Hacker News
by timwis 36 days ago
What do folks here do to avoid having plaintext credentials on disk? I try to use 1Password's plugins where I can. I find the SSH key (and git signing) experience flawless, but the CLI experience (e.g. aws cli) pretty clunky - they often break, and they don't even have a GCP plugin last I checked.
4 comments

I use `pass` on all my personal dev workstations and phone (because I happen to own YubiKeys/OpenPGP cards with my PGP key on them anyway; I would probably use `age`/SOPS instead if I hadn't already committed to the PGP ecosystem).

If /usr/bin/bar wants a credential via a FOO_API_KEY environment variable, I create a /usr/local/bin/bar wrapper script like so:

    #!/bin/bash
    # -e/-u: stop on errors and unset variables; +x: make sure xtrace is off so
    # the decrypted key is never echoed into a trace log.
    set -eu +x

    # Only decrypt if the caller hasn't already supplied the key in the environment.
    if [[ -z "${FOO_API_KEY:-}" ]]; then
      echo >&2 Decrypting FOO_API_KEY
      FOO_API_KEY="$(pass show bar/FOO_API_KEY)"
    fi

    export FOO_API_KEY
    # exec replaces the wrapper with the real binary, so no extra shell process
    # sticks around holding the secret.
    exec /usr/bin/bar "$@"
Ooh, that's clever. Thanks for sharing.
I'm not a huge fan of 1Password; there have been way too many issues in the past with it. If you're on a Mac, I highly recommend checking out Secretive: https://github.com/maxgoedjen/secretive
Love that feeling when you read through a repo and think, "Wow, this looks cool," go to star it, and see that you already have and clearly forgot about it.

Anyway, thanks for sharing. It doesn't look like it handles CLI auth though (aws, npm, etc. all leave tokens sitting in your home directory). What do you use for those?

Or when you find some old source code at your workplace, and you're like: "this looks pretty nice, I wonder who wrote this?"
`sops` combined with `age` is great! The benefit is that it doesn't tie you into 1Password's ecosystem.
That looks interesting, but unless I'm missing it, it still leaves you with things like ~/.aws/credentials in plaintext on disk, doesn't it?
Yes, although there are ways around it.

The other commenter mentioned a possible workaround, but you can also authenticate with AWS through env variables. You could store these in sops and have an alias or task that routes your aws commands through sops:

  sops exec-env secrets.enc.yaml 'aws something something' # sops injects decrypted credentials into env vars at runtime
AWS allows you to set `credential_process` and have it point to a script that fetches your credential from wherever you like and prints it to stdout.
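As an added example (not from the thread, and not AWS's own code): a POSIX shell `credential_process` helper that pulls an access key pair out of `pass` and prints the JSON document the AWS CLI expects on stdout, so nothing is ever written to `~/.aws/credentials`. The `pass` store layout `aws/<profile>/access_key_id` and `aws/<profile>/secret_access_key`, the helper path `/usr/local/bin/aws-cred-from-pass` and the profile name `work` are assumptions for the sake of the example; the output format (`Version` must be 1, `SessionToken` and `Expiration` optional) is the one documented for `credential_process`.

```shell
#!/bin/sh
# Added example: AWS credential_process helper backed by `pass`.
#
# Assumed ~/.aws/config entry pointing at this script:
#   [profile work]
#   credential_process = /usr/local/bin/aws-cred-from-pass work
#
# The CLI runs the helper when it needs credentials and reads this JSON:
#   {"Version": 1, "AccessKeyId": "...", "SecretAccessKey": "...",
#    "SessionToken": "...", "Expiration": "..."}   (last two optional)
set -eu

# Escape backslash and double quote so the value is a valid JSON string
# (backslashes first, otherwise the escaped quotes get double-escaped).
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# credential_json ACCESS_KEY_ID SECRET_ACCESS_KEY [SESSION_TOKEN [EXPIRATION]]
# Builds the credential_process document. Only shell builtins and functions see
# the secret, so it never shows up in another process's argv.
credential_json() {
    printf '{"Version": 1, "AccessKeyId": "%s", "SecretAccessKey": "%s"' \
        "$(json_escape "$1")" "$(json_escape "$2")"
    if [ -n "${3:-}" ]; then
        printf ', "SessionToken": "%s"' "$(json_escape "$3")"
    fi
    if [ -n "${4:-}" ]; then
        # Expiration is an ISO 8601 timestamp; without it the CLI treats the
        # credentials as non-expiring and simply re-runs the helper next time.
        printf ', "Expiration": "%s"' "$(json_escape "$4")"
    fi
    printf '}\n'
}

# Decrypt the two halves from the (assumed) pass store layout and emit them.
# `pass show` prints the first line of the entry; $(...) strips the newline.
emit_from_pass() {
    profile="$1"
    key_id="$(pass show "aws/$profile/access_key_id")"
    secret="$(pass show "aws/$profile/secret_access_key")"
    credential_json "$key_id" "$secret"
}

# Invoked by the CLI as: aws-cred-from-pass <profile>
if [ -n "${1:-}" ]; then
    emit_from_pass "$1"
fi
```

Point the profile at the script, `chmod 700` it, and `aws --profile work sts get-caller-identity` will prompt your OpenPGP card or gpg-agent for the PIN on first use instead of reading a plaintext file. The same shape works for any other backend (`op read`, `sops -d`, a Secretive-style agent) by swapping out `emit_from_pass`.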
Check out Qubes OS and vault VMs and (I haven't started using yet) split SSH / GPG.