Mitchell Hashimoto


Flexible Local AWS Credentials Management

The Amazon Web Services (AWS) command line tools require certain environment variables to be set, such as EC2_HOME for EC2, AWS_ACCESS_KEY_ID, and so on. Most people put these in their bashrc file and call it good, but this quickly becomes inflexible once you have to manage more and more accounts.

For example, I happen to manage 4 separate AWS accounts (my personal account and 3 other projects).

This post outlines how I manage my credentials in a DRY (Don’t-Repeat-Yourself) and flexible way, such that I could easily add more credentials in the future if I needed to.

Directory Structure

I maintain a very specific directory structure for my AWS related files:

~/.aws
|- bashrc
|- credentials/
|-- setup/
|---- personal
|-- personal/
|- keys/
|-- personalkey.pem
|- ec2/
|- cloudformation/
|- ...

I’ll explain each below:

bashrc

This file is the hook that my main bashrc (at $HOME/.bashrc) sources. It sets up the enabled AWS modules and defines the function for selecting AWS credentials.

The basic idea is to consolidate all the global and unchanging AWS related environment variables into a single bash file, so that it is easy to add new services without cluttering my main bashrc.

You’ll see later that the changing environment variables (those related to authorization) live in site-specific credentials files which are enabled using the aws_credentials function.

You can view this file in my dotfiles repo.

To enable it, add a line like this to your main bashrc:

test -f "$HOME/.aws/bashrc" && . "$HOME/.aws/bashrc"

credentials/

The credentials directory holds all files related to site-specific credentials, as well as the bash scripts that set up the environment variables. There is always a setup/ folder within this directory containing the bash scripts that toggle the different site keys. For example, I may have a personal file at credentials/setup/personal which looks like the following:

As you can see, it simply sets the required AWS environment variables. Easy! But how do you enable this? Use the aws_credentials function in your terminal, anywhere:

aws_credentials personal

This will find the credentials/setup/personal file and load it for your current shell.

Also important to note, I store all the required files such as the certificates for API calls in a special credentials/SITENAME directory (personal, in this case).
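As an added example (not the aws_credentials function from my dotfiles, and not code from the post), here is a minimal version of the same idea: a function that sources credentials/setup/NAME into the current shell. It assumes an AWS_HOME override (defaulting to ~/.aws) so it can be exercised against a throwaway directory, refuses site names that are paths rather than plain names, and checks that the credentials file is not readable by other users. The setup file contents and key values in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example: a small aws_credentials in the spirit of the post.
# Sources $AWS_HOME/credentials/setup/<site> into the current shell.
# AWS_HOME (assumption, defaults to ~/.aws) exists only so the demo can
# point at a temporary directory.

aws_credentials() {
    name="$1"
    base="${AWS_HOME:-$HOME/.aws}"
    file="$base/credentials/setup/$name"

    if [ -z "$name" ]; then
        echo "usage: aws_credentials <site>" >&2
        return 2
    fi
    # Only accept a plain file name: a typo like ../foo must not end up
    # sourcing an arbitrary file into the shell.
    case "$name" in
        */*|.*)
            echo "aws_credentials: invalid site name '$name'" >&2
            return 2 ;;
    esac
    if [ ! -f "$file" ]; then
        echo "aws_credentials: no such site '$name' (expected $file)" >&2
        return 1
    fi
    # Credential files hold secrets; refuse to load one that group or
    # others can read (chmod 600 fixes it).
    if [ -n "$(find "$file" \( -perm -g+r -o -perm -o+r \) -print 2>/dev/null)" ]; then
        echo "aws_credentials: $file is readable by others; run chmod 600 on it" >&2
        return 1
    fi
    # shellcheck disable=SC1090
    . "$file"
    export AWS_CREDENTIALS_SITE="$name"
}

# Constructed demo: build a throwaway ~/.aws-style layout, load the
# "personal" site and print the access key id that was exported.
aws_credentials_demo() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/credentials/setup"
    cat > "$tmp/credentials/setup/personal" <<'EOF'
# constructed example values, not real keys
export AWS_ACCESS_KEY_ID="AKIAEXAMPLEPERSONAL"
export AWS_SECRET_ACCESS_KEY="EXAMPLESECRETKEY"
EOF
    chmod 600 "$tmp/credentials/setup/personal"
    AWS_HOME="$tmp"
    aws_credentials personal || { rm -rf "$tmp"; return 1; }
    printf '%s' "$AWS_ACCESS_KEY_ID"
    rm -rf "$tmp"
}
```

Because the file is sourced rather than executed, the exports land in the calling shell, which is what makes `aws_credentials personal` followed by an ordinary `ec2-describe-instances` work; the AWS_CREDENTIALS_SITE variable is just a convenience so a prompt can show which site is active.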

keys/

I store all my EC2 private keys in this directory for easy access with SSH. For example, my personal account has a mh_key.pem. To SSH into one of my instances, I just do the following:

ssh -i ~/.aws/keys/mh_key.pem ubuntu@my-ec2-ip.com

I’m still looking to improve this, but it works fine for me now.

ec2/, cloudformation/, etc.

I extract the command line tools for the various AWS services and place them directly in the .aws directory. I may pull these out further into a services directory or something similar in the future, but for now it works fine. You can see how the various services are enabled in my AWS bashrc (linked above). Each service has its own way of being enabled, so it’s easiest to just do it manually for each new service.

Conclusion

My method of credentials management isn’t yet perfect, but it’s much improved from when I started, to the point where it’s very easy to add new services, add new credentials, change existing credentials, switch sites, etc. I plan on further improving this as time goes on, but hopefully this post is enough to get you started with managing your growing number of AWS credentials.
