aws-cli : Using 1Password to Store Credentials

Here's a quick recipe to avoid storing sensitive credentials such as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in plain text in a config file!

Instead of using a file such as ~/.aws/credentials, you can use the 1Password CLI to dynamically load them from a vault.


In ~/.aws/config, point the profile at a helper script with credential_process:

[profile mirego]
region = us-east-1
credential_process = "/Users/jbg/.aws/mirego-creds.sh"




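The helper script /Users/jbg/.aws/mirego-creds.sh calls the generic helper with the account, vault and secret to use:

#!/bin/sh
/Users/jbg/.aws/op-cred-helper.sh "mirego.1password.com" "VAULT_ID" "SECRET_ID"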




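The generic helper /Users/jbg/.aws/op-cred-helper.sh builds the JSON template and lets op inject resolve the secret references:

#!/bin/sh
account="$1"; vault="$2"; secret_id="$3"  # arguments passed by mirego-creds.sh
cat <<END | op inject --account "${account}"
{
  "Version": 1,
  "AccessKeyId": "{{ op://${vault}/${secret_id}/aws_access_key_id }}",
  "SecretAccessKey": "{{ op://${vault}/${secret_id}/aws_secret_access_key }}"
}
END
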
Technically, you don't need the mirego-creds.sh helper script, but it seems that Terraform will not always call the script with arguments properly.

To find your VAULT_IDs/SECRET_IDs, I suggest using the 1Password CLI commands op vault list and op item list.
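
To confirm that the helper prints what the AWS CLI expects from credential_process, the check below reads the helper's output on stdin and reports problems without echoing any secret value. It is an added example, not part of the original recipe; the function name check_credential_output and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check what a credential_process helper prints.
# Pattern-based check, not a full JSON parser. Reads the helper output on
# stdin and reports problems on stderr without echoing any secret value.

check_credential_output() {
  out=$(cat)
  # A leftover op:// reference means the template was never resolved.
  case "$out" in
    *"op://"*) echo "unresolved op:// reference" >&2; return 1 ;;
  esac
  # Drop whitespace so the patterns below do not depend on layout.
  compact=$(printf '%s' "$out" | tr -d '[:space:]')
  # The output must be a single JSON object: catches lost braces.
  case "$compact" in
    "{"*"}") ;;
    *) echo "output is not a JSON object" >&2; return 1 ;;
  esac
  # The AWS CLI expects Version to be 1.
  case "$compact" in
    *'"Version":1,'* | *'"Version":1}'*) ;;
    *) echo "Version missing or not 1" >&2; return 1 ;;
  esac
  # Both key fields must be present with non-empty string values.
  for key in AccessKeyId SecretAccessKey; do
    if ! printf '%s\n' "$compact" | grep -Eq "\"$key\":\"[^\"]+\""; then
      echo "$key missing or empty" >&2
      return 1
    fi
  done
  return 0
}

# Constructed sample (not real credentials) so the script runs offline.
sample='{ "Version": 1, "AccessKeyId": "EXAMPLEKEYID", "SecretAccessKey": "example-secret" }'
printf '%s' "$sample" | check_credential_output && echo "sample: ok"
```

To check the real helper, pipe its output into the function, for example /Users/jbg/.aws/mirego-creds.sh | check_credential_output.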

Original credits to Rob Giseburt.