If you are an avid Amazon AWS user, you may have noticed that the AWS CLI command line tools nowadays support sourcing credentials from external processes. This feature can be combined with 1Password's command line tool, which allows you to query 1Password items using the op shell command.

By moving the AWS credentials to 1Password, you will be able to delete your ~/.aws/credentials file, which is otherwise an attractive target for malware and other hacking attempts (but check the caveats section below before you do that).

Installation

First, install all the required software.

  • Install the AWS CLI if you haven't already.
  • Install the 1Password CLI tool.
  • Install the jq tool, for instance using brew install jq on macOS.

Credential setup

Then, move your credentials from the local AWS credentials file to 1Password.

  • Create a 1Password item to hold your AWS credentials. Use two custom fields to store the Access Key Id and Secret Access Key. In this example, the fields are named aws_access_key_id and aws_secret_access_key.
  • Follow the 1Password instructions on how to perform the first sign-in using the op signin command, and how to sign in more easily after that (omitting the secret key).
  • If you want to, remove the old credentials from ~/.aws/credentials.

Configuration

Next, add an entry that looks like this in your local ~/.aws/config file:

[profile my-account]
credential_process = sh -c "op get item 'Name Of Item' | jq '.details.sections[0].fields | map({(.t):.}) | add | {Version:1, AccessKeyId:.aws_access_key_id.v, SecretAccessKey:.aws_secret_access_key.v}'"

Make sure that Name Of Item matches the name you entered for the 1Password item, and that aws_access_key_id and aws_secret_access_key match the custom field names you used to store your Access Key Id and Secret Access Key. The above script assumes that they are in the first section. If you put them in a separate section, you may need to change the sections[0] clause to match it.

If you are on a platform that doesn't support the sh shell, you may need to figure out how to perform a similar piping operation. Alternatively, you could create a separate script file somewhere and move the complex script command line from ~/.aws/config to there.
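As an added example (not the post's own code, and not part of the 1Password or AWS tooling), here is a Python version of that separate script file. It keeps the aws_access_key_id and aws_secret_access_key field names and the op v1 JSON layout (fields with t and v keys) that the jq expression above relies on, and goes a step beyond the one-liner by searching every section instead of only sections[0] and exiting non-zero with a message on stderr when a field is missing. The op invocation and the sample item JSON are constructed assumptions.

```python
"""Hypothetical credential_process helper (example code, not from the post):
read a 1Password item via `op get item` and print the JSON the AWS CLI wants."""
import json
import subprocess
import sys

# Custom field labels, matching the fields created in the 1Password item.
ACCESS_KEY_FIELD = "aws_access_key_id"
SECRET_KEY_FIELD = "aws_secret_access_key"

# Constructed sample of `op get item` output (op v1 JSON shape, trimmed to the
# parts used here); the key values are placeholders, not real credentials.
SAMPLE_OP_ITEM = json.dumps({"details": {"sections": [
    {"title": "Notes", "fields": [{"t": "region", "v": "eu-west-1"}]},
    {"title": "Keys", "fields": [
        {"t": ACCESS_KEY_FIELD, "v": "AKIAEXAMPLEKEYID0000"},
        {"t": SECRET_KEY_FIELD, "v": "example/secret/placeholder"}]}]}})

def item_fields(op_json_text):
    """Flatten every section's fields into one {title: value} dict, so the
    credentials are found whichever section they were placed in."""
    item = json.loads(op_json_text)
    fields = {}
    for section in item.get("details", {}).get("sections", []):
        for field in section.get("fields", []):
            fields[field.get("t", "")] = field.get("v", "")
    return fields

def credential_process_output(op_json_text):
    """Build the Version 1 document expected from a credential_process."""
    fields = item_fields(op_json_text)
    missing = [f for f in (ACCESS_KEY_FIELD, SECRET_KEY_FIELD) if f not in fields]
    if missing:
        raise KeyError("1Password item lacks field(s): " + ", ".join(missing))
    return {"Version": 1,
            "AccessKeyId": fields[ACCESS_KEY_FIELD],
            "SecretAccessKey": fields[SECRET_KEY_FIELD]}

def main(item_name):
    # The AWS CLI parses stdout, so failures go to stderr with a non-zero exit.
    try:
        raw = subprocess.run(["op", "get", "item", item_name], check=True,
                             capture_output=True, text=True).stdout
        print(json.dumps(credential_process_output(raw)))
    except (subprocess.CalledProcessError, KeyError, ValueError) as err:
        sys.exit("credential helper failed: %s" % err)

if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "Name Of Item")
```

Point the profile at it with credential_process = python3 /path/to/op-aws-creds.py "Name Of Item" (the path is a placeholder).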

Testing

Once the entry in ~/.aws/config is in place, you should be able to test the integration using AWS CLI:

aws --profile my-account iam get-user

If you see a valid-looking User JSON response that includes your AWS IAM UserId, UserName and Arn, congratulations, it's working properly. If you see an error, you may need to refresh your sign-in session first (op signin) and try again.

Caveats

When you remove your credentials from ~/.aws/credentials and use the credential_process option instead, some third-party tools that use the AWS SDK may stop working. For instance, I have created an issue about this in the Serverless Framework project. It's not quite clear whether Amazon plans to support this automatically in all AWS SDK based apps, or whether it's intended to be an AWS CLI only feature.