{ "info": { "author": "jeff oconnell", "author_email": "jeff.oconnell@firstlook.media", "bugtrack_url": null, "classifiers": [ "Environment :: Console", "Intended Audience :: Developers", "Intended Audience :: System Administrators", "License :: OSI Approved :: MIT License", "Topic :: Security :: Cryptography", "Topic :: System :: Systems Administration" ], "description": "\n# aws-profile-gpg\n\nA script for calling the [aws-cli](https://github.com/aws/aws-cli) using [IAM Access Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) from a [GPG](https://www.gnupg.org/) encrypted credentials file.\n\nThe script is inspired by the various [aws-profile](https://github.com/search?q=aws-profile) wrappers found on GitHub, plus a desire to keep credentials encrypted at rest.\n\n## Benefits\n\n1\\. Your secret access keys are encrypted at rest on disk so if someone gains access to your machine, they still won't have access to your AWS credentials\n\n2\\. You can safely store your encrypted credentials in Dropbox or on a server so you can access the same config and credentials files from multiple machines\n\n3\\. Since the script works by decrypting the credentials file and adding `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` to the processes environment, you can use it with other apps the use these environment variables, e.g. [Terraform](https://www.terraform.io/docs/providers/aws/)\n\n4\\. If you use an [OpenGPG card](https://en.wikipedia.org/wiki/OpenPGP_card) such as a [Yubikey](https://www.yubico.com/support/knowledge-base/categories/articles/use-yubikey-openpgp/) as a private key, it will effectively act as a hardware MFA device for your access keys\n\n_Details and use cases are outlined in __Usage__ below._\n\n## Prerequisites\n\nThis guide assumes you are familiar GPG and are able to encrypt your credentials file. If you are not familiar with GPG, there are a number of [good tutorials online](https://duckduckgo.com/?q=gpg+tutorial).\n\n## Install\n\n#### Using Homebrew\n\n```\nbrew bundle\n```\n\nor\n\n```\nbrew tap firstlookmedia/firstlookmedia\nbrew install aws-profile-gpg\n```\n\n#### Using PyPI\n\n```\npip install aws-profile-gpg\n```\n\n## Usage\n\n__Basic usage__\n\n```\nusage: aws-profile-gpg [-h] [-v] command [command ...]\n\npositional arguments:\n command command passed to aws cli\n\noptional arguments:\n -h, --help show this help message and exit\n -v, --verbose verbose output\n```\n\n__Using the default configuration__\n\n```\naws-profile-gpg aws s3 ls\n```\n\n__Specifying an aws profile__\n\n```\nAWS_PROFILE=iam_leet \\\n aws-profile-gpg aws s3 ls\n```\n\n__Specifying an alternative credentials file__\n\n```\nAWS_ENCRYPTED_CREDENTIALS_FILE=/path/to/shared/aws/credentials.asc \\\n aws-profile-gpg aws s3 ls\n```\n\n__Specifying an alternative config file__\n\n```\nAWS_CONFIG_FILE=/path/to/shared/aws/config \\\n aws-profile-gpg aws s3 ls\n```\n\n__Storing config and credentials files in Dropbox__\n\n```\nAWS_CONFIG_FILE=${HOME}/Dropbox/etc/aws/config \\\n AWS_ENCRYPTED_CREDENTIALS_FILE=${HOME}/Dropbox/aws/credentials.gpg \\\n aws-profile-gpg aws s3 ls\n```\n\n__Using with terraform__\n\n```\nAWS_PROFILE=terraform \\\n aws-profile-gpg terraform -plan\n```\n\n## Environmental Variables\n\n* AWS_PROFILE_GPG_HOME\n * Path to `aws-profile-gpg` directory; Used to locate virtualenv and python script\n * Defaults to `/usr/local/opt/aws-profile-gpg`\n\n* AWS_ENCRYPTED_CREDENTIALS_FILE\n * Path to GPG encrypted credentials file\n * Supports both plain `.gpg` and ascii-armored `.asc` files\n * Defaults to `~/.aws/credentials.gpg`\n\n* AWS_CONFIG_FILE\n * See [AWS Command Line Interface](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-environment)\n * Defaults to `~/.aws/config`\n * _Note:_ If you change this, you must define all profiles in the custom config file\n\n* AWS_DEFAULT_PROFILE\n * See [AWS Command Line Interface](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-environment)\n * Defaults to `default`\n\n\n## Notes\n\n#### Creating Bash Shortcuts\n\nCreating bash functions is helpful for quickly invoking different profiles:\n\n```\n$ vim ~/.bash_profile\n\n# optional\nexport AWS_ENCRYPTED_CREDENTIALS_FILE=\"${HOME}/Dropbox/aws/credentials.gpg\"\nexport AWS_CONFIG_FILE=\"${HOME}/Dropbox/aws/config\"\n\nfunction aws-leet {\n AWS_PROFILE=iam_leet \\\n aws-profile-gpg \\\n aws \\\n $@\n}\n\nfunction aws-terraform {\n AWS_PROFILE=terraform \\\n aws-profile-gpg \\\n aws \\\n $@\n}\n\n```\n\nYou can then run:\n\n```\n$ source ~/.bash_profile\n```\n\n```\n$ aws-leet iam get-user\n{\n \"User\": {\n \"Path\": \"/\",\n \"UserName\": \"iam.leet\",\n \"UserId\": \"AID35DF67GHFEK3\",\n \"Arn\": \"arn:aws:iam::737415635305:user/iam.leet\",\n \"CreateDate\": \"1970-01-01T00:00:00Z\",\n \"PasswordLastUsed\": \"2000-01-01T00:00:01Z\"\n }\n}\n```\n\n\n#### Specifying Profiles in Config Files\n\nThe `AWS_PROFILE` you use must be defined in your `AWS_CONFIG_FILE` file, e.g.\n\n```\n$ cat ~/.aws/config\n\n[profile default]\nregion=us-east-1\n\n[profile iam_leet]\nregion=us-east-1\n```\n\nThis applies to the `default` profile too.\n\nIf you try to use an undefined profile, you will see this error:\n`Profile not found in config; profile=iam_leet`\n\n\n## Related Links\n\n* Various version of `aws-profile` on GitHub\n * [https://github.com/search?q=aws-profile](https://github.com/search?q=aws-profile)\n\n* GNU Privacy Guard (GPG)\n * [https://www.gnupg.org](https://www.gnupg.org)\n\n* PyGPGME\n * [https://launchpad.net/pygpgme](https://launchpad.net/pygpgme)\n * [https://pygpgme.readthedocs.io/en/latest/](https://pygpgme.readthedocs.io/en/latest/)\n\n* Botocore\n * [https://github.com/boto/botocore](https://github.com/boto/botocore)\n\n\n\n", "description_content_type": "text/markdown", "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/firstlookmedia/aws-profile-gpg", "keywords": "", "license": "MIT", "maintainer": "", "maintainer_email": "", "name": "aws-profile-gpg", "package_url": "https://pypi.org/project/aws-profile-gpg/", "platform": "", "project_url": "https://pypi.org/project/aws-profile-gpg/", "project_urls": { "Homepage": "https://github.com/firstlookmedia/aws-profile-gpg" }, "release_url": "https://pypi.org/project/aws-profile-gpg/0.0.2/", "requires_dist": [ "botocore (<2,>=1.12)", "PyGPGME (<1,>=0.3)" ], "requires_python": ">=2.6, !=3.0.*, !=3.1.*, !=3.2.*, <4", "summary": "call aws-cli using access keys from an encrypted credentials file", "version": "0.0.2" }, "last_serial": 4745413, "releases": { "0.0.2": [ { "comment_text": "", "digests": { "md5": "7b2fd6dd0ce780af5e278f80dab86a3d", "sha256": "547a6ae6d51852e18f12c2786ff49b75fd7e0d81a9d7582c31b0fc933e8c56ce" }, "downloads": -1, "filename": "aws_profile_gpg-0.0.2-py3-none-any.whl", "has_sig": false, "md5_digest": "7b2fd6dd0ce780af5e278f80dab86a3d", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": ">=2.6, !=3.0.*, !=3.1.*, !=3.2.*, <4", "size": 6053, "upload_time": "2019-01-27T07:10:06", "url": "https://files.pythonhosted.org/packages/bf/36/04145b700b90e9347b40f68f179cb1a9b2009e3aacf56f00b2113bfd7d0d/aws_profile_gpg-0.0.2-py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "efdfe2219771b44e4109b314811f8397", "sha256": "1225e84a3713d91ede37b9e50eb92bd1b595023efae5ea36572da66fa715ede4" }, "downloads": -1, "filename": "aws-profile-gpg-0.0.2.tar.gz", "has_sig": false, "md5_digest": "efdfe2219771b44e4109b314811f8397", "packagetype": "sdist", "python_version": "source", "requires_python": ">=2.6, !=3.0.*, !=3.1.*, !=3.2.*, <4", "size": 5301, "upload_time": "2019-01-27T07:10:08", "url": "https://files.pythonhosted.org/packages/58/79/837420de8049857e4ed4bce53cf6428d438286e954f93aecfe0dfd9fb8a0/aws-profile-gpg-0.0.2.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "7b2fd6dd0ce780af5e278f80dab86a3d", "sha256": "547a6ae6d51852e18f12c2786ff49b75fd7e0d81a9d7582c31b0fc933e8c56ce" }, "downloads": -1, "filename": "aws_profile_gpg-0.0.2-py3-none-any.whl", "has_sig": false, "md5_digest": "7b2fd6dd0ce780af5e278f80dab86a3d", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": ">=2.6, !=3.0.*, !=3.1.*, !=3.2.*, <4", "size": 6053, "upload_time": "2019-01-27T07:10:06", "url": "https://files.pythonhosted.org/packages/bf/36/04145b700b90e9347b40f68f179cb1a9b2009e3aacf56f00b2113bfd7d0d/aws_profile_gpg-0.0.2-py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "efdfe2219771b44e4109b314811f8397", "sha256": "1225e84a3713d91ede37b9e50eb92bd1b595023efae5ea36572da66fa715ede4" }, "downloads": -1, "filename": "aws-profile-gpg-0.0.2.tar.gz", "has_sig": false, "md5_digest": "efdfe2219771b44e4109b314811f8397", "packagetype": "sdist", "python_version": "source", "requires_python": ">=2.6, !=3.0.*, !=3.1.*, !=3.2.*, <4", "size": 5301, "upload_time": "2019-01-27T07:10:08", "url": "https://files.pythonhosted.org/packages/58/79/837420de8049857e4ed4bce53cf6428d438286e954f93aecfe0dfd9fb8a0/aws-profile-gpg-0.0.2.tar.gz" } ] }