Using AWS credential_process and 1Password

18 Feb 2025 in TIL

A while back I read an excellent post from Paul Galow on securing AWS credentials with LastPass. I wanted exactly this, but with 1Password instead. Here's how to do it.

Configure 1Password

If you don't already have op installed, you'll need to install the op CLI from the 1Password website and sign in to your account (or enable the 1Password desktop app integration, which lets the app unlock the CLI for you).

Once that’s done, create a new vault for storing secrets that are accessible from the CLI:

bash
op vault create CLI

Then create a new item in that vault, replacing XXX with your real access key ID and secret access key. Giving the secret the [password] field type stores it as a concealed field rather than plain text:

bash
 op item create --category Password --vault CLI --title AWSCredentials 'ACCESS_KEY=XXX' 'SECRET_KEY[password]=XXX'

The command above is prefixed with a space so that it is not written to your shell history. That only helps if your shell is set to ignore space-prefixed commands (HIST_IGNORE_SPACE in zsh, HISTCONTROL=ignorespace in bash), and it does nothing about the secret being visible in the process list while the command runs; if that matters to you, create the item in the 1Password app instead.

Create the credential_process

The AWS CLI (and the SDKs) can read credentials from a process rather than a static credentials file. It expects the process to print a single JSON object on stdout containing Version (which must be 1), AccessKeyId and SecretAccessKey, plus SessionToken and Expiration (an ISO 8601 timestamp) when the credentials are temporary ones issued by STS. If Expiration is absent the credentials are treated as long-term. Anything else written to stdout breaks the parsing, so a helper must keep its diagnostics on stderr and exit non-zero when it cannot fetch the keys.
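The contract above is small enough to check end to end. The following is an added example, not code from the original post: it builds the document a credential_process helper must emit (both the long-term form used in this post and the temporary form with SessionToken and Expiration) and validates it the way the CLI would. The 1Password lookup is replaced by a constructed in-memory dictionary with placeholder key values so that it runs offline; `read_secret` stands in for `op read`.

```python
"""Build and validate credential_process output (added example, not from the post).

The constructed FAKE_VAULT below stands in for `op read op://CLI/AWSCredentials/<field>`;
its values are placeholders, not real AWS keys.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed stand-in for the 1Password item; values are placeholders.
FAKE_VAULT = {
    "ACCESS_KEY": "AKIAEXAMPLEEXAMPLE",
    "SECRET_KEY": "examplesecretexamplesecretexamplesecret",
}

REQUIRED_KEYS = ("Version", "AccessKeyId", "SecretAccessKey")
ISO_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def read_secret(field: str, vault: dict = FAKE_VAULT) -> str:
    """Stand-in for `op read`. Refuses to return an empty value, because an
    empty key would otherwise be emitted as a syntactically valid document."""
    value = vault.get(field, "").strip()
    if not value:
        raise RuntimeError(f"empty value for {field}; refusing to emit credentials")
    return value


def build_credential_document(access_key: str, secret_key: str,
                              session_token: Optional[str] = None,
                              expiration: Optional[datetime] = None) -> str:
    """Serialise the JSON object the CLI expects on stdout."""
    doc = {"Version": 1, "AccessKeyId": access_key, "SecretAccessKey": secret_key}
    if session_token:
        doc["SessionToken"] = session_token
    if expiration is not None:
        if expiration.tzinfo is None:
            raise ValueError("Expiration must be timezone-aware")
        doc["Expiration"] = expiration.astimezone(timezone.utc).strftime(ISO_FORMAT)
    return json.dumps(doc)


def build_long_term_document() -> str:
    """What the helper script in this post does: long-term keys, no Expiration."""
    return build_credential_document(read_secret("ACCESS_KEY"), read_secret("SECRET_KEY"))


def build_temporary_document(access_key: str, secret_key: str,
                             session_token: str, ttl_seconds: int) -> str:
    """Temporary credentials (e.g. from STS) expiring ttl_seconds from now."""
    expiration = datetime.now(timezone.utc) + timedelta(seconds=ttl_seconds)
    return build_credential_document(access_key, secret_key, session_token, expiration)


def validate_credential_document(text: str) -> dict:
    """Parse helper output and apply the checks the CLI applies; raise ValueError on problems."""
    doc = json.loads(text)  # JSONDecodeError is a ValueError subclass
    if not isinstance(doc, dict):
        raise ValueError("credential_process output must be a JSON object")
    missing = [k for k in REQUIRED_KEYS if k not in doc]
    if missing:
        raise ValueError(f"missing required keys: {missing}")
    if doc["Version"] != 1:
        raise ValueError(f"unsupported Version {doc['Version']!r}; must be 1")
    for key in ("AccessKeyId", "SecretAccessKey", "SessionToken"):
        if key in doc and (not isinstance(doc[key], str) or not doc[key]):
            raise ValueError(f"{key} must be a non-empty string")
    if "Expiration" in doc:
        # Absent Expiration means long-term credentials; present means it must be
        # a valid ISO 8601 timestamp that has not already passed.
        expiration = datetime.fromisoformat(doc["Expiration"].replace("Z", "+00:00"))
        if expiration <= datetime.now(timezone.utc):
            raise ValueError("credentials already expired")
    return doc


def is_valid_document(text: str) -> bool:
    """Boolean convenience wrapper around validate_credential_document."""
    try:
        validate_credential_document(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    output = build_long_term_document()
    validate_credential_document(output)
    print(output)  # a real helper prints exactly this and nothing else on stdout
```

Run it with `python3 aws_credential_process_check.py`; to check the real helper from this post instead, pipe its output into `validate_credential_document`. The refusal to emit empty values matters in practice: if `op read` fails and the helper keeps going, the CLI receives a well-formed document with blank keys and the resulting error is far harder to diagnose than an immediate non-zero exit.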

Copy and paste the following into a terminal to create the credentials script. It exits non-zero if either op read fails (vault locked, item missing), so the AWS CLI reports an error instead of receiving empty keys; note that the assignments are deliberately separate from readonly, because readonly var=$(cmd) would mask the exit status of cmd:

bash
export AWS_HELPER="$HOME/bin/aws-1password"
mkdir -p "$HOME/bin"
cat > "$AWS_HELPER" <<'EOF'
#!/usr/bin/env bash
# Fetch the AWS keys from 1Password and print them in credential_process format.
set -euo pipefail
readonly opVault="CLI"
readonly opEntry="AWSCredentials"
accessKeyId=$(op read "op://$opVault/$opEntry/ACCESS_KEY")
secretAccessKey=$(op read "op://$opVault/$opEntry/SECRET_KEY")
readonly accessKeyId secretAccessKey
# Create the JSON object that the AWS CLI expects (Version must be 1)
jq -n \
  --arg accessKeyId "$accessKeyId" \
  --arg secretAccessKey "$secretAccessKey" \
  '.Version = 1
   | .AccessKeyId = $accessKeyId
   | .SecretAccessKey = $secretAccessKey'
EOF
chmod +x "$AWS_HELPER"

Configure AWS

The final thing to do is to create an AWS config file that uses that script to fetch credentials. The command below overwrites any existing $HOME/.aws/config; if you already have one, add a [profile name] section with the same credential_process line instead and select it with --profile or AWS_PROFILE:

bash
mkdir -p "$HOME/.aws"
echo "[default]
credential_process = $AWS_HELPER" > "$HOME/.aws/config"

To check if it worked, run aws configure list. You should be prompted for your 1Password credentials to unlock the vault, and the Type column should show custom-process for both keys, which confirms they came from the helper rather than a static credentials file.

bash
$ aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************XYZ   custom-process
secret_key     ****************XYZ   custom-process
    region                <not set>             None    None