encrypt ~/.awssecrets and better security for credentials

[tzz]

Currently ~/.awssecrets is unencrypted, which is a pain. I propose:

• support ~/.awssecrets.gpg which is decrypted through GPG
• support ~/.authinfo and ~/.netrc (format TBD, also should support .gpg extension)
• the Git credential system could be helpful here, if aws could talk that protocol, see http://www.kernel.org/pub/software/scm/git/docs/technical/api-credentials.html (the idea being that this supports secure credential storage outside the aws codebase, simplifying things)

[timkay]

Is your thought that the credentials should be secure, so that interactive use would obtain the key from the user or the user's session? Many people use "aws" in scripts, in which case, securing the credentials doesn't make sense, unless I am misunderstanding your goal.

Also, please confirm that you are familiar with IAM, which lets you create credentials that restrict the activity.

[tzz]

I don't use IAM but know about it. The aws docs lean towards storing credentials locally unencrypted (either in the command history or in a file). This works fine for most people, of course, but some don't want to do it, and don't want to invest into a full IAM setup. So:

• it should be optional to use any of my proposal
• with a GPG agent session in the environment, GPG won't need to ask questions. This works for people who ssh into remote machines and carry the GPG agent through. I think it's reasonable to run GPG for a .gpg file, assuming the user knows what he's doing.
• with the Git credentials, you open a socket and talk to something on the other side. That lets you support the keychain on Mac OS X, for instance, or the Windows credential storage. It's a pretty trivial text protocol.
• the plain .authinfo and .netrc formats are simply a convenience for those, like me, that keep all their credentials in a single file instead of a special file for each application.

[timkay]

Thanks for the additional details on your use cases. I do see how the encryption is interesting. Unfortunately, I'm swamped with my startup, and I don't see myself adding this feature any time soon. I would be interested in merging it if somebody else implemented.

I'll think about it some more.

[tzz]

I can definitely add .authinfo and .netrc parsing and document it. I just need you to decide how the option should be specified: should it automagically use them if .awssecrets is not available? Or explicitly somehow?

I can also add the GPG calls, again if you tell me how it should be configured. I assume it's OK to just exec("gpg") and rely on the PATH to be right? Or do you want it to be something specific, like curl is specified?

I can also write the Git credential plugin. It definitely needs to be configured with (protocol, host, path). Those should be mapped into aws, perhaps simply protocol = aws, host = aws, and path is empty. Or they could be configurable from the command line.

[timkay]

It should simply automatically detect the other sources of keys. You'll see code already there that makes a decision about several different sources for the keys.

I suppose it's ok to rely on the path. I do believe it relies on the path to find curl, though it might have to do some fiddling to support Windows. I don't recall the details. (But that's the great thing about interpreted languages... it's all right there.)

Keep in mind I don't like dependencies. People should be able to download and run it without installing anything else. (curl is alredy there in most cases.) I did just merge JSON support that loads modules only if needed, but most people won't use that feature, so it's invisible to them.

[tzz]

I won't add module dependencies for any of this. Let me know what parts of my proposal you'd like me to implement and I'll do it as a pull request (multiples, if possible). I don't want to assume you're OK with all of it, so better to be explicit. :)

Thanks.

[timkay]

Ted,

It all sounds good, as long as it isn't a lot of code... Load time for "aws" is already a problem.

...Tim

On Fri, Feb 1, 2013 at 8:58 AM, Ted Zlatanov notifications@github.comwrote:

I won't add module dependencies for any of this. Let me know what parts of my proposal you'd like me to implement and I'll do it as a pull request (multiples, if possible). I don't want to assume you're OK with all of it, so better to be explicit. :)

Thanks.

— Reply to this email directly or view it on GitHubhttps://github.com/timkay/aws/issues/39#issuecomment-13002969.

Timothy Kay m: +1-650-248-0123 Skype: timkay Boopsie - Why search when you can FIND!

[tzz]

OK, just the Git credential support is left. I am writing the netrc credential helper itself; the way it works is that you call git-credential-netrc --file AUTHFILE get and then you print to the helper host=X\nusername=Y. In response the helper will print whatever it finds that matches those criteria. I'll update here when I propose it to the Git folks. Thanks.

[tzz]

I've now implemented all the items I listed in this issue, so if you accept pull request #41, this issue can be closed as well.

[tzz]

This is done, I think.