algo/docs/aws-credentials.md
Dan Guido 8ee15e6966
feat: Add AWS credentials file support (#14778)
* feat: Add AWS credentials file support

- Automatically reads AWS credentials from ~/.aws/credentials
- Supports AWS_PROFILE and AWS_SHARED_CREDENTIALS_FILE environment variables
- Adds support for temporary credentials with session tokens
- Maintains backward compatibility with existing credential methods
- Follows standard AWS credential precedence order

Based on PR #14460 by @lefth with the following improvements:
- Fixed variable naming to match existing code (access_key vs aws_access_key)
- Added session token support for temporary credentials
- Integrated credential discovery directly into prompts.yml
- Added comprehensive tests
- Added documentation

Closes #14382

* fix ansible lint

---------

Co-authored-by: Jack Ivanov <17044561+jackivanov@users.noreply.github.com>
2025-08-03 15:07:57 -06:00


AWS Credential Configuration

Algo supports multiple methods for providing AWS credentials, following standard AWS practices:

Methods (in order of precedence)

  1. Command-line variables (highest priority)

    ./algo -e "aws_access_key=YOUR_KEY aws_secret_key=YOUR_SECRET"
    
  2. Environment variables

    export AWS_ACCESS_KEY_ID=YOUR_KEY
    export AWS_SECRET_ACCESS_KEY=YOUR_SECRET
    export AWS_SESSION_TOKEN=YOUR_TOKEN  # Optional, for temporary credentials
    ./algo
    
  3. AWS credentials file (lowest priority)

    • Default location: ~/.aws/credentials
    • Custom location: Set AWS_SHARED_CREDENTIALS_FILE environment variable
    • Profile selection: Set AWS_PROFILE environment variable (defaults to "default")

Using AWS Credentials File

After running aws configure or manually creating ~/.aws/credentials:

    [default]
    aws_access_key_id = YOUR_KEY_ID
    aws_secret_access_key = YOUR_SECRET_KEY

    [work]
    aws_access_key_id = WORK_KEY_ID
    aws_secret_access_key = WORK_SECRET_KEY
    # Optional, for temporary credentials
    aws_session_token = TEMPORARY_TOKEN

To use a specific profile:

    AWS_PROFILE=work ./algo

Security Considerations

  • Credentials files should have restricted permissions (600)
  • Consider using AWS IAM roles or temporary credentials when possible
  • Tools like aws-vault can provide additional security by storing credentials encrypted

Troubleshooting

If Algo isn't finding your credentials:

  1. Check file permissions: ls -la ~/.aws/credentials
  2. Verify the profile name matches: AWS_PROFILE=your-profile
  3. Test with AWS CLI: aws sts get-caller-identity

If credentials are found but authentication fails:

  • Ensure your IAM user has the required permissions (see EC2 deployment guide)
  • Check if you need session tokens for temporary credentials
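
The troubleshooting checks above, combined into one script that reports which credential source would be picked up and whether the file mode is too open. This is an added example, not part of Algo; the function names and the script name are hypothetical, and it only mirrors the environment-then-file order documented on this page.

```shell
#!/usr/bin/env bash
# Added diagnostic, not part of Algo. Prints key names and modes only, never secret values.

# Credentials file path: AWS_SHARED_CREDENTIALS_FILE override, else the default location.
cred_file() { printf '%s\n' "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"; }

# Print the key names (not values) defined under profile $2 in INI file $1.
profile_keys() {
  awk -v want="[$2]" '
    /^[ \t]*\[.*\][ \t]*$/ { gsub(/[ \t]/, ""); in_p = ($0 == want); next }
    in_p && /^[ \t]*[A-Za-z_]+[ \t]*=/ { split($0, kv, "="); gsub(/[ \t]/, "", kv[1]); print kv[1] }
  ' "$1"
}

# Octal mode of a file: GNU stat first, BSD/macOS stat as fallback.
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Which source in the page's precedence list would supply credentials.
# Command-line -e variables outrank both but are not visible from here.
credential_source() {
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    echo "environment"; return 0
  fi
  _f=$(cred_file); _p="${AWS_PROFILE:-default}"
  [ -r "$_f" ] || { echo "none: cannot read $_f"; return 1; }
  _keys=$(profile_keys "$_f" "$_p")
  if printf '%s\n' "$_keys" | grep -qx aws_access_key_id &&
     printf '%s\n' "$_keys" | grep -qx aws_secret_access_key; then
    echo "file:$_p"; return 0
  fi
  echo "none: profile [$_p] missing or incomplete in $_f"; return 1
}

# Flag a credentials file that group or others can access (page recommends 600).
check_mode() {
  _m=$(file_mode "$1") || return 2
  case "$_m" in
    600|400) echo "ok:$_m" ;;
    *) echo "loose:$_m"; return 1 ;;
  esac
}

# Run both checks when invoked as: bash check-aws-creds.sh run
if [ "${1:-}" = "run" ]; then credential_source; check_mode "$(cred_file)"; fi
```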