What about ps? #19

Closed
avioli opened this issue Mar 22, 2016 · 1 comment

avioli commented Mar 22, 2016

When you run aws-keychain exec ... the command will be in ps, along with the token.

Why not simply put them in ~/.aws/credentials, where they should be.

pda (Owner) commented Apr 5, 2016

> When you run aws-keychain exec ... the command will be in ps, along with the token.

Got an example of that happening? I think you'll find the environment passed to the command is not exposed to unprivileged users via ps.

> Why not simply put them in ~/.aws/credentials, where they should be.

Because then the secrets are stored in plaintext while at rest on disk. Keeping them encrypted in Keychain adds a layer of security, if not a perfect one. If that's not enough, see https://github.com/99designs/aws-vault for a more involved take on this, including generating time-limited session credentials.

pda closed this as completed Apr 5, 2016
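
The difference the thread turns on, environment versus command-line arguments, can be checked locally. This is an added example, not part of the original thread or of aws-keychain; `DEMO_SECRET`, `DEMO_AWS_SESSION_TOKEN`, `visible_args` and `probe` are hypothetical names, and the secret is a constructed placeholder.

```shell
#!/bin/sh
# Added example: compares what the process listing reveals when a secret is
# handed to a child through its environment versus through its arguments.
# DEMO_SECRET is a constructed placeholder, not a real credential.
DEMO_SECRET="DEMO-TOKEN-constructed-1234"

# Print the argument list the system reports for PID $1. Uses ps, and falls
# back to Linux's /proc/PID/cmdline when ps is missing or lacks -p.
visible_args() {
    out=$(ps -ww -o args= -p "$1" 2>/dev/null) || out=""
    if [ -z "$out" ] && [ -r "/proc/$1/cmdline" ]; then
        out=$(tr '\0' ' ' < "/proc/$1/cmdline") || out=""
    fi
    printf '%s\n' "$out"
}

# Start a short-lived child that receives the secret by "env" or "argv",
# then print "exposed" or "hidden" depending on whether the secret shows up
# in the child's argument list.
probe() {
    case "$1" in
        env)  DEMO_AWS_SESSION_TOKEN="$DEMO_SECRET" \
                  sh -c 'sleep 3; exit 0' demo-child >/dev/null 2>&1 & ;;
        argv) sh -c 'sleep 3; exit 0' demo-child "$DEMO_SECRET" >/dev/null 2>&1 & ;;
        *)    echo "usage: probe env|argv" >&2; return 2 ;;
    esac
    pid=$!
    sleep 1   # let the child finish exec so ps reports its own arguments
    if visible_args "$pid" | grep -F -q -- "$DEMO_SECRET"; then
        result=exposed
    else
        result=hidden
    fi
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    echo "$result"
}

echo "secret in environment: $(probe env)"
echo "secret in arguments:   $(probe argv)"
```

The check covers only the argument column of the process listing; the same user and root can still read a process's environment, for example through `/proc/PID/environ` on Linux.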