Amazon Web Services: AWS CLI encrypted keys

Tags: amazon-web-services, encryption, command-line-interface

Is there any feature in the AWS CLI that lets me specify the secret access key in an encrypted format?

For example, a Travis CI script can contain an encrypted version of the S3 keys:


I don't like keeping AWS keys in an easily readable credentials file.

No, there isn't. Any encryption of the access key and/or secret key must be done by the software that uses them.

However, the recommended alternative to using access keys and secrets is to use IAM roles.

If Travis CI is hosted by a third party, you should use an IAM third-party role with that third party instead of access keys. That way the third party can retrieve time-limited credentials for your AWS account.

If you host Travis CI on your own EC2 instance, you can assign an EC2 instance profile (IAM role) to the instance when it is launched. That way all permissions are granted to the instance without any credentials being stored anywhere on it.


The AWS CLI supports this. As long as no credentials are assigned anywhere (command line, files or configuration), it will try to read credentials from the instance profile.


We can encrypt the keys using the AWS CLI and AWS Key Management Service (KMS).

See the Windows encryption commands below:

aws kms create-key --description "Description For the key"

Output:

$ aws kms create-key --description "Description For the key"
{
    "KeyMetadata": {
        "AWSAccountId": "361925972328",
        "KeyId": "XXXX-XXXX-XXXX-XXXX",
        "Arn": "arn:aws:kms:us-east-1:361925972328:key/15971628-e4b4-42b8-a50f-038eae00b143",
        "CreationDate": 1575535349.191,
        "Enabled": true,
        "Description": "Description For the key",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ]
    }
}

This creates the key.

Encryption commands:

# fileb:// makes the CLI read the bytes of new.txt; a bare "new.txt" would encrypt the literal string "new.txt"
aws kms encrypt --key-id XXXX-XXXX-XXXX-XXXX --plaintext fileb://new.txt --output text --query CiphertextBlob > secrets.base64.json

certutil -decode .\secrets.base64.json secrets.encrypted.json

Output:

Input Length = 430
Output Length = 159
CertUtil: -decode command completed successfully.


Decryption process using the AWS CLI and KMS

Command:

aws kms decrypt --ciphertext-blob ./secrets.encrypted.json --output text --query Plaintext > secrets.decrypted.base64

The following error will occur:

An error occurred (InvalidCiphertextException) when calling the Decrypt operation. Use the fileb:// prefix to indicate a binary file.

Command:

aws kms decrypt --ciphertext-blob fileb://./secrets.encrypted.json --output text --query Plaintext > secrets.decrypted.base64

This converts it to base64.

Command:

certutil -decode .\secrets.decrypted.base64 .\secrets.decrypted.json

Output:

Input Length = 30
Output Length = 7
CertUtil: -decode command completed successfully.

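The two answers above fit together: the KMS answer only makes sense if the KMS calls themselves are authorised by a role (the first answer's point), and its command sequence has two sharp edges, the fileb:// prefix for binary input and the UTF-16/CRLF output that Windows PowerShell redirection produces, which is why certutil -decode was needed. The following script is an added example, not code from the original question or answers. It assumes Windows PowerShell 5.1 or PowerShell 7 with AWS CLI v2 on PATH, a KMS key ID the caller may use for kms:Encrypt and kms:Decrypt, that the caller's KMS access comes from an assumed role (instance profile, SSO) rather than static keys, and that the protected file is an INI-style AWS credentials file (for example keys for a second account). The function names, parameters and file names are all assumptions.

```powershell
# Added example, not code from the original question or answers. Assumptions (none are on the page):
#   - Windows PowerShell 5.1 or PowerShell 7, AWS CLI v2 on PATH
#   - $KeyId names a KMS key the caller may use for kms:Encrypt and kms:Decrypt
#   - the KMS calls are authorised by a role (instance profile, SSO), not by static keys on this box
#   - the file being protected is an INI-style AWS credentials file (e.g. for a second account)
$ErrorActionPreference = 'Stop'

function Invoke-Aws {
    # Run the CLI and fail loudly: $ErrorActionPreference does not react to a native exit code.
    param([string[]] $CliArgs)
    $out = & aws @CliArgs
    if ($LASTEXITCODE -ne 0) { throw "aws $($CliArgs -join ' ') failed with exit code $LASTEXITCODE" }
    return ($out -join "`n")
}

function Assert-RoleIdentity {
    # Refuse to run when static keys sit in the environment, and confirm the CLI resolved a role.
    if ($env:AWS_ACCESS_KEY_ID -or $env:AWS_SECRET_ACCESS_KEY) {
        throw 'Static keys are set in the environment; the KMS calls should come from a role.'
    }
    $arn = Invoke-Aws @('sts', 'get-caller-identity', '--query', 'Arn', '--output', 'text')
    if ($arn -notmatch ':assumed-role/') { throw "Caller is $arn, not an assumed role." }
}

function Protect-AwsCredentialFile {
    param([string] $KeyId, [string] $PlainFile, [string] $CipherFile)
    Assert-RoleIdentity
    # fileb:// makes the CLI read the file's bytes; a bare path would encrypt the literal path string.
    $b64 = Invoke-Aws @('kms', 'encrypt', '--key-id', $KeyId, '--plaintext', "fileb://$PlainFile",
                        '--query', 'CiphertextBlob', '--output', 'text')
    # Write the raw bytes ourselves. Redirecting with '>' in Windows PowerShell 5.1 produces UTF-16
    # with a BOM and CRLF, which is why the answer needed certutil -decode afterwards.
    [IO.File]::WriteAllBytes($CipherFile, [Convert]::FromBase64String($b64))
    Remove-Item -LiteralPath $PlainFile -Force   # the readable copy is no longer needed
}

function Use-AwsCredentialFile {
    param([string] $CipherFile, [string] $ProfileName = 'default')
    Assert-RoleIdentity
    $b64 = Invoke-Aws @('kms', 'decrypt', '--ciphertext-blob', "fileb://$CipherFile",
                        '--query', 'Plaintext', '--output', 'text')
    # Decrypt into memory only; the plaintext never touches disk (no secrets.decrypted.json).
    $ini = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    $m = [regex]::Match($ini, "(?ms)^\[$([regex]::Escape($ProfileName))\]\s*(.*?)(?=^\[|\z)")
    if (-not $m.Success) { throw "Profile [$ProfileName] not found in decrypted credentials." }
    $kv = @{}
    foreach ($line in ($m.Groups[1].Value -split "`r?`n")) {
        if ($line -match '^\s*([A-Za-z_]+)\s*=\s*(.+?)\s*$') { $kv[$Matches[1]] = $Matches[2] }
    }
    # Export for this process only; child processes (aws, terraform, ...) inherit them.
    $env:AWS_ACCESS_KEY_ID     = $kv['aws_access_key_id']
    $env:AWS_SECRET_ACCESS_KEY = $kv['aws_secret_access_key']
    if ($kv.ContainsKey('aws_session_token')) { $env:AWS_SESSION_TOKEN = $kv['aws_session_token'] }
}

# One-time:     Protect-AwsCredentialFile -KeyId '<kms-key-id>' -PlainFile "$HOME\.aws\credentials" -CipherFile "$PWD\credentials.enc"
# Each session: Use-AwsCredentialFile -CipherFile "$PWD\credentials.enc"; aws sts get-caller-identity
```

Two caveats a practitioner should keep in mind. First, the decrypt call needs credentials of its own, so this pattern never removes the need for a trusted identity on the machine; it only moves the static keys behind a KMS key policy and a role, and wherever a role can do the job directly, the first answer's advice (no stored keys at all) is the better design. Second, the decrypted text lives in the PowerShell process's memory and in the environment of every child process it starts, and Remove-Item does not securely wipe the original file on an SSD; treat the plaintext copy as needing rotation if it was ever on disk unencrypted.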