Terraform securely.

Simon Vans-Colina
Feb 16, 2016


provider "aws" {
  region = "eu-west-1"
}
resource "aws_instance" "deleteme" {
  ami           = "ami-f95ef58a"
  instance_type = "t2.micro"
}

Create a password store, encrypted with my yubikey key.

$ pass init C7F993DA
Password store initialized for C7F993DA # my yubikey key
$ pass edit aws_access_key

Interesting: I don’t need to provide the credentials explicitly if they’re available as environment variables called AWS_ACCESS_KEY and AWS_SECRET_KEY.

$ cat passt
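#!/bin/bash
# Decrypt the AWS credentials from the password store and pass them to terraform via the environment.
export AWS_ACCESS_KEY=$(pass show aws_access_key)
export AWS_SECRET_KEY=$(pass show aws_secret_key)
# "$@" forwards every argument unchanged, including ones that contain spaces.
terraform "$@"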

tl;dr: You can keep your AWS keys in a file that’s encrypted with your GPG key (which you keep on a YubiKey, of course!) and wrap terraform so that the credentials it needs are available to it.

air3:mondo-terraform simonvc$ ./passt apply
aws_instance.deleteme: Creating...
    ami: "" => "ami-f95ef58a"
    availability_zone: "" => "<computed>"
    ebs_block_device.#: "" => "<computed>"
    ephemeral_block_device.#: "" => "<computed>"
    instance_state: "" => "<computed>"
    instance_type: "" => "t2.micro"
    key_name: "" => "<computed>"
    placement_group: "" => "<computed>"
    private_dns: "" => "<computed>"
    private_ip: "" => "<computed>"
    public_dns: "" => "<computed>"
    public_ip: "" => "<computed>"
    root_block_device.#: "" => "<computed>"
    security_groups.#: "" => "<computed>"
    source_dest_check: "" => "1"
    subnet_id: "" => "<computed>"
    tenancy: "" => "<computed>"
    vpc_security_group_ids.#: "" => "<computed>"
aws_instance.deleteme: Creation complete

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

The state of your infrastructure has been saved to the path
below. This state is required to modify and destroy your
infrastructure, so keep it safe. To inspect the complete state
use the `terraform show` command.
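
A stricter variant of the passt wrapper, added here as an example and not taken from the original post: it refuses to start terraform when pass cannot decrypt an entry, and it keeps the exported credentials inside a subshell so they never reach the calling shell. PASS_BIN and TERRAFORM_BIN are hypothetical override variables, and the example assumes the secret is the first line of each pass entry.

```shell
#!/bin/bash
# passt (stricter variant): run terraform with AWS credentials from pass.
# PASS_BIN and TERRAFORM_BIN are hypothetical overrides, added here so the
# wrapper can be exercised with stubs; by default the real tools are used.

# Print the first line of a pass entry (assumption: the secret is stored
# there). Fail if pass fails, for example because the YubiKey is not
# plugged in, or if the entry is empty.
read_secret() (
    out=$("${PASS_BIN:-pass}" show "$1") || exit 1
    line=$(printf '%s\n' "$out" | head -n 1)
    [ -n "$line" ] || exit 1
    printf '%s' "$line"
)

# The function body is a subshell, so the exported credentials exist only
# for terraform and its children and never reach the calling shell.
passt_run() (
    ak=$(read_secret aws_access_key) || {
        echo "passt: cannot read aws_access_key from pass" >&2
        exit 1
    }
    sk=$(read_secret aws_secret_key) || {
        echo "passt: cannot read aws_secret_key from pass" >&2
        exit 1
    }
    # Variable names as used in the post. The AWS SDK's standard names are
    # AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
    AWS_ACCESS_KEY=$ak
    AWS_SECRET_KEY=$sk
    export AWS_ACCESS_KEY AWS_SECRET_KEY
    "${TERRAFORM_BIN:-terraform}" "$@"
)

# Run only when this file is executed as ./passt, not when it is sourced.
case "${0##*/}" in
    passt) passt_run "$@" ;;
esac
```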

Simon Vans-Colina

I remember when the internet meant running slip over telnet. Co-founder @LondonAerospace & @CryptoCLASS. Pope of the Church of Erisian Discordianism. Extropian.