When using aws configure, the credentials are stored in plain text on my workstation. This is a huge security violation. I tried to open an issue on the aws cli GitHub, but it was quickly closed. I use Terraform and the aws cli directly, so I need a workaround that supports this.
Example:
[MyProfile]
aws_access_key_id = xxxxxxxxxxxxxxx
aws_secret_access_key = yyyyyyyyyyyyyyyyyy
region=us-east-2
output=json
This is the simplest workaround I could find. References:
https://devblogs.microsoft.com/powershell/secretmanagement-and-secretstore-are-generally-available/
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-source-external.html
The following PowerShell creates an encrypted vault.
# WARNING: re-registering with -AllowClobber replaces any existing vault named "AWS".
# The vault is unlocked for the current Windows user with no password, because the
# AWS CLI cannot answer an interactive prompt when it invokes credential_process.
Install-Module Microsoft.PowerShell.SecretManagement -Scope CurrentUser
Install-Module Microsoft.PowerShell.SecretStore -Scope CurrentUser
# Store is encrypted at rest, but opens for the current user without a password or prompt.
Set-SecretStoreConfiguration -Authentication None -Scope CurrentUser -Interaction None
Register-SecretVault -Name "AWS" -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault -AllowClobber
# Write a throwaway secret and list the vaults to prove the store works.
Set-Secret -Vault "AWS" -Name "test" -Secret "test"
Get-SecretVault
Write-Host "Vault Created"
This PowerShell creates a secret. Note that secrets may expire.
# The profile name doubles as the secret name. Do not use $profile for it:
# that is a PowerShell automatic variable (path of the profile script).
$profileName = Read-Host -Prompt "Enter AWS Account Number"
$aws_access_key_id = Read-Host -Prompt "Enter AWS access key"
$aws_secret_access_key = Read-Host -Prompt "Enter AWS secret access key"
# Shape required by the AWS CLI credential_process contract (Version must be 1).
$secretIn = @{
    Version         = 1
    AccessKeyId     = $aws_access_key_id
    SecretAccessKey = $aws_secret_access_key
    SessionToken    = $null   # only needed for temporary credentials
    # Expiration    = "ISO 8601 timestamp"; when present, the CLI re-runs the process after expiry
}
$secret = ConvertTo-Json -InputObject $secretIn -Compress
Set-Secret -Vault "AWS" -Name $profileName -Secret $secret
This file, named credential_process.cmd, needs to be on the PATH or next to terraform.exe.
@echo off
REM This file must be reachable by the aws cli or by programs that use it (Terraform).
REM To support other paths, copy it to C:\Program Files\Amazon\AWSCLIV2
REM %~1 strips the quotes passed from the credentials file; -NoProfile -NonInteractive
REM keeps profile scripts and prompts from polluting stdout, which the CLI parses as JSON.
powershell.exe -NoProfile -NonInteractive -Command "Get-Secret -Vault AWS -Name '%~1' -AsPlainText"
Finally, put the following entry in your {user}\.aws\credentials file:
[XXXXX-us-east-1]
credential_process = credential_process.cmd "XXXXX"
region=us-east-1
output=json
Now you can run aws cli commands (or Terraform) with:
aws ec2 describe-vpcs --profile XXXXX-us-east-1
Drawbacks:
As with other AWS services:
Possibilities:
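The answer above wires a PowerShell SecretStore vault into the AWS CLI through the credential_process hook. As an added example (not part of the original answer), the following Python emulates the consuming side of that contract as the AWS documentation linked above describes it: Version must be 1, AccessKeyId and SecretAccessKey are required, SessionToken is optional (so the `SessionToken = $null` the answer stores is accepted), and a present Expiration makes the credentials refreshable, meaning the CLI re-runs the process when they run out. It lets you check what credential_process.cmd prints without an AWS account. The stub command, the dummy key values and the five-minute refresh skew are constructed for this example and are not values from the CLI.

```python
"""
Consumer side of the AWS `credential_process` contract (added example, not part of
the original answer). It emulates what the AWS CLI does with the JSON printed by a
command such as credential_process.cmd, so the output shape can be checked offline.
Key values, the stub command and the refresh skew are constructed for this example.
"""
import json
import subprocess
import sys
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

REQUIRED_KEYS = ("AccessKeyId", "SecretAccessKey")


@dataclass
class ProcessCredentials:
    access_key: str
    secret_key: str
    session_token: Optional[str]      # optional: None/null means long-term keys
    expiration: Optional[datetime]    # optional: absent means the CLI never refreshes

    def needs_refresh(self, now: Optional[datetime] = None,
                      skew: timedelta = timedelta(minutes=5)) -> bool:
        """True when a CLI would re-run the process (5-minute skew is an assumption)."""
        if self.expiration is None:
            return False
        now = now or datetime.now(timezone.utc)
        return now + skew >= self.expiration


def parse_credential_process_output(stdout: str) -> ProcessCredentials:
    """Validate the JSON contract: Version 1, required keys, optional token and expiry."""
    data = json.loads(stdout)
    if data.get("Version") != 1:
        raise ValueError(f"unsupported credential_process Version: {data.get('Version')!r}")
    missing = [k for k in REQUIRED_KEYS if not data.get(k)]
    if missing:
        raise ValueError(f"credential_process output is missing {missing}")
    expiration = None
    if data.get("Expiration"):
        # ISO 8601; fromisoformat() before Python 3.11 does not accept a trailing 'Z'
        expiration = datetime.fromisoformat(data["Expiration"].replace("Z", "+00:00"))
        if expiration.tzinfo is None:
            expiration = expiration.replace(tzinfo=timezone.utc)
    return ProcessCredentials(data["AccessKeyId"], data["SecretAccessKey"],
                              data.get("SessionToken"), expiration)


def run_credential_process(command: List[str]) -> ProcessCredentials:
    """Spawn the process like the CLI does: non-zero exit is an error, stdout is the JSON."""
    proc = subprocess.run(command, capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"credential_process exited {proc.returncode}: {proc.stderr.strip()}")
    return parse_credential_process_output(proc.stdout)


# Constructed stand-in for credential_process.cmd: prints the same JSON shape the
# answer's Set-Secret stores, including "SessionToken": null, with dummy key values.
STUB_OUTPUT = json.dumps({
    "Version": 1,
    "AccessKeyId": "AKIAEXAMPLE0000000000",
    "SecretAccessKey": "example-secret-not-a-real-key",
    "SessionToken": None,
})


def demo_stub_process() -> ProcessCredentials:
    """Run the stub through the same code path a real .cmd would take."""
    return run_credential_process([sys.executable, "-c", f"print({STUB_OUTPUT!r})"])


if __name__ == "__main__":
    creds = demo_stub_process()
    print("access key:", creds.access_key, "refresh needed:", creds.needs_refresh())
```

To check the real hook, replace the stub command with `["credential_process.cmd", "XXXXX"]` from the same directory the CLI would run it in; a profile-script banner or a prompt on stdout shows up immediately as a JSON decode error, which is why the .cmd above runs PowerShell with -NoProfile -NonInteractive.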