by timmattison 1722 days ago
We actually just did a livestream today at AWS about how to store a credential in an HSM to avoid having IAM credentials in clear text. You can see it here - https://www.twitch.tv/aws/video/1156973272

We haven’t released the code yet but are in the process. If you think this could work for you or you’d just like to see how we did it DM me on Twitter @timmattison and I’ll give you the code ASAP.


3 years ago, I implemented a library to do this for Python/boto3: https://github.com/pyauth/exile - because of assumptions that the sigv4 signers make in botocore, it actually has to do a bit of monkeypatching to get them to work. I tried to get the change merged upstream to make the botocore signers more flexible (https://github.com/boto/botocore/issues/1689) but my PR is still open.
Wow, I tried this (or another similar project) a few years back and loved it. Nice work! Sorry it is still pending though. I don’t work on the SDKs unfortunately.

On the auth side, the major change since then is that you can use the IoT credentials provider to provide certificate based auth to all services (https://docs.aws.amazon.com/iot/latest/developerguide/author...). You don’t need to be using any of the other IoT services. It was created to make it easier for devices to use AWS services but can be used by anyone/anything.

What we did was combine the AWS CLI feature to source credentials from an external process (https://docs.aws.amazon.com/cli/latest/userguide/cli-configu...) with a script to do the certificate based auth. This allows you to obtain STS credentials using a certificate and pass them to the CLI (access key, secret key, session token). Your secure hardware just needs to do the normal work of assisting in the mutual TLS auth which in our case was done with curl and Zymbit’s OpenSSL engine. We are releasing that code along with a SoftHSM2 setup so people can see how it works in a test environment.
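The workflow described above (AWS CLI `credential_process` plus a script that does certificate-based auth against the IoT credentials provider) can be sketched as a small helper like the following. This is an added example, not the code timmattison says AWS is releasing: the endpoint, role alias, thing name and certificate paths are hypothetical placeholders, the client key is assumed to be a plain PEM file rather than one held behind an OpenSSL engine, and the sample provider response is constructed so the mapping can be exercised offline.

```python
"""
Added example: a credential_process helper that turns an AWS IoT credentials
provider response into the JSON the AWS CLI expects from an external
credential source. Not the code from the thread; all endpoint/cert values
below are placeholders.
"""
import json
import ssl
import sys
import urllib.request

# Placeholder values (hypothetical). The real host comes from
# `aws iot describe-endpoint --endpoint-type iot:CredentialProvider`.
IOT_CREDENTIAL_ENDPOINT = "EXAMPLE-ats.credentials.iot.us-east-1.amazonaws.com"
ROLE_ALIAS = "example-role-alias"
THING_NAME = "example-thing"
CLIENT_CERT = "/path/to/device.pem.crt"       # placeholder
CLIENT_KEY = "/path/to/device.private.key"    # placeholder; an OpenSSL
                                              # engine would supply this instead

# Constructed sample of what the credentials provider returns, used offline.
SAMPLE_RESPONSE = {
    "credentials": {
        "accessKeyId": "ASIAEXAMPLE",
        "secretAccessKey": "EXAMPLESECRET",
        "sessionToken": "EXAMPLETOKEN",
        "expiration": "2021-10-09T12:00:00Z",
    }
}


def to_credential_process(iot_response: dict) -> dict:
    """Map the provider's JSON to the credential_process schema.

    The provider returns {"credentials": {"accessKeyId", "secretAccessKey",
    "sessionToken", "expiration"}}; the CLI wants "Version": 1 with
    capitalised keys and an ISO-8601 "Expiration" so it knows when to
    re-run the process. Missing fields raise rather than emit a half
    credential that the CLI would silently treat as long-lived.
    """
    creds = iot_response.get("credentials", {})
    for required in ("accessKeyId", "secretAccessKey", "sessionToken", "expiration"):
        if required not in creds:
            raise ValueError(f"credentials provider response missing {required}")
    return {
        "Version": 1,
        "AccessKeyId": creds["accessKeyId"],
        "SecretAccessKey": creds["secretAccessKey"],
        "SessionToken": creds["sessionToken"],
        "Expiration": creds["expiration"],
    }


def fetch_credentials(endpoint: str, role_alias: str, thing_name: str,
                      cert: str, key: str) -> dict:
    """Perform the mutual-TLS GET against the IoT credentials provider.

    The device certificate authenticates the caller; the role alias selects
    which IAM role the STS credentials are issued for.
    """
    ctx = ssl.create_default_context()           # verifies the AWS server cert
    ctx.load_cert_chain(certfile=cert, keyfile=key)
    url = f"https://{endpoint}/role-aliases/{role_alias}/credentials"
    req = urllib.request.Request(url, headers={"x-amzn-iot-thingname": thing_name})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # `--offline` exercises the mapping with the constructed sample only.
    if "--offline" in sys.argv:
        response = SAMPLE_RESPONSE
    else:
        response = fetch_credentials(IOT_CREDENTIAL_ENDPOINT, ROLE_ALIAS,
                                     THING_NAME, CLIENT_CERT, CLIENT_KEY)
    # credential_process contract: print the JSON document on stdout.
    json.dump(to_credential_process(response), sys.stdout)
```

Wired in with a profile such as `[profile iot-cert]` / `credential_process = /usr/local/bin/iot-creds.py` in `~/.aws/config`, the CLI re-invokes the script when the returned `Expiration` passes, so only short-lived STS credentials ever sit in memory and nothing long-lived is written to disk; the private key never leaves the script's TLS handshake, which is the part a hardware token or HSM takes over.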

Neat! An HSM sounds like way overkill for a developer machine, but I could see that being useful for other use cases.

The TPM is a good option because every non-Mac ships with one already (and there are similar facilities available on macs).

In this case it was a Zymbit Zymkey 4i which contains a secure element with a bunch of additional functionality (tamper detection, etc) and works with a Raspberry Pi. Now I’m wondering how easily it could be adapted for use on a laptop with a TPM…
If you are looking for some references besides my linked code, this comment[0] on the tpm2-tools repo will probably be useful. FWIW, I've moved my workflow over to having long lived aws keys protected by my TPM and then I generate session credentials from that for normal aws cli usage.

[0]: https://github.com/tpm2-software/tpm2-tools/issues/1597#issu...

I also have this exact use case however I'm not on Twitter. Is there another way to contact you or see the code? Thanks.
You can email me at tim at mattison dot org if that works for you