Is it possible to let IAM user to run aws-cli without permanent access key on my PC?

Time:01-18

I just want to run aws-cli or my application (using the AWS SDK) on my PC, not on AWS services, under the privileges of my IAM user. In this case, do I have to store a permanent access key/secret key associated with my IAM user on my PC?

I want to use only a temporary access key obtained via assume_role, but I think I need a permanent access key to call assume_role with programmatic access. Focusing on security, there seem to be no pros to going this way (unless MFA is forced).
Am I correct? Did I miss something?

CodePudding user response:

If you do not want the PC to have permanent access, that means you want the user to provide some kind of secret to prove his identity and call assume_role, as and when he needs the access. There are a few options I can think of.

MFA

As you rightly pointed out, in this case the secret can be an MFA PIN, and you force MFA so that no actions are allowed unless the user is authenticated with MFA. This way, even if you store the accesskey/secretkey, they mean nothing without the MFA.

Console

The other method of providing a secret is, of course, going to the console and entering your password. Then generate an accesskey/secretkey from IAM, and do what you need to do. Then revoke the keys once done.

Encryption

If, on the other hand, you don't mind having permanent access, you can just encrypt the accesskey/secretkey file. For example, zip your AWS credentials file with a password. Unlock it whenever you need it, and delete it again when done.

Final Remarks

As there is no escaping the need to provide some form of secret, I think this step is unavoidable. And from the examples above, MFA sounds like the most convenient and secure method to me.

CodePudding user response:

Use AWS SSO to manage users. Then users can log in to the AWS CLI by typing 'aws sso login', which opens a web browser and starts the auth flow. This method does not require that secrets be installed locally.

https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html

CodePudding user response:

Have a look at AWS STS (Simple Token Service). https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html

This service creates temporary security credentials along with a session token, and once the session expires, these keys are useless. This is much better than hardcoding any keys anywhere.

Follow the documentation to use STS from CLI. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html#using-temp-creds-sdk-cli
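The three answers above describe the same defensive pattern from different angles: keep any long-term key MFA-gated (first answer), prefer an SSO profile that stores no secret at all (second answer), and let STS hand out short-lived keys (this answer). The following example, added here and not taken from the thread or from AWS's own tooling, puts those pieces together: an MFA-enforcing IAM policy, the `~/.aws/config` profiles the CLI needs for SSO and for MFA-gated role assumption, a GetSessionToken exchange that writes only temporary credentials to a profile, and an audit that tells long-term keys (`AKIA…`) apart from temporary STS keys (`ASIA…`). It assumes boto3 for the real STS call; every ARN, account id and URL is a constructed placeholder, and `FakeSTS` is a constructed stand-in so the flow runs offline.

```python
"""Short-lived CLI credentials instead of a bare long-term key on the PC.

Added example (not the asker's or answerers' code). Assumes boto3 for the
real STS call; ARNs, account ids and URLs are constructed placeholders.
"""
import configparser
import io
from datetime import datetime, timedelta, timezone

MFA_SERIAL = "arn:aws:iam::123456789012:mfa/example-user"   # placeholder
ROLE_ARN = "arn:aws:iam::123456789012:role/ExampleCliRole"  # placeholder


def _ini(cfg: configparser.ConfigParser) -> str:
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


def mfa_enforcing_policy() -> dict:
    """Deny every action unless the caller authenticated with MFA, so a stored
    AKIA key is useless on its own (real policies usually add a NotAction
    exception so the user can still enrol an MFA device and call STS)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyAllWithoutMFA", "Effect": "Deny",
        "Action": "*", "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }]}


def cli_config_profiles() -> str:
    """~/.aws/config: an SSO profile (no secret on disk; `aws sso login` opens
    the browser) and a role profile the CLI assumes only after prompting for
    the MFA code, using the long-term key from `source_profile`."""
    cfg = configparser.ConfigParser()
    cfg["profile sso-dev"] = {
        "sso_start_url": "https://example.awsapps.com/start",  # placeholder
        "sso_region": "us-east-1", "sso_account_id": "123456789012",
        "sso_role_name": "DeveloperAccess", "region": "us-east-1",
    }
    cfg["profile mfa-role"] = {
        "role_arn": ROLE_ARN, "source_profile": "long-term",
        "mfa_serial": MFA_SERIAL, "region": "us-east-1",
    }
    return _ini(cfg)


def fetch_session_credentials(mfa_code: str, sts_client=None, hours: int = 1) -> dict:
    """Exchange the long-term key + MFA code for temporary credentials via
    STS GetSessionToken; sts_client is injectable for offline testing."""
    if sts_client is None:
        import boto3  # real path: needs boto3 and a configured long-term profile
        sts_client = boto3.client("sts")
    resp = sts_client.get_session_token(
        DurationSeconds=hours * 3600, SerialNumber=MFA_SERIAL, TokenCode=mfa_code)
    return resp["Credentials"]


def render_temp_profile(creds: dict, profile: str = "temp") -> str:
    """Credentials-file section holding only the temporary key and its token."""
    cfg = configparser.ConfigParser()
    cfg[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }
    return _ini(cfg)


def is_expired(creds: dict, now=None, skew: timedelta = timedelta(minutes=5)) -> bool:
    """True once the STS Expiration is within `skew` of `now` (re-auth needed)."""
    now = now or datetime.now(timezone.utc)
    return now + skew >= creds["Expiration"]


def audit_credentials(text: str) -> dict:
    """Classify each profile by key prefix: AKIA = long-term IAM user key,
    ASIA = temporary STS key. Any 'long-term' entry needs MFA enforcement."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    report = {}
    for section in cfg.sections():
        key = cfg[section].get("aws_access_key_id", "")
        report[section] = ("long-term" if key.startswith("AKIA")
                           else "temporary" if key.startswith("ASIA") else "no-key")
    return report


class FakeSTS:
    """Constructed stand-in for boto3's STS client (offline demo only)."""
    def get_session_token(self, **kwargs):
        if len(kwargs["TokenCode"]) != 6:
            raise ValueError("MFA code must be 6 digits")
        return {"Credentials": {
            "AccessKeyId": "ASIAEXAMPLEKEY000001", "SecretAccessKey": "constructed",
            "SessionToken": "constructed-token",
            "Expiration": datetime(2030, 1, 1, tzinfo=timezone.utc)}}


def demo(mfa_code: str = "123456") -> dict:
    """Offline run: a constructed long-term profile plus a freshly written temp one."""
    creds = fetch_session_credentials(mfa_code, sts_client=FakeSTS())
    stored = "[long-term]\naws_access_key_id = AKIAEXAMPLEKEY000001\n"  # constructed
    return audit_credentials(stored + "\n" + render_temp_profile(creds))


if __name__ == "__main__":
    print(cli_config_profiles())
    print(demo())
```

Run against a real account, `fetch_session_credentials("<code from your authenticator>")` returns `ASIA…` credentials that `render_temp_profile` can append to `~/.aws/credentials`; the `is_expired` check is what a wrapper script would consult before deciding to prompt for a new MFA code, and `audit_credentials` is the periodic check that no unprotected `AKIA…` key has crept back into the file.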
