This Flox environment enables secure AWS CLI authentication by storing AWS credentials locally using standard methods. It gives you two storage options:
- System keyring/keychain (preferred) - Uses OS security infrastructure
- Encrypted local file (fallback) - Encrypts your credentials with a system-derived key
- Locks down AWS credentials in your system keyring or in an encrypted file
- Handles AWS CLI auth automatically without manual credential entry
- Works across platforms (macOS, Linux)
- Hooks into Bash, Zsh, and Fish shells
- Includes a no-nonsense setup wizard that doesn't waste your time
The environment packs these essential tools:
- awscli2 - AWS CLI for interacting with AWS services
- gum - Terminal UI toolkit powering the setup wizard
- bat - Better `cat` with syntax highlighting
- curl - Solid HTTP client for API testing
- openssl - Cryptography toolkit backing the security layer
- jq - Pretty JSON parser
- AWS account
- AWS Access Key ID and Secret Access Key
- Flox installed on your system
Jump in with:
- Clone this repo: `git clone https://github.com/barstoolbluz/awscli && cd awscli`
- Run: `flox activate`
This command:
- Pulls in all dependencies
- Fires up the auth setup wizard
- Drops you into the Flox env with AWS CLI ready to go
First-time activation triggers a wizard that:
- Walks you through AWS credential creation if needed
- Locks your credentials in the system keyring or encrypted file
- Sets up shell wrapper functions for transparent authentication
After setup, you can directly run AWS CLI commands:
```bash
# List S3 buckets
aws s3 ls
# Describe EC2 instances
aws ec2 describe-instances
# List IAM users
aws iam list-users
```
Auth happens automatically via your configured mechanism.
We implement a two-tiered storage strategy:
- Primary Storage: System keyring/keychain
  - Uses OS security mechanisms
  - Gets the same protection as your system credentials
- Fallback Storage: Encrypted file
  - Implements AES-256-CBC encryption
  - Derives keys from unique system attributes:
    - Username
    - Hostname
    - Machine ID
  - Creates deterministic but unique keys for each system
The environment builds shell-specific wrappers that:
- Pull your credentials from secure storage
- Inject them as environment variables for AWS CLI
- Clean up after command execution
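The encrypted-file fallback and the wrapper pattern described above, as an added POSIX shell example that is not the repo's own code. It assumes `openssl` is on PATH; the exact key-derivation recipe, the credentials file layout and the `awscli_*` function names are stand-ins for whatever the wizard actually generates.

```shell
#!/bin/sh
# Added example, not the repo's own code: encrypted-file fallback plus the
# per-command wrapper. Assumes openssl in PATH; key recipe, file layout and
# function names are hypothetical stand-ins for the wizard's real ones.

# Deterministic per-machine key from username, hostname and machine ID.
# All three inputs are readable by any local account, so this key deters
# casual disclosure only, which is why the keyring is the preferred store.
awscli_derive_key() {
  local machine_id
  machine_id=$(cat /etc/machine-id 2>/dev/null || echo "no-machine-id")  # macOS: use IOPlatformUUID instead
  printf '%s|%s|%s' "$(id -un)" "$(uname -n)" "$machine_id" |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

# Encrypt "KEY_ID:SECRET" into file $1 with AES-256-CBC; umask 077 gives the
# file mode 600 from the moment it is created, not after a chmod race.
awscli_store_file() {
  ( umask 077
    printf '%s:%s' "$2" "$3" |
      openssl enc -aes-256-cbc -pbkdf2 -salt -pass "pass:$(awscli_derive_key)" -out "$1" )
}

# Decrypt file $1 and print KEY_ID:SECRET to stdout.
awscli_load_file() {
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "pass:$(awscli_derive_key)" -in "$1"
}

# Wrapper: decrypt, export into a subshell, run one command. The subshell is
# the "clean up" step: nothing is left in the caller's environment afterwards.
awscli_run() {
  local file creds
  file=$1; shift
  (
    creds=$(awscli_load_file "$file") || exit 1
    AWS_ACCESS_KEY_ID=${creds%%:*}
    AWS_SECRET_ACCESS_KEY=${creds#*:}
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
    "$@"
  )
}

# Usage with constructed placeholder credentials: store once, then wrap calls.
# awscli_store_file "$HOME/.aws-creds.enc" AKIAEXAMPLE123 examplesecret
# awscli_run "$HOME/.aws-creds.enc" aws s3 ls
```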
The environment fully supports:
- Long-term IAM user credentials
- Short-term session tokens for temporary access
- Multi-factor authentication workflows
If AWS auth breaks:
- Auth fails in environment:
  - Exit the environment
  - Run `flox activate` again; if config is FUBAR, this will re-trigger setup
- Persistent failures:
  - Exit the environment
  - Nuke the local repo folder
  - Either:
    - Clone the repo again, or
    - Create (`mkdir`) a new repo folder and run `flox pull --copy barstoolbluz/awscli`
  - Enter clean environment with `flox activate`
- Keyring issues:
  - The wizard will fall back to encrypted file storage
This works on:
- macOS (ARM64, x86_64)
- Linux (ARM64, x86_64)
- Credentials never exist as plaintext files
- System keyring implements OS-native security
- Encrypted files use system-derived keys that can't be easily guessed
- Network traffic only occurs during AWS API validation
- All sensitive files receive restricted permissions (600)
Linux Keyring Note: On Linux, both GNOME Keyring and KWallet hand stored secrets to any process running in your active, unlocked session, so an attacker who gains access to that session can dump your credentials. While sufficient for most use cases, they don't match the security of dedicated password managers.
For hardened environments:
- Consider dedicated password managers or AWS SSO for credential storage
- Lock your system when you step away