By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Password/SSH based authentiaction for AWS CLI // authentication for AWS CLI without needing access keys

0

Hello, we want to authenticate AWS CLI requests without needing to store access keys in PC's memory, for now we think of using static password ( and this password should be less or equal to 38 characters ) OR using ssh/pgp keys that we would store in yubikey , so we would not need to use "static" AWS access keys OR we can use the "session" keys, but we should be able to get them without the "static" access keys, is it possible to implement it in any-way? like using AWS SSO or whatever else?

So in short we want to implement access to the AWS CLI without storing access keys on PC, we want "to shorten" the secret access key to 38 characters OR we need to get rid of access keys and use something else like ssh/pgp keys OR "known" password OR to authenticate AWS cli requests.

Any help will be appreciated :)

Topics
Security, Identity, & ComplianceManagement & Governance
Tags
AWS Key Management ServiceAWS Identity and Access ManagementAWS Command Line Interface
Language
English
Joann Babak
asked 2 years ago899 views
1 Answer
2
Accepted Answer

You will always need access keys to sign the calls to the AWS APIs. Maybe this is what you are looking for: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html

profile pictureAWS
EXPERT
kentrad
answered 2 years ago
  • Joann Babak
    2 years ago

    Okay, got it, thanks , but is it possible to use only "session" access keys? without providing those "static" access keys ( using only AWS CLI ) ?

  • Joann Babak
    2 years ago

    And also, is there no option to shorten AWS generated secret access key?

  • kentrad EXPERT
    2 years ago

    Yes, by using a trusted external identity provider, you can only use temporary access keys by assuming a role, via the Idp. Version 2 of the CLI integrates with AWS SSO to facilitate this. You will still have to authenticate the the provider which may involve long term credentials. This is where you can use shortened credentials. The AWS access keys can't be shorted, that I know of. Here is the docs on using AWS CLI and AWS SSO: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content