Here's a quick recipe to avoid storing sensitive credentials such as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in plain text in a config file!
Instead of using a file such as ~/.aws/credentials, you can point the AWS `credential_process` setting at a small script that uses the 1Password CLI (`op`) to load them from a vault on demand.
~/.aws/config

```ini
[profile mirego]
region = us-east-1
credential_process = "/Users/jbg/.aws/mirego-creds.sh"
```

~/.aws/mirego-creds.sh

```bash
#!/bin/bash
# Thin wrapper with the arguments baked in, so the generic helper always
# receives them no matter how the caller invokes credential_process.
exec /Users/jbg/.aws/op-cred-helper.sh "mirego.1password.com" "VAULT_ID" "SECRET_ID"
```

~/.aws/op-cred-helper.sh

```bash
#!/bin/bash
set -euo pipefail

account="$1"    # 1Password account (sign-in address)
vault="$2"      # vault ID or name
secret_id="$3"  # item ID or name that holds the AWS key pair

# Print the JSON document the credential_process contract expects.
# `op inject` resolves each {{ op://... }} reference; the heredoc delimiter is
# unquoted so ${vault} and ${secret_id} expand before the template reaches op.
cat <<END | op inject --account "${account}"
{
  "Version": 1,
  "AccessKeyId": "{{ op://${vault}/${secret_id}/aws_access_key_id }}",
  "SecretAccessKey": "{{ op://${vault}/${secret_id}/aws_secret_access_key }}"
}
END
```

Technically, you don't need the mirego-creds.sh helper script, but it seems that Terraform will not always call the script with arguments properly.
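Before wiring the helper into ~/.aws/config, it is worth checking that what it prints actually satisfies the credential_process contract (Version 1, non-empty AccessKeyId and SecretAccessKey, a usable Expiration if present) and that every op:// reference was resolved rather than echoed back unchanged. This is an added Python check, not part of the original recipe; the helper path and the sample JSON are constructed for illustration, and nothing it returns contains the secret itself.

```python
"""Validate credential_process output without ever printing the secret values."""
import json
import subprocess
from datetime import datetime, timezone

REQUIRED = ("AccessKeyId", "SecretAccessKey")
OPTIONAL = ("SessionToken", "Expiration")


def validate_credential_process_output(raw: str) -> dict:
    """Return a redacted summary of a credential_process JSON document.

    Raises ValueError on the first contract violation: not a JSON object,
    Version != 1, a required key missing or empty, a value still containing an
    unresolved op:// template (wrong vault/item/field name in the helper), or an
    Expiration that is not RFC 3339 or already in the past.
    """
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"output is not valid JSON: {exc.msg}") from None
    if not isinstance(doc, dict):
        raise ValueError("output must be a JSON object")
    if doc.get("Version") != 1:
        raise ValueError("Version must be the integer 1")
    for key in REQUIRED:
        if not isinstance(doc.get(key), str) or not doc[key]:
            raise ValueError(f"{key} is missing or empty")
    for key in REQUIRED + OPTIONAL:
        if isinstance(doc.get(key), str) and "op://" in doc[key]:
            raise ValueError(f"{key} still contains an unresolved op:// reference")
    # Only the last four characters of the key id are kept, never the secret.
    summary = {"access_key_id_suffix": doc["AccessKeyId"][-4:],
               "has_session_token": "SessionToken" in doc}
    if "Expiration" in doc:
        exp = datetime.fromisoformat(doc["Expiration"].replace("Z", "+00:00"))
        if exp <= datetime.now(timezone.utc):
            raise ValueError("Expiration is already in the past")
        summary["expires_at"] = exp.isoformat()
    return summary


def check_helper(path: str) -> dict:
    """Run a credential_process script (hypothetical path) and validate its stdout."""
    result = subprocess.run([path], capture_output=True, text=True, check=True)
    return validate_credential_process_output(result.stdout)


if __name__ == "__main__":
    print(check_helper("/Users/jbg/.aws/mirego-creds.sh"))  # path from the recipe
```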
To find your VAULT_IDs and SECRET_IDs, use the 1Password CLI to locate the right items, for example `op vault list` and `op item list`.
Original credits to Rob Giseburt.