Setting AWS access key as environment variable


Teddy Thomas

Mar 31, 2016, 5:32:26 PM
to Vault, Juyuan Cai, Dan Kamalic
We're using the AWS backend to generate IAM access keys dynamically. We'd like our users to be able to have these set in an environment variable for their shell, such that programs like the AWS Command Line tools can just read the key from the variable, and the key is not stored in a flat file.

At first, we thought to set the variable like this:

# each backtick substitution is closed; the AWS CLI reads the secret from AWS_SECRET_ACCESS_KEY
export AWS_ACCESS_KEY_ID=`vault read -field=access_key aws/creds/s3-abc`
export AWS_SECRET_ACCESS_KEY=`vault read -field=secret_key aws/creds/s3-abc`

This presents a problem, in that calling the secret again generates a new access key and invalidates the old one. Has anyone had experience with doing something like this? What is the best way to set these values into environment variables?

Hridyesh Pant

Mar 31, 2016, 8:14:19 PM
to Vault, jc...@gnshealthcare.com, dkam...@gnshealthcare.com
I am not sure what process you are going to use it in.
We are going to use it like this: each time the application needs an AWS resource, it will request a new AWS dynamic credential, and once the application has finished its job, revoke it.

--Thanks
Hridyesh

Jeff Mitchell

Apr 1, 2016, 10:29:59 AM
to vault...@googlegroups.com
Hi Teddy,

You can store the output of the command in a variable, then use `sed`
to pull out what you want from the output of the same read.
Alternately you could use `-format=json`, store that output, then use
`jq` to get what you want.

Best,
Jeff

Wesley Staples

Apr 7, 2016, 10:54:28 AM
to Vault, jc...@gnshealthcare.com, dkam...@gnshealthcare.com
You would need to keep an eye on credential expiration too. A bash function set up to run every time could check if AWS_ACCESS_KEY_ID already has a value and, if not, request new creds. It would also need to check against something like AWS_ACCESS_KEY_EXPIRY to make sure the creds are still valid. You could even run a logout script to make sure the keys are revoked.
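The two suggestions above put together, as an added example that is not from anyone in this thread: one `vault read -format=json` call parsed once (sed instead of jq, so nothing extra is installed), an AWS_ACCESS_KEY_EXPIRY stamp derived from the lease's `lease_duration`, and a logout that revokes the `lease_id`. The sample JSON is constructed with placeholder values, and `vault revoke <lease_id>` is assumed to be the CLI spelling of the day (newer Vault uses `vault lease revoke`).

```shell
# Pull one field out of the JSON that `vault read -format=json` prints.
# Uses sed so no jq is needed; with jq it would be `jq -r .data.access_key`.
# $1 = JSON text, $2 = field name (matches quoted strings and bare integers)
vault_json_field() {
    printf '%s\n' "$1" \
        | sed -n -e "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p" \
                 -e "s/.*\"$2\": *\([0-9][0-9]*\).*/\1/p" \
        | head -n 1
}

# Turn one Vault response into the exports a shell needs, plus an expiry stamp
# (epoch seconds) so a later invocation can tell whether to reuse them.
# $1 = JSON from vault, $2 = current epoch seconds (passed in so tests can pin it)
vault_aws_exports() {
    local json="$1" now="$2" key secret lease ttl
    key=$(vault_json_field "$json" access_key)
    secret=$(vault_json_field "$json" secret_key)
    lease=$(vault_json_field "$json" lease_id)
    ttl=$(vault_json_field "$json" lease_duration)
    [ -n "$key" ] && [ -n "$secret" ] && [ -n "$ttl" ] || return 1
    printf "export AWS_ACCESS_KEY_ID='%s'\n" "$key"
    printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$secret"
    printf "export AWS_ACCESS_KEY_EXPIRY='%s'\n" "$((now + ttl))"
    printf "export VAULT_AWS_LEASE_ID='%s'\n" "$lease"
}

# True when creds are exported and the clock ($1, epoch seconds) is before expiry.
aws_creds_valid() {
    [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_ACCESS_KEY_EXPIRY:-}" ] \
        && [ "$1" -lt "$AWS_ACCESS_KEY_EXPIRY" ]
}

# Shell-startup entry point: reuse valid creds, otherwise read Vault exactly once.
aws_login() {
    aws_creds_valid "$(date +%s)" && return 0
    eval "$(vault_aws_exports "$(vault read -format=json aws/creds/s3-abc)" "$(date +%s)")"
}

# Logout: revoke the lease so the IAM key dies with the shell, then drop the vars.
# `vault revoke <lease_id>` is the 2016 CLI spelling (newer: `vault lease revoke`).
aws_logout() {
    [ -n "${VAULT_AWS_LEASE_ID:-}" ] && vault revoke "$VAULT_AWS_LEASE_ID"
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_ACCESS_KEY_EXPIRY VAULT_AWS_LEASE_ID
}
# Constructed sample of the Vault output (placeholder values, not real keys).
SAMPLE_JSON='{
  "lease_id": "aws/creds/s3-abc/EXAMPLE-LEASE-ID",
  "lease_duration": 3600,
  "data": {"access_key": "AKIAEXAMPLE", "secret_key": "EXAMPLESECRET"}
}'
```

Source the file from `.bashrc`, call `aws_login` there, and put `aws_logout` in a `trap ... EXIT` so the key is revoked when the shell closes rather than left to run out its TTL.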