How I get rid of access keys for AWS.
Matt Shirilla
Helping organizations create secure cloud environments that accelerate their businesses.
Scott Piper of Wiz wrote a nice series about getting rid of access keys in the cloud: "These keys are problematic because they never expire, so they end up in places that…could still be found and used by an attacker years later." I thought I would share how I avoid storing non-expiring access keys in my Terraform projects.
For my personal Terraform Cloud-based projects, I use AWS Security Token Service (AWS STS) to create temporary, expiring security credentials. I typically need the credentials for a couple of hours, so I set the --duration-seconds flag to 7200. If my session goes longer than that, I run aws sts assume-role again and update the Terraform variable set again.
aws sts assume-role \
  --role-arn arn:aws:iam::123456789012:role/tfc-role \
  --role-session-name matts-tfc-session \
  --duration-seconds 7200
I then add the credentials to the Terraform Cloud variable set as shown below. Notice that the credentials include AWS_SESSION_TOKEN in addition to AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
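As an added example (not code from the original post), the following Python turns the JSON that aws sts assume-role prints into the three sensitive env variables for the variable set, and rejects anything that is not a short-lived STS credential: a long-lived key (AKIA prefix) pasted by mistake, a missing session token, an already-expired credential, or one that outlives the requested duration. The STS output and the clock are constructed placeholders, and the dict shape mirrors the Terraform Cloud variable attributes (key, value, category, sensitive); the variable-set API call itself is left out.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of what `aws sts assume-role --duration-seconds 7200`
# prints; the values are placeholders, not real credentials.
SAMPLE_STS_OUTPUT = json.dumps({"Credentials": {
    "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER",
    "SecretAccessKey": "example-secret-placeholder",
    "SessionToken": "example-session-token-placeholder",
    "Expiration": "2024-01-01T14:00:00+00:00",
}})
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock, 2h before expiry

# STS field -> environment variable Terraform reads from the variable set.
ENV_VAR_NAMES = {
    "AccessKeyId": "AWS_ACCESS_KEY_ID",
    "SecretAccessKey": "AWS_SECRET_ACCESS_KEY",
    "SessionToken": "AWS_SESSION_TOKEN",
}

def parse_expiration(value):
    # STS prints ISO 8601; the CLI may emit '+00:00' or a trailing 'Z'.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def tfc_env_vars(sts_json, max_duration_seconds, now):
    """Return the three sensitive 'env' variables for the variable set, or raise
    ValueError if the key is long-lived, lacks a token, is expired or outlives the request."""
    creds = json.loads(sts_json)["Credentials"]
    missing = [k for k in ENV_VAR_NAMES if not creds.get(k)]
    if missing:
        raise ValueError(f"incomplete STS credential, missing {missing}")
    # Temporary STS key IDs start with ASIA; long-lived IAM user keys with AKIA.
    if not creds["AccessKeyId"].startswith("ASIA"):
        raise ValueError("not a temporary STS credential")
    remaining = parse_expiration(creds["Expiration"]) - now
    if remaining <= timedelta(0):
        raise ValueError("credential already expired, run assume-role again")
    if remaining > timedelta(seconds=max_duration_seconds):
        raise ValueError("credential outlives the requested duration")
    return [{"key": env, "value": creds[field], "category": "env", "sensitive": True}
            for field, env in ENV_VAR_NAMES.items()]

def is_usable(sts_json, max_duration_seconds, now):
    # True when tfc_env_vars accepts the credential, False when it rejects it.
    try:
        tfc_env_vars(sts_json, max_duration_seconds, now)
        return True
    except ValueError:
        return False
```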
This is a really easy way to give Terraform Cloud access to my AWS account without creating a non-expiring access key, and it protects me from the risk that comes with handing credentials to a third-party service.