s3cmd is a simple tool for use with Amazon’s S3 and
CloudFront networks, which I tend to use quite a lot. Like many programs, it
defaults to storing your very sensitive AWS credentials in plain text in a file
called ~/.s3cfg, which is something that we can correct using GPG.
s3cmd makes this a little more challenging than average because its convention
is to generate .s3cfg by dumping its entire set of configuration. Luckily for
us though, as of s3cmd 1.5, configuration values are allowed to be the names of
environment variables, so we can pull in our sensitive values while leaving
most of the file unencrypted for ease-of-use:
[default]
access_key = $AWS_ACCESS_KEY_ID
...
secret_key = $AWS_SECRET_KEY
...
(Note that version 1.5 is still currently under development, and may have to be
installed as a pre-release through something like brew install --devel s3cmd).
I then created a simple shell file containing my secrets which I stored to
~/.aws-credentials:
AWS_ACCESS_KEY_ID=my-access-key
AWS_SECRET_KEY=my-secret-key
And encrypted with:
$ gpg -r <your email> -e ~/.aws-credentials
$ ls ~/.aws-credentials.gpg
$ rm ~/.aws-credentials
I then opted for a simple wrapper script for s3cmd, which reads the encrypted
credentials file and exports the environment variables appropriately (saved as
~/bin/s3cmd-gpg):
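#!/bin/sh
# s3cmd-gpg
# Decrypt the credentials file and evaluate its NAME=value lines in this shell.
# This path is where the encrypted file is kept here; the encryption step above
# writes ~/.aws-credentials.gpg, so move that file or adjust the path to match.
eval "$(gpg -q -d "$DOTFILES/aws/credentials.gpg")"
# Export both variables so s3cmd can resolve the names referenced in .s3cfg.
export AWS_ACCESS_KEY_ID
export AWS_SECRET_KEY
# Pass all arguments through unchanged.
s3cmd "$@"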
And finally, added a simple alias to my *rc file:
$ alias s3cmd="s3cmd-gpg"
From there, s3cmd can be invoked normally:
$ s3cmd ls
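The wrapper above passes the decrypted file through eval, so any shell syntax in that file is executed. As an added example (not the author's script), this variant parses the two expected assignments instead; it assumes the unquoted NAME=value format and the file path shown on this page, and load_aws_credentials and main are names introduced here.

```shell
#!/bin/sh
# s3cmd-gpg (added example): parse the decrypted file instead of eval-ing it.

# Read NAME=value text from $1 and export only the two names .s3cfg references.
# Values are taken literally (unquoted, as in the page's credentials file);
# any other non-blank, non-comment line makes the function fail.
load_aws_credentials() {
    unset AWS_ACCESS_KEY_ID AWS_SECRET_KEY
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) ;;   # skip blank lines and comments
            AWS_ACCESS_KEY_ID=*) AWS_ACCESS_KEY_ID=${line#*=} ;;
            AWS_SECRET_KEY=*)    AWS_SECRET_KEY=${line#*=} ;;
            *) # do not echo the line itself: it may contain a secret
               echo "s3cmd-gpg: unexpected line in credentials file" >&2
               return 1 ;;
        esac
    done <<EOF
$1
EOF
    # Both values must be present before anything is exported.
    [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_KEY:-}" ] || return 1
    export AWS_ACCESS_KEY_ID AWS_SECRET_KEY
}

main() {
    # Same encrypted file path as the page's wrapper.
    creds=$(gpg -q -d "$DOTFILES/aws/credentials.gpg") || {
        echo "s3cmd-gpg: could not decrypt credentials" >&2
        exit 1
    }
    load_aws_credentials "$creds" || exit 1
    unset creds
    exec s3cmd "$@"
}

# Run only when installed under the name used on this page (~/bin/s3cmd-gpg).
case "${0##*/}" in
    s3cmd-gpg) main "$@" ;;
esac
```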