The issue
1Password CLI is great; having a single source for managing access keys and being able to use fingerprint ID on a Mac is such a cool feature. The AWS plugin works great, but if you want to use AWS through a third party (in this case Terraform), I failed to get it to work.
❕ This blog post is based on finding a macOS solution; mileage may vary on other operating systems.
The plan
After some searching I came across the guide "Storing AWS CLI Credentials in 1Password" by Kenneth Falck. It's now outdated and didn't work for me, but it was more than enough to point in the right direction.
So firstly, set up everything:
- AWS CLI
- 1Password CLI
- 1Password AWS plugin. ❕ I ignored Step 2: Source the plugins.sh file here as the alias it adds is no longer required.
- jq tool
The solution
Next, edit the ~/.aws/config file:
[default]
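# The inner double quotes around the field labels are escaped (\") so the whole pipeline reaches sh -c as a single argument.
credential_process = sh -c "op item get '*1PASSWORD OBJ*' --format json | jq '.fields | map({(.label):.}) | add | {Version:1, AccessKeyId:.\"access key id\".value, SecretAccessKey:.\"secret access key\".value}'"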
Amend the *1PASSWORD OBJ* name to the name of the 1Password access key entry.
If you followed the guides, the fields should be access key id and secret access key; if different, change accordingly.
credential_process allows you to load credentials from an external process.
To check it works, try aws iam get-user. If this works, try a terraform command.
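A pre-flight check for the credential_process value, added here as an example and not part of the original post: it tokenises the value with POSIX shell rules (assumed to match how the AWS CLI splits it) to show why bare inner double quotes break the command, and mirrors the jq filter on a constructed 1Password item. The item name 'Example AWS Key', the key values and the function names are assumptions.

```python
import shlex

# Constructed credential_process value with the inner double quotes escaped.
ESCAPED = (r"""sh -c "op item get 'Example AWS Key' --format json | jq '"""
           r""".fields | map({(.label):.}) | add | {Version:1, """
           r"""AccessKeyId:.\"access key id\".value, """
           r"""SecretAccessKey:.\"secret access key\".value}'" """).strip()
# The same value with bare inner double quotes.
UNESCAPED = ESCAPED.replace('\\"', '"')

# Constructed stand-in for `op item get ... --format json` output (not real keys).
SAMPLE_ITEM = {"fields": [
    {"label": "access key id", "value": "AKIAEXAMPLEPLACEHOLDER"},
    {"label": "secret access key", "value": "constructed-secret-not-real"},
    {"label": "notesPlain", "value": ""},
]}


def inner_script(value):
    """Return the script handed to `sh -c`, or None if the quoting breaks it."""
    try:
        argv = shlex.split(value)  # assumption: the AWS CLI splits like a POSIX shell
        if len(argv) != 3 or argv[:2] != ["sh", "-c"]:
            return None            # the pipeline was cut into several arguments
        shlex.split(argv[2])       # sh must also see balanced quotes
    except ValueError:
        return None
    return argv[2]


def credentials_from_item(item):
    """Python equivalent of the jq filter: index fields by label, pick two values."""
    by_label = {field["label"]: field for field in item["fields"]}
    return {"Version": 1,
            "AccessKeyId": by_label["access key id"]["value"],
            "SecretAccessKey": by_label["secret access key"]["value"]}


if __name__ == "__main__":
    for name, value in (("unescaped", UNESCAPED), ("escaped", ESCAPED)):
        script = inner_script(value)
        print(name, "->", "broken quoting" if script is None else script)
    print(credentials_from_item(SAMPLE_ITEM))
```

The dictionary returned by credentials_from_item has the three keys the jq filter emits: Version, AccessKeyId and SecretAccessKey.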
Hopefully it works... 😬
Thanks to Kenneth Falck for initially solving this.
Top comments (2)
David is correct
the way it worked for me
There are unescaped inner double-quotes that cause a parsing error.