undefined | Better HN

0 pointstimwis14d ago0 comments

That looks interesting, but unless I'm missing it, it still leaves you with things like ~/.aws/credentials in plaintext on disk, doesn't it?

0 comments

pprotas14d ago

Yes, although there are ways around it.

The other commenter mentioned a possible workaround, but you can also authenticate with AWS through env variables. You could store these in sops and have an alias or task that routes your aws commands through sops:

  sops exec-env secrets.enc.yaml 'aws something something' # sops injects decrypted credentials into env vars at runtime

Hackbraten14d ago

AWS allows you to set `credential_process` and have it point to a script that fetches your credential from wherever you like and print it to stdout.

j / k navigate · click thread line to collapse

0 comments

pprotas14d ago

Yes, although there are ways around it.

  sops exec-env secrets.enc.yaml 'aws something something' # sops injects decrypted credentials into env vars at runtime

Hackbraten14d ago

AWS allows you to set `credential_process` and have it point to a script that fetches your credential from wherever you like and print it to stdout.

j / k navigate · click thread line to collapse