
Password/SSH based authentication for AWS CLI // authentication for AWS CLI without needing access keys

0

Hello, we want to authenticate AWS CLI requests without needing to store access keys in the PC's memory. For now we are thinking of using a static password (and this password should be less than or equal to 38 characters) OR using SSH/PGP keys that we would store on a YubiKey, so we would not need to use "static" AWS access keys. OR we can use the "session" keys, but we should be able to get them without the "static" access keys. Is it possible to implement this in any way? Like using AWS SSO or whatever else?

So in short, we want to implement access to the AWS CLI without storing access keys on the PC. We want "to shorten" the secret access key to 38 characters OR we need to get rid of access keys and use something else like SSH/PGP keys OR a "known" password to authenticate AWS CLI requests.

Any help will be appreciated :)

1 Answers
2
Accepted Answer

You will always need access keys to sign the calls to the AWS APIs. Maybe this is what you are looking for: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html

EXPERT
answered 6 months ago
  • Okay, got it, thanks, but is it possible to use only "session" access keys, without providing those "static" access keys (using only AWS CLI)?

  • And also, is there no option to shorten AWS generated secret access key?

  • Yes, by using a trusted external identity provider, you can only use temporary access keys by assuming a role, via the IdP. Version 2 of the CLI integrates with AWS SSO to facilitate this. You will still have to authenticate to the provider, which may involve long-term credentials. This is where you can use shortened credentials. The AWS access keys can't be shortened, that I know of. Here are the docs on using AWS CLI and AWS SSO: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html
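
An added illustration of the external-sourcing (`credential_process`) approach linked in the accepted answer, not code from the thread or from AWS: a helper that emits the JSON document the CLI expects and refuses anything that is not a temporary, unexpired credential. `fetch_from_broker` is a hypothetical stand-in for whatever issues your session credentials, and all key values are constructed samples.

```python
#!/usr/bin/env python3
"""credential_process helper: hand the AWS CLI temporary credentials only."""
import json
import sys
from datetime import datetime, timedelta, timezone

FIELDS = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")


def fetch_from_broker():
    # Hypothetical source (assumption): an IdP-backed broker, a vault unlocked
    # with a hardware key, etc. The values below are constructed samples,
    # not real credentials.
    expires = datetime.now(timezone.utc) + timedelta(hours=1)
    return {
        "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
        "SecretAccessKey": "constructed-sample-secret",
        "SessionToken": "constructed-sample-session-token",
        "Expiration": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }


def to_cli_document(creds, now=None):
    """Validate creds and return the JSON the CLI reads from the helper's stdout."""
    now = now or datetime.now(timezone.utc)
    for field in FIELDS:
        if not creds.get(field):
            raise ValueError(f"missing {field}: refusing non-temporary credentials")
    # Long-term IAM user keys start with AKIA; STS-issued keys start with ASIA.
    if not creds["AccessKeyId"].startswith("ASIA"):
        raise ValueError("access key is not an STS temporary key")
    expiry = datetime.strptime(creds["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    if expiry.replace(tzinfo=timezone.utc) <= now:
        raise ValueError("credentials already expired")
    return json.dumps({"Version": 1, **{f: creds[f] for f in FIELDS}})


def main():
    try:
        print(to_cli_document(fetch_from_broker()))
    except ValueError as err:
        # Only the reason goes to stderr, never the secret; non-zero exit fails the CLI call.
        print(f"credential helper: {err}", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

A profile in `~/.aws/config` points at the helper with `credential_process = /path/to/helper.py` (placeholder path), so no access key is written to the credentials file.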
