by pprotas 35 days ago
`sops` combined with `age` is great! Benefit is that it doesn't tie you into 1Password's ecosystem

That looks interesting, but unless I'm missing it, it still leaves you with things like ~/.aws/credentials in plaintext on disk, doesn't it?

Yes, although there are ways around it.

The other commenter mentioned a possible workaround, but you can also authenticate with AWS through env variables. You could store these in sops and have an alias or task that routes your aws commands through sops:

  sops exec-env secrets.enc.yaml 'aws something something' # sops injects decrypted credentials into env vars at runtime

AWS allows you to set `credential_process` and have it point to a script that fetches your credential from wherever you like and prints it to stdout.
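
Added example, not part of the thread: a `credential_process` helper that decrypts the keys with `sops` in memory and prints the JSON document the AWS CLI expects, so nothing sits in `~/.aws/credentials`. The file name `secrets.enc.yaml` is reused from the comment above; the key names inside it and the helper's path are assumptions.

```python
#!/usr/bin/env python3
"""credential_process helper backed by sops (illustrative; names are assumptions).

Reference it from a profile in ~/.aws/config:
    credential_process = /path/to/this_script.py
"""
import json
import subprocess
import sys

# Assumed file location and key names inside the encrypted file.
SECRETS_FILE = "secrets.enc.yaml"
REQUIRED = {"aws_access_key_id": "AccessKeyId",
            "aws_secret_access_key": "SecretAccessKey"}
OPTIONAL = {"aws_session_token": "SessionToken"}


def to_credential_process(secrets: dict) -> dict:
    """Map decrypted sops values onto the credential_process output schema."""
    out = {"Version": 1}
    for src, dst in REQUIRED.items():
        value = secrets.get(src)
        if not isinstance(value, str) or not value:
            # Fail closed, and never echo secret values in the error text.
            raise ValueError(f"missing or empty key: {src}")
        out[dst] = value
    for src, dst in OPTIONAL.items():
        if secrets.get(src):
            out[dst] = secrets[src]
    return out


def decrypt(path: str) -> dict:
    """Decrypt with sops to JSON on stdout; no plaintext file is written."""
    proc = subprocess.run(
        ["sops", "-d", "--output-type", "json", path],
        check=True, capture_output=True, text=True,
    )
    return json.loads(proc.stdout)


if __name__ == "__main__":
    try:
        print(json.dumps(to_credential_process(decrypt(SECRETS_FILE))))
    except (OSError, subprocess.CalledProcessError, ValueError) as exc:
        # A non-zero exit makes the AWS CLI report a credential failure.
        print(f"credential helper failed: {exc}", file=sys.stderr)
        sys.exit(1)
```
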