1Password AWS Credentials

1Password CLI 2 offers a way to use AWS credentials with the AWS CLI. However, you have to create shell aliases for all the commands you want to use it with. A better solution would be to let the AWS CLI/SDK look up the credentials itself in 1Password. Luckily, the AWS config supports this with credential_process!

Requirements to make this work:

  • AWS CLI v2. It might work with v1 but I did not test it.
  • 1Password items with these fields:
    • access key id or access_key_id
    • secret access key or secret_access_key
  • 1Password CLI 2 which can authenticate to your vault.
  • My op-aws-credentials.py script in a convenient location (/usr/local/bin).

When you have those things in place, you can modify your ~/.aws/config file:

[default]
credential_process = /opt/local/bin/op-aws-credentials.py --vault AWS --item default

[profile profile1]
credential_process = /opt/local/bin/op-aws-credentials.py --vault AWS --item profile1

[profile profile2]
credential_process = /opt/local/bin/op-aws-credentials.py --vault AWS --item profile2

Then delete the corresponding lines from your ~/.aws/credentials file. This example assumes you have a vault called “AWS” containing items named “default”, “profile1”, and “profile2”.

I’ve tested this with the AWS CLI v2, terraform 1.2.2, and some boto3 scripts (which is 95% of my CLI usage).
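
To show what the AWS CLI/SDK expects back from a credential_process command, here is an added example of a minimal helper; it is not the op-aws-credentials.py script mentioned above. It assumes `op item get --format json` returns a `fields` list whose entries carry `label` and `value`; the names `build_credentials`, `fetch_item` and `LABELS` are hypothetical, and the sample item is constructed with fake values.

```python
#!/usr/bin/env python3
"""Minimal credential_process helper (illustrative; not the author's script)."""
import argparse
import json
import subprocess
import sys

# Field labels the post lists as accepted, mapped to the keys AWS expects.
LABELS = {
    "access key id": "AccessKeyId", "access_key_id": "AccessKeyId",
    "secret access key": "SecretAccessKey", "secret_access_key": "SecretAccessKey",
}

# Constructed sample of the assumed `op item get --format json` shape (fake values).
SAMPLE_ITEM = {"title": "default", "fields": [
    {"label": "access key id", "value": "AKIAEXAMPLEEXAMPLE00"},
    {"label": "secret access key", "value": "constructed-secret-not-real"},
    {"label": "notesPlain", "value": ""},
]}


def build_credentials(item):
    """Turn a 1Password item dict into the credential_process JSON payload."""
    creds = {"Version": 1}  # the only version the AWS CLI/SDK accepts
    for field in item.get("fields", []):
        key = LABELS.get(str(field.get("label", "")).strip().lower())
        if key and field.get("value"):
            creds[key] = field["value"]
    missing = {"AccessKeyId", "SecretAccessKey"} - set(creds)
    if missing:
        # Name the missing fields only; never echo secret values.
        raise ValueError("item is missing: " + ", ".join(sorted(missing)))
    return creds


def fetch_item(vault, item):
    """Ask the 1Password CLI for the item as JSON; its stderr passes through."""
    cmd = ["op", "item", "get", item, "--vault", vault, "--format", "json"]
    out = subprocess.run(cmd, check=True, stdout=subprocess.PIPE, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("--vault", required=True)
    parser.add_argument("--item", required=True)
    args = parser.parse_args()
    try:
        # stdout must carry only the JSON document the AWS CLI/SDK parses.
        print(json.dumps(build_credentials(fetch_item(args.vault, args.item))))
    except (ValueError, OSError, subprocess.CalledProcessError) as exc:
        sys.exit(f"op-aws-credentials: {exc}")  # message to stderr, exit code 1
```

Long-term access keys need no SessionToken or Expiration in the output, so the payload carries only Version, AccessKeyId and SecretAccessKey.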