AWS API Keys in OSX Keychain

AWS API Keys are powerful things that you don’t want to leave lying around. Amazon’s suggestion is to keep them in ~/.aws/config. I’m not a fan of that. OSX has Keychain, a secure repository for credentials and the place where most OSX apps cache your logins to various websites. This might not be the ideal solution, but it’s better than an unencrypted file in your home directory.

I’ve built a set of three scripts that use OSX Keychain to store your AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, and retrieve them into environment variables when you need to call the AWS API or run any script that honors those variables.

aws_account.sh should be added to your .profile. It gives you two new bash functions. aws_account will fetch the API credentials from keychain and put them into the environment. ch_region sets the AWS_DEFAULT_REGION environment variable. Both update your bash prompt to let you know which account and which region your commands will be executed against.

Patton:~ chris$ aws_account pht chris us-west-2
Using pht as my AWS Account
No EC2 Instances running
[chris@Patton bin] chris@pht (us-west-2):

add_aws_cred.sh takes the credentials.csv file you download from the AWS console and imports it into Keychain.

rotate_api_keys.sh will do just that. It creates a new key, loads it into your keychain, then deactivates your current API key. AWS has a default limit of two keys per user, so if there is an inactive key the script deletes it first, and if there is just one key it simply creates the new one. If there are two active keys, it prompts you to delete or deactivate one first.
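To make the mechanics concrete, here is an added example that is not the aws_scripts code: the same store, import, load-into-environment and two-key decision steps written against the macOS `security` CLI. The service labels, the profile-name convention and the CSV column detection are my own assumptions; the `list-access-keys` text layout is what the AWS CLI prints with `--output text`.

```shell
#!/bin/sh
# Added example, not the author's aws_scripts: the same idea (keys live in the login
# keychain, are pulled into the environment on demand) using the macOS `security` CLI.
# Assumptions: service names below are my own labels; credentials.csv has a header row
# naming the "Access key ID" and "Secret access key" columns (older/newer IAM spellings ok).
SERVICE=aws-api-key   # assumed label; the keychain "account" field holds the profile name

# Pull the first key pair out of an IAM credentials.csv, locating columns by header name.
parse_credentials_csv() {   # usage: parse_credentials_csv <csv>  -> "ACCESS_KEY_ID SECRET"
  awk -F',' '
    NR==1 { for (i=1;i<=NF;i++) { h=tolower($i); gsub(/[\r" ]/,"",h)
            if (h=="accesskeyid") k=i; if (h=="secretaccesskey") s=i }
            if (!k || !s) { print "unrecognized header" > "/dev/stderr"; exit 1 }; next }
    NR==2 { gsub(/[\r"]/,""); print $k, $s; exit }' "$1"
}

# Store one profile's pair as two generic-password items; -U updates an existing item.
aws_cred_store() {   # usage: aws_cred_store <profile> <access_key_id> <secret>
  security add-generic-password -U -s "$SERVICE-id"     -a "$1" -w "$2" &&
  security add-generic-password -U -s "$SERVICE-secret" -a "$1" -w "$3"
}

# add_aws_cred.sh equivalent: import the downloaded CSV under a profile name.
aws_cred_import() {  # usage: aws_cred_import <profile> <credentials.csv>
  set -- "$1" $(parse_credentials_csv "$2")
  [ $# -eq 3 ] || { echo "could not parse credentials file" >&2; return 1; }
  aws_cred_store "$1" "$2" "$3"
}

# aws_account equivalent: source this file, then call it to load a profile into the shell.
# Keychain prompts for the login password on first access; nothing is written to disk.
aws_account() {      # usage: aws_account <profile> [region]
  AWS_ACCESS_KEY_ID=$(security find-generic-password -s "$SERVICE-id" -a "$1" -w) || return 1
  AWS_SECRET_ACCESS_KEY=$(security find-generic-password -s "$SERVICE-secret" -a "$1" -w) || return 1
  AWS_DEFAULT_REGION=${2:-us-east-1}
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_DEFAULT_REGION
  PS1="\\u@\\h $1 ($AWS_DEFAULT_REGION): "   # prompt shows account and region, as in the post
}

# rotate_api_keys.sh decision step: AWS allows two access keys per user. Reads
# `aws iam list-access-keys --output text` (columns: AccessKeyId CreateDate Status UserName).
rotation_plan() {    # prints: create | replace-inactive | blocked
  awk '$1=="ACCESSKEYMETADATA" { n++; if ($4=="Active") a++ }
       END { if (n<2) print "create"; else if (a<2) print "replace-inactive"; else print "blocked" }'
}
```

Source the file from .profile and run `aws_cred_import pht credentials.csv` once, then `aws_account pht us-west-2` in any new shell; the secret never lands in an unencrypted file.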

The scripts are part of the aws_scripts package I’m building, available on GitHub here: https://github.com/jchrisfarris/aws_scripts