Reputation: 879
Is there a feature in AWS CLI that would allow me to specify my secret access key in an encrypted format?
For example, a Travis CI script can contain an encrypted version of an S3 key: https://docs.travis-ci.com/user/deployment/s3
I don't like the idea of leaving AWS keys in an easily readable credentials file.
Upvotes: 1
Views: 4240
Reputation: 49
We can encrypt the secret keys using aws-cli using AWS Key Management Service (KMS).
See Windows encryption commands below:
aws kms create-key --description "Description For the key"
Output:
$ aws kms create-key --description "Description For the key"
{
    "KeyMetadata": {
        "AWSAccountId": "361925972328",
        "KeyId": "XXXX-XXXX-XXXX-XXXX",
        "Arn": "arn:aws:kms:us-east-1:361925972328:key/15971628-e4b4-42b8-a50f-038eae00b143",
        "CreationDate": 1575535349.191,
        "Enabled": true,
        "Description": "Description For the key",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ]
    }
}
This will create the key.
Encryption command:
aws kms encrypt --key-id XXXX-XXXX-XXXX-XXXX --plaintext new.txt --output text --query CiphertextBlob > secrets.base64.json
certutil -decode .\secrets.base64.json secrets.encrypted.json
Output:
Input Length = 430
Output Length = 159
CertUtil: -decode command completed successfully.
Upvotes: 2
Reputation: 49
Process for Decryption using aws-CLI KMS
Command:
aws kms decrypt --ciphertext-blob ./secrets.encrypted.json --output text --query Plaintext > secrets.decrypted.base64
Will give this error:
An error occurred (InvalidCiphertextException) when calling the Decrypt operation
Mention the fileb:// type, which means a binary file.
Command:
aws kms decrypt --ciphertext-blob fileb://./secrets.encrypted.json --output text --query Plaintext > secrets.decrypted.base64
It will convert it into base64.
Command:
certutil -decode .\secrets.decrypted.base64 .\secrets.decrypted.json
Output:
Input Length = 30
Output Length = 7
CertUtil: -decode command completed successfully.
Upvotes: 0
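The encrypt/decrypt procedure from the two answers above, as an added example that is not part of either answer: a POSIX shell version that uses `base64` in place of `certutil`, passes `fileb://` for both the plaintext and the ciphertext so that file contents rather than the path string are what gets encrypted, and puts the decrypted secret only into the environment of the running shell. The key alias, file names and access key id are placeholders, and GNU coreutils `base64` is assumed.

```shell
# Added example, not from either answer above: keep only the KMS-encrypted
# secret on disk and decrypt it into the environment at run time.
# Assumptions (placeholders): a KMS key id or alias, a file holding the
# secret access key, and GNU coreutils `base64` (older macOS needs `base64 -D`).

# Encrypt the file's contents once. `fileb://` makes the CLI read the file as
# raw bytes; a bare path such as `new.txt` would be encrypted as that literal
# string. `--query CiphertextBlob --output text` prints base64, so decode it
# to get the binary ciphertext that `aws kms decrypt` expects.
encrypt_secret() {          # $1 = key id/alias, $2 = plaintext file, $3 = ciphertext file
    aws kms encrypt --key-id "$1" --plaintext "fileb://$2" \
        --output text --query CiphertextBlob | base64 -d > "$3"
}

# Decrypt the binary ciphertext and print the plaintext secret on stdout.
# `Plaintext` is base64 in the CLI output as well, hence the second decode.
decrypt_secret() {          # $1 = ciphertext file
    aws kms decrypt --ciphertext-blob "fileb://$1" \
        --output text --query Plaintext | base64 -d
}

# Put the credentials into the environment of the current shell only; the AWS
# CLI reads AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY before it looks at any
# credentials file, and the plaintext secret is never written to disk.
load_aws_credentials() {    # $1 = access key id, $2 = ciphertext file
    AWS_SECRET_ACCESS_KEY=$(decrypt_secret "$2")
    [ -n "$AWS_SECRET_ACCESS_KEY" ] || return 1   # aws or base64 failed
    AWS_ACCESS_KEY_ID=$1
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
}

# Typical use (placeholders), typed interactively or sourced from a CI step:
#   encrypt_secret alias/ci-secrets secret_key.txt secret_key.kms   # once
#   rm secret_key.txt
#   load_aws_credentials AKIA_PLACEHOLDER secret_key.kms           # each run
#   aws s3 ls
```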
Reputation: 36043
No there is not. Any encryption of the access keys and/or secret keys must be done by the software using them.
However, a recommended alternative to using access keys and secrets is to use IAM roles.
If your Travis CI is hosted by a third-party, then you should use IAM Third-party roles with that third-party instead of access keys. This way, that third-party can retrieve time-limited credentials for your AWS account.
If you are hosting the Travis CI on your own EC2 instance, then you can assign your EC2 instance to an EC2 Instance Profile (IAM Role) when it's launched. This way, all permissions are given to the instance without needing to store credentials anywhere on the instance.
The AWS CLI supports this. Simply don't assign any credentials anywhere (command line, file or configuration), and it'll attempt to read the credentials from the instance profile.
Upvotes: 4