Forum Discussion
Former Member
3 years ago
Struggling with aws keys in the CLI using secret references in developer tools
Hello! I'm on a Mac, using the latest version of 1Password cli (2.1.0). I'm trying to use secret references to log onto the aws cli and I'm not sure what I'm doing wrong. I'm trying to sign into my "CRC2" profile.
This gives the correct output:
op run --no-masking --env-file=/Users/manach/.config/op/aws-env/CRC2/.env -- printenv access_key
And this also gives the correct output:
op run --no-masking --env-file=/Users/manach/.config/op/aws-env/CRC2/.env -- printenv secret_key
But this returns "unable to locate credentials":
op run --env-file=/Users/manach/.config/op/aws-env/CRC2/.env -- aws ec2 describe-instances --profile CRC2
Can anyone show me what I'm doing wrong? Thanks for your help.
1Password Version: 8.7.0
Extension Version: Not Provided
OS Version: macOS 12.3.1
- matthewf
New Contributor
Two suggestions:
First, it looks like your .config/op/aws-env/CRC2/.env file defines the environment variables access_key and secret_key. But the aws CLI requires them to be named AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
So your .env file should probably look like this:
AWS_ACCESS_KEY_ID=op://{{vault}}/{{item}}/access_key_id
AWS_SECRET_ACCESS_KEY=op://{{vault}}/{{item}}/secret_access_key
Second: if you're using op to inject credentials via environment variables, then you shouldn't need the --profile CRC2 switch. (That switch tells aws CLI to fetch credentials for the CRC2 profile from your ~/.aws/credentials file)
- matthewf
New Contributor
Two suggestions:
First, it looks like the environment variables in your ~/.config/op/aws-env/CRC2/.env file are named access_key and secret_key - but aws CLI requires them to be named AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. So your environment file should look something like this:
AWS_ACCESS_KEY_ID=op://{{vault}}/{{item}}/access_key_id
AWS_SECRET_ACCESS_KEY=op://{{vault}}/{{item}}/secret_access_key
Second, you probably don't need the --profile CRC2 switch. That switch instructs aws CLI to get the credentials for the CRC2 profile from your ~/.aws/credentials file - which isn't necessary now that op is supplying the credentials via environment variables.
- Former Member
Thank you! I had wondered if --profile might somehow be to blame, but couldn't think of a mechanism that would make it work without it. And thank you for the tip about the var names--I had originally named them that, and changed as one debugging iteration when I noticed that in the output for "aws configure list --profile " returned the lowercase vars. I haven't gotten to test this yet but thanks for replying on a Saturday, and I hope you have a great weekend!
- Former Member
It's working! 🎉🎉🎉 Thanks so much for your help.
- PeterG_1P
1Password Team
Hi @manach - it's great that matthewf's advice was helpful here. Thank you matthewf!
If you do have any further questions, let us know and we'll be happy to help. We're a bit busier than usual at the moment given the launch of 1Password 8 for Mac, but will nevertheless get back to you - if you don't hear from knowledgeable community members first. 😃
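The check from matthewf's answer, written as an added example that is not part of the thread or 1Password's own tooling: a shell function that lints an `op run --env-file` file before it is used with the aws CLI. The function name `check_aws_env_file`, the finding labels and the sample file are constructed here, and the "no AWS_ prefix" rule is a heuristic assumption.

```shell
#!/bin/sh
# Added example (not from the thread): lint an `op run --env-file` file
# before handing it to the aws CLI. One finding per line; exit 0 = clean.
check_aws_env_file() {
    env_file=$1
    findings=""
    # 1. Both names the answer says the aws CLI requires must be present,
    #    spelled exactly, and must hold op:// references, not literal keys.
    for name in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY; do
        line=$(grep -E "^${name}=" "$env_file" | tail -n 1)
        if [ -z "$line" ]; then
            findings="${findings}missing:${name}
"
        else
            case ${line#*=} in
                op://*) ;;
                *) findings="${findings}literal:${name}
" ;;
            esac
        fi
    done
    # 2. Heuristic (assumption): a name without the AWS_ prefix, such as
    #    access_key, is resolved by op but is not a credential variable
    #    for the aws CLI.
    while IFS='=' read -r key rest; do
        case $key in
            ''|'#'*|AWS_*) ;;
            *) findings="${findings}ignored:${key}
" ;;
        esac
    done < "$env_file"
    printf '%s' "$findings"
    [ -z "$findings" ]
}

# Constructed sample: the variable names from the original question.
sample=$(mktemp)
printf '%s\n' 'access_key=op://{{vault}}/{{item}}/access_key_id' \
              'secret_key=op://{{vault}}/{{item}}/secret_access_key' > "$sample"
check_aws_env_file "$sample" || echo "fix the findings above before running op run"
rm -f "$sample"
```

A `literal:` finding means the file holds a plaintext value instead of a secret reference, which is worth catching before the file is committed or shared.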