August 15, 2022
Question

How-to configure AWS config credential_process + op?


In CLIv1 I was able to use something like:


```
[profile default]
region=us-west-2
credential_process = sh -c "op --account kramer get item 'AWS Production' | jq '.details.sections[2].fields | map({(.t):.}) | add | {Version:1, AccessKeyId:.aws_access_key_id.v, SecretAccessKey:.aws_secret_access_key.v}'"
```

I can't seem to figure out the v2 version of that or how to use credential_process to retrieve credentials.



7 replies

August 15, 2022

Hey @yodakramer! Thank you for reaching out to us.

To zoom out a little, can you please let us know what the structure of your item is (with the sensitive values redacted, of course) and what the desired structure of the credential_process should be?

Looking forward to hearing from you.

Best,
Horia

August 15, 2022

Thanks. I have used the examples from this blog post, https://kfalck.net/2018/03/18/storing-aws-cli-credentials-in-1password/.

The output from op looks like this:
```
{
  "Version": 1,
  "AccessKeyId": "MYKEY",
  "SecretAccessKey": "MYSECRETKEY"
}
```
And the entry looks like this:

August 15, 2022

Ah, gotcha, thanks for clarifying! A more native way for achieving this in CLI2 would be along the lines of:

```
credential_process = "{ \"Version\": 1, \"AccessKeyId\": \"$(op read op://yourvault/aws/aws_access_key_id)\", \"SecretAccessKey\": \"$(op read op://yourvault/aws/aws_secret_access_key)\" }"
```

Let us know if this works for you, otherwise we can look into further options to adapt your v1 script.
Looking forward to hearing from you, and thank you, once again, for giving v2 a try! :D

Best,
Horia

August 16, 2022

I had to make changes to your version to match what credential_process expects.


```
credential_process = sh -c 'echo "{\n \"Version\": 1,\n \"AccessKeyId\": \"$(op read op://MyVault/aws-staging/CREDENTIALS/aws_access_key_id)\",\n \"SecretAccessKey\": \"$(op read op://MyVault/aws-staging/CREDENTIALS/aws_secret_access_key)\"\n}" '
```

The AWS CLI expects a multi-line JSON return, so I added \n where needed, and it needed to be exec'd with -c passed to the shell.

This works quite well now!

August 17, 2022

Glad you got it working!! Let us know if we can help with anything else.

Best,
Horia

September 20, 2022

Here's an updated jq method, to launch op once:


```
credential_process = sh -c "op --account=... --vault=... item get --format=json --fields=label=AccessKeyId,label=SecretAccessKey ... | jq 'map({key: .label, value: .value}) | from_entries + {Version: 1}'"
```

1Password Employee
September 22, 2022

Thanks for the feedback!
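
The single-`op`-call approach from the September 20 reply, written as a standalone helper that `credential_process` can invoke; this is an added example, not code from any poster or from 1Password. The vault, item and field labels are assumptions borrowed from the thread's examples, and the sample `op` output is constructed.

```python
#!/usr/bin/env python3
"""credential_process helper: one `op` call, JSON built by a serializer."""
import json
import subprocess
import sys

# Assumed names: substitute your own vault, item and field labels.
VAULT, ITEM = "MyVault", "aws-staging"
LABELS = {"aws_access_key_id": "AccessKeyId",
          "aws_secret_access_key": "SecretAccessKey"}

# Constructed sample of `op item get --format=json --fields=...` output.
SAMPLE_OP_OUTPUT = json.dumps([
    {"label": "aws_access_key_id", "value": "AKIAEXAMPLEEXAMPLE00"},
    {"label": "aws_secret_access_key", "value": 'constructed/secret+"quoted"'},
])


def build_credentials(op_json: str) -> str:
    """Map op's field list onto the document credential_process expects."""
    fields = json.loads(op_json)
    out = {"Version": 1}
    for field in fields:
        key = LABELS.get(field.get("label"))
        if key and field.get("value"):
            out[key] = field["value"]
    missing = sorted(set(LABELS.values()) - set(out))
    if missing:
        # Report key names only; secret values never go into error text.
        raise ValueError("missing fields: " + ", ".join(missing))
    return json.dumps(out)  # the serializer handles quotes and backslashes


def main() -> int:
    cmd = ["op", "item", "get", ITEM, "--vault=" + VAULT, "--format=json",
           "--fields=" + ",".join("label=" + name for name in LABELS)]
    try:
        # Only stdout is captured; op's own prompts and errors stay on stderr.
        res = subprocess.run(cmd, check=True, stdout=subprocess.PIPE, text=True)
        print(build_credentials(res.stdout))
    except (OSError, subprocess.CalledProcessError, ValueError) as exc:
        print(f"op credential helper failed: {exc}", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Point the profile at it with `credential_process = ` followed by the script's absolute path. A non-zero exit with nothing on stdout makes the AWS CLI report a credential error instead of parsing partial output.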