea is posted, people can vote on the ideas, and the product team will be responding directly to the most popular suggestions.
We’ve imported existing feature requests from GitHub - Search for this issue there!
And don't worry, this issue will still exist on GitHub for posterity's sake. As it’s a text-only import of the original post into UserVoice, we’ll still be keeping in mind the comments and discussion that already exist here on the GitHub issue.
GitHub will remain the channel for reporting bugs.
Once again, this issue can now be found by searching for the title on: https://aws.uservoice.com/forums/598381-aws-command-line-interface
-The AWS SDKs & Tools Team
Based on community feedback, we have decided to return feature requests to GitHub issues.
There's a PR that has implemented this for years: https://github.com/boto/botocore/pull/1262
However, it seems that the maintainers for botocore have vanished (PR is a few years old already)?
Dredging this old feature request back up to call out that a lot of enterprise customers have been asking for this. And leveraging OS credential systems would have prevented the flaw described in the article :) https://www.infosecurity-magazine.com/news/leakycli-exposes-aws-google-cloud/