Struggling with aws keys in the CLI using secret references in developer tools

manach
Community Member

Hello! I'm on a Mac, using the latest version of 1Password cli (2.1.0). I'm trying to use secret references to log onto the aws cli and I'm not sure what I'm doing wrong. I'm trying to sign into my "CRC2" profile.

This gives the correct output:
op run --no-masking --env-file=/Users/manach/.config/op/aws-env/CRC2/.env -- printenv access_key

And this also gives the correct output:
op run --no-masking --env-file=/Users/manach/.config/op/aws-env/CRC2/.env -- printenv secret_key

But this returns "unable to locate credentials":
op run --env-file=/Users/manach/.config/op/aws-env/CRC2/.env -- aws ec2 describe-instances --profile CRC2

Can anyone show me what I'm doing wrong? Thanks for your help.


1Password Version: 8.7.0
Extension Version: Not Provided
OS Version: macOS 12.3.1

Comments

  • matthewf
    Community Member
    edited May 2022

    Two suggestions:

    First, it looks like your .config/op/aws-env/CRC2/.env file defines the environment variables access_key and secret_key. But the aws CLI requires them to be named AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

    So your .env file should probably look like this:

    AWS_ACCESS_KEY_ID=op://{{vault}}/{{item}}/access_key_id
    AWS_SECRET_ACCESS_KEY=op://{{vault}}/{{item}}/secret_access_key
    

    Second: if you're using op to inject credentials via environment variables, then you shouldn't need the --profile CRC2 switch. (That switch tells aws CLI to fetch credentials for the CRC2 profile from your ~/.aws/credentials file)

  • matthewf
    Community Member

    Two suggestions:

    First, it looks like the environment variables in your ~/.config/op/aws-env/CRC2/.env file are named access_key and secret_key - but aws CLI requires them to be named AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. So your environment file should look something like this:

    AWS_ACCESS_KEY_ID=op://{{vault}}/{{item}}/access_key_id
    AWS_SECRET_ACCESS_KEY=op://{{vault}}/{{item}}/secret_access_key
    

    Second, you probably don't need the --profile CRC2 switch. That switch instructs aws CLI to get the credentials for the CRC2 profile from your ~/.aws/credentials file - which isn't necessary now that op is supplying the credentials via environment variables.
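
An added example, not part of the thread and not 1Password or AWS code: a lint for an env file of the kind passed to `op run --env-file`, catching the variable-name problem diagnosed above. It goes one step beyond the thread by also flagging a credential stored as a literal instead of an `op://` reference. The function name `check_aws_env`, the finding labels, and the vault and item names in the sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: lint an env file before handing it to `op run --env-file`.
# Prints one finding per line; returns 0 only if both variables the aws CLI
# reads are present and both are op:// secret references.
check_aws_env() (
  file=$1; rc=0; seen=" "
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac      # skip blanks and comments
    name=${line%%=*}; value=${line#*=}
    [ "$name" = "$line" ] && continue             # no '=' on this line
    seen="$seen$name "
    case $name in
      AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY)
        # A literal value means a long-lived key sits in plaintext on disk.
        case $value in
          op://*) echo "OK $name is a secret reference" ;;
          *)      echo "PLAINTEXT $name is not an op:// reference"; rc=1 ;;
        esac ;;
      *)
        # Look-alike names such as access_key are exported but never read.
        case $(printf '%s' "$name" | tr 'a-z' 'A-Z') in
          *ACCESS_KEY*|*SECRET_KEY*)
            echo "IGNORED $name is not a name the aws CLI reads"; rc=1 ;;
        esac ;;
    esac
  done < "$file"
  for name in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY; do
    case $seen in *" $name "*) ;; *) echo "MISSING $name"; rc=1 ;; esac
  done
  [ "$rc" -eq 0 ]
)

# Demo on a constructed file that uses the lowercase names from the question.
# ExampleVault and ExampleItem are placeholder names, not real items.
demo() {
  tmp=$(mktemp)
  printf '%s\n' \
    'access_key=op://ExampleVault/ExampleItem/access_key_id' \
    'secret_key=op://ExampleVault/ExampleItem/secret_access_key' > "$tmp"
  check_aws_env "$tmp" || echo "env file is not usable with the aws CLI yet"
  rm -f "$tmp"
}
demo
```

The check only reads the file; it never resolves the references, so it can run without an unlocked 1Password session.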

  • manach
    Community Member

    Thank you! I had wondered if --profile might somehow be to blame, but couldn't think of a mechanism that would make it work without it. And thank you for the tip about the var names--I had originally named them that, and changed them as one debugging iteration when I noticed that the output for "aws configure list --profile [x]" returned the lowercase vars. I haven't gotten to test this yet but thanks for replying on a Saturday, and I hope you have a great weekend!

  • manach
    Community Member

    It's working! 🎉🎉🎉 Thanks so much for your help.

  • Hi @manach - it's great that @matthewf's advice was helpful here. Thank you @matthewf!

    If you do have any further questions, let us know and we'll be happy to help. We're a bit busier than usual at the moment given the launch of 1Password 8 for Mac, but will nevertheless get back to you - if you don't hear from knowledgeable community members first. 😃

This discussion has been closed.