top of page
  • Akmod

Streamlining AWS Credential Management with Idem and Acct

Hello cloud enthusiasts!

Today, we're going to talk about the synergy of Idem and Acct, two key components of the POP (Plugin Oriented Programming) ecosystem, and how they can streamline your AWS credential management experience.

Idem, an open-source automation tool, and its plugins are crafted in Python 3. One of these plugins, idem-aws, allows for seamless interaction with AWS resources. Getting started with Idem is straightforward - all you need is a Python virtual environment and pip for installation:

$ python3 -m venv idemenv $ source idemenv/bin/activate (idemenv) $ pip3 install idem-aws

This process sets up Idem along with necessary libraries including POP, idem, and AWS SDK (Boto3).

Acct, an authentication plugin for Idem, has been a long-standing player in managing authentication credentials securely and transparently. With Acct, you can store AWS credentials in a YAML file:


Note: The access keys and secret keys in this example are placeholders. Always keep your real keys secure and don't share them. For those managing multiple AWS accounts, Acct supports specification of multiple credential sets under different arbitrary key names.

Acct provides the feature of encrypting this credential file using the Fernet symmetric encryption algorithm, which ensures secure storage while maintaining accessibility. Here's how it works:

(idemenv) $ idem encrypt myawscreds.yml
# The first time you run "encrypt" it will print out a key
(idemenv) $ rm myawscreds.yml

Acct then communicates to Idem the location of the encrypted file and the decryption key through environment variables:

(idemenv) $ export ACCT_FILE="/path/to/myawscreds.yml.fernet"
(idemenv) $ export ACCT_KEY="your-key"

One of the key features of Acct that simplifies credential management is its capability to edit the encrypted file directly without manual decryption, thanks to the command "idem acct_edit". This functionality is equivalent to decrypting the file, editing it, encrypting it again, and removing the plaintext file - all in one single command:

(idemenv) $ idem acct_edit myawscreds.yml.fernet

Now that we've got authentication covered, let's move on to resource creation. Below is an example YAML to create two S3 buckets using different sets of credentials provided by Acct:

Ensure first bucket exists:
    - name:"my-first-bucket"
    # With no acct_profile specified, "default" will be used
88Ensure second bucket exists:
    - name: my-second-bucket
    # Explicitly naming a profile means that profile's credentials will be used with this state
    - acct_profile: secondary

To execute this, we simply run Idem against our SLS file:

(idemenv) $ idem state myaws.sls

And just like that, you have two S3 buckets in different regions, created using different sets of credentials!

In a nutshell, the integration of Idem with Acct not only enhances security but also simplifies the process of AWS credential management. As these tools continue to evolve, we're excited about the future possibilities they hold. Keep an eye on this space for more insights and updates.


bottom of page