This is an unofficial 1Password credentials helper for the AWS CLI.
This tool enables the aws command to use AWS credentials from your 1Password vault.
That way, your AWS credentials stay encrypted at rest on your device, which is known to be a good security practice. You no longer have to keep your credentials in plain text in your ~/.aws/config file.
The tool is neither affiliated with nor endorsed by 1Password or AWS. It’s also alpha-quality and largely untested. Use it at your own risk.
This tool requires Linux or macOS. You also need an active 1Password membership.
To install aws-credential-1password manually:
-
Install the 1Password command-line tool.
-
Install jq.
-
Copy the
aws-credential-1passwordexecutable into a directory that is in yourPATH.
To install aws-credential-1password via the AUR, use your favorite AUR helper to install the aws-credential-1password package.
For example, if you use aurutils, run aur sync aws-credential-1password and then sudo pacman -Syu aws-credential-1password.
To install aws-credential-1password via Homebrew, run:
brew install claui/public/aws-credential-1passwordIf you put it in your ~/.aws/config file, the aws command will get secrets from your 1Password vault.
-
Open your terminal.
-
Confirm that your 1Password CLI is properly configured and signed into your 1Password vault. To do that, check the output of the following shell command:
op vault list
-
Next, open the 1Password app and create a login item with two fields named
Access Key IDandSecret Access Key. Fill in your AWS credentials into those fields. -
Open the 1Password preferences and go to the Advanced tab. Tick the checkbox(es) that enable UUID and JSON copying. The checkbox may be called Show debugging tools but the name can vary depending on which version of the 1Password app you have.
-
Obtain the UUID of your login item in 1Password. To do that, right-click on the login item and choose either UUID or JSON, depending on what the app offers you. If you choose JSON, paste the result to a text editor and locate the UUID manually. Copy the UUID to your clipboard.
-
Create a file
configin your~/.awsdirectory if it’s not already there. -
Edit your
~/.aws/configas follows:[default] credential_process = /path/to/aws-credential-1password OP_VAULT OP_ITEM ACCESS_KEY_ID_FIELDNAME SECRET_ACCESS_KEY_FIELDNAME
-
In the config file, replace the fragment
/path/to/aws-credential-1passwordwith the actual path to youraws-credential-1passwordscript. -
Run
op vault listto see the UUIDs of your vaults. In the config file, replace the fragmentOP_VAULTwith the UUID of your vault. -
In the config file, replace the fragment
OP_ITEMwith the UUID of your login item. -
In the 1Password app (or the exported JSON), look at the names of the 1Password fields that contain your AWS access key ID and your secret access key. In the config file, replace the fragments
ACCESS_KEY_ID_FIELDNAMEandSECRET_ACCESS_KEY_FIELDNAMEwith those field names. -
To confirm that everything is working, run:
aws iam get-user
Sign into the 1Password CLI, then use the aws command normally.
Copyright (c) 2021 The aws-credential-1password authors
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.