@everlution/aws-credentials-keychain

1.1.1 • Public • Published

AWS Credentials Keychain

Store your AWS credentials securely.

Supports MFA devices.

  • On macOS, the tool uses the built-in keychain to store the credentials.
  • On Linux, it uses an AES256-encrypted file as the keychain to store the credentials.

The tool has zero dependencies, to make you feel a little bit safer.

Requirements

  • volta.sh - preferred way of managing Node versions
  • aws cli v2 - we recommend using brew to install aws cli v2, which works on both macOS and Linux
  • NodeJS v18

Quick start

# install volta
curl https://get.volta.sh | bash
# install brew
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
# install awscli
brew install awscli
# install node 18
volta install node@18

Installation

You can install the package globally with any NodeJS package manager. The preferred way is to install it through volta.

volta install @everlution/aws-credentials-keychain

# and/or

yarn global add @everlution/aws-credentials-keychain

Usage

Set credentials

aws-login --set <aws-profile>

Refresh credentials

aws-login <aws-profile> [ttl-in-hours]

Example:

aws-login default 4

Remove credentials

aws-login --remove <aws-profile>

List credentials (Linux only)

aws-login --list

On macOS, please use the built-in Keychain application to see the available credentials.

Change keychain password (Linux only)

aws-login --change-password

On macOS, please use the built-in Keychain application to change the keychain password.

Recommended AWS IAM Policy

The following policy denies access to almost all AWS resources when no MFA is used. The only exceptions are the actions that are necessary during the first sign-in.

⚠️ The user needs to sign in again after the MFA device is registered.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNonMfaAccess",
      "Effect": "Deny",
      "NotAction": [
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:EnableMFADevice",
        "iam:CreateVirtualMFADevice",
        "iam:ChangePassword"
      ],
      "Resource": ["*"],
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
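
How the statement above evaluates for different kinds of credentials, as an added example (not code from this package). It models only this one Deny statement; the function names and the request contexts are constructed for illustration. It also shows why the policy uses BoolIfExists rather than Bool: requests signed with long-term access keys carry no aws:MultiFactorAuthPresent key at all.

```javascript
// Added example, not part of the package. Models only the Deny statement above;
// "not denied" here still requires a matching Allow elsewhere to be permitted.
const NOT_ACTION = [
  "iam:GetUser", "iam:ListMFADevices", "iam:ListVirtualMFADevices",
  "iam:EnableMFADevice", "iam:CreateVirtualMFADevice", "iam:ChangePassword",
];
const MFA_KEY = "aws:MultiFactorAuthPresent";

// Condition "<operator>": { "aws:MultiFactorAuthPresent": "false" }
//   Bool:         a key missing from the request context never matches.
//   BoolIfExists: a missing key counts as a match.
function conditionMatches(operator, context) {
  if (!(MFA_KEY in context)) return operator === "BoolIfExists";
  return String(context[MFA_KEY]).toLowerCase() === "false";
}

// True when the Deny statement applies to the request.
function isExplicitlyDenied(action, context, operator = "BoolIfExists") {
  // NotAction: the statement covers every action except the listed ones.
  const excepted = NOT_ACTION.some((a) => a.toLowerCase() === action.toLowerCase());
  if (excepted) return false;
  return conditionMatches(operator, context);
}

// Constructed request contexts.
const LONG_TERM_KEYS = {};                        // plain access key: key absent
const SESSION_NO_MFA = { [MFA_KEY]: "false" };    // temporary creds, no MFA
const SESSION_WITH_MFA = { [MFA_KEY]: "true" };   // temporary creds, MFA used

function report() {
  const cases = [
    ["s3:ListAllMyBuckets", LONG_TERM_KEYS, "BoolIfExists"],
    ["s3:ListAllMyBuckets", SESSION_NO_MFA, "BoolIfExists"],
    ["s3:ListAllMyBuckets", SESSION_WITH_MFA, "BoolIfExists"],
    ["iam:EnableMFADevice", LONG_TERM_KEYS, "BoolIfExists"],
    ["s3:ListAllMyBuckets", LONG_TERM_KEYS, "Bool"], // weaker variant
  ];
  return cases.map(([action, ctx, op]) => {
    const verdict = isExplicitlyDenied(action, ctx, op) ? "explicit deny" : "not denied";
    return `${op.padEnd(12)} ${action.padEnd(22)} ${JSON.stringify(ctx)} -> ${verdict}`;
  });
}

console.log(report().join("\n"));
```

The last case is the one to watch when adapting the policy: with plain Bool, a leaked long-term access key is not caught by the Deny statement.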

Using AWS login for authentication with private CodeArtifact npm repository

You can also use the aws-login tool to automatically log in to the private NPM package hosted at AWS CodeArtifact. The only thing you need to do is provide a config JSON file located at ~/.aws/artifact.json.

Example configuration:

[
  {
    "domain": "{your domain name}",
    "repository": "{your repository name}",
    "region": "{aws region where the CodeArtifact is hosted}",
    "domainOwner": "{aws account number}",
    "profile": "{profile which should be used}",
    "namespace": "{private npm namespace}"
  },
  {
    "domain": "npm",
    "repository": "npm",
    "region": "eu-west-1",
    "domainOwner": "1234567890",
    "profile": "default",
    "namespace": "@my-company"
  }
]

As the configuration file above shows, you can define multiple CodeArtifact instances, and aws-login will log you in to each of them automatically whenever the credentials are refreshed. The maximum duration of a CodeArtifact session is limited to 12 hours.

Publish new version

Run the following command to publish the new version to the public NPM registry:

npm publish . --access public --@everlutionsk:registry=https://registry.npmjs.org

License

GPL-3.0

Collaborators

  • deftomat
  • everlutionsk