Script to Insert AWS API Credential

Question

I am trying to write a script to insert the API credentials in the awscreds.template. However, the Secret contains special characters. As an example:

AWSAccessKeyId=AKIAJ5YhzvVUZnPTBVRA
AWSSecretKey=fRUZnUVUZnUvYhzvJVpwyn/xN3Oo0l3icqRy0//+

My script requests:

echo "Entre the Access Key, followed by an ENTER:"
read access
echo "Entre the Secret Key, followed by an ENTER:"
read secret

And then inserts it into the file:

sed -i '/AWSAccessKeyId=/s/$/'$access'/' awscreds.template

sed -i '/AWSSecretKey=/s/$/'$secret'/' awscreds.template

However, when I run the script I get the following:

sed: -e expression #1, char 44: unknown option to `s'

After doing a bit of research, I made sure to use the ' ' to restrict the input, but I still get the same alarm. But why am I still getting this error?

Which version of `sed` are you using? i.e. output of `sed --version`. Working fine on `GNU sed version 4.2.1` — Inian, Sep 26 '16 at 09:54
Good question. Pre-installed on the AMI: **GNU sed version 4.2.1** — SSF, Sep 26 '16 at 09:58

SLePort · Answer 1 · 2016-09-26T19:36:41.103

2

The AWSSecretKey value contain / character which is used as a delimiter in your sed command.

Try to replace the sed subtitution delimiter with another character.

eg :

sed -i '/AWSAccessKeyId=/s~$~'"$access"'~' awscreds.template
sed -i '/AWSSecretKey=/s~$~'"$secret"'~' awscreds.template

edited Sep 26 '16 at 19:36

answered Sep 26 '16 at 10:22

SLePort

15,211
3
34
44

Wow! Nice observation! Was thinking on similar-lines, just spot-on! – Inian Sep 26 '16 at 10:25
But if I replace it with another character, wouldn't that change the secret and as a result will not send metrics to AWS cloudwatch. – SSF Sep 26 '16 at 11:30
The secret will not be changed, you just replace sed `s` command delimiter here. See more about this issue [here](http://stackoverflow.com/questions/9366816/sed-unknown-option-to-s). – SLePort Sep 26 '16 at 12:11
1

Replacing the delimiter just changes the problem from `/` to the replacement character, it doesn't solve it. Also there's other problematic characters likw `&` and `\1`. To solve it with sed you need http://stackoverflow.com/questions/29613304/is-it-possible-to-escape-regex-metacharacters-reliably-with-sed so you're better off just using awk since it can work with literal strings. – Ed Morton Sep 26 '16 at 18:53
@EdMorton Thanks for the link but the AWS secret key is [40 alpha-numeric-slash-plus characters](https://alestic.com/2009/11/ec2-credentials/), so using `~` as delimiter is absolutely safe here. The missing part of the script might be a control to check for valid input. – SLePort Sep 26 '16 at 19:36
1

@EdMorton I added the double quotes. – SLePort Sep 26 '16 at 19:38
Yeah, I guess the missing part might be sanitizing the input but I find it unlikely that the person asking this question has thought of or knows how to do that. I would not assume that what the user enters is a valid AWS secret key. – Ed Morton Sep 28 '16 at 04:38

score 1 · Answer 2 · answered Sep 26 '16 at 19:08

You need to use awk to do this robustly since sed cannot operate on arbitrary strings. This will work for any string in the input file or the replacement text:

$ secret='a&b/\t=\1' awk '/^AWSSecretKey=/ { sub(/=.*/,"="); $0=$0 ENVIRON["secret"] } 1' file
AWSSecretKey=a&b/\t=\1

score 0 · Accepted Answer · answered Oct 28 '16 at 10:15

The issue was the deliminator of sed. The credential contained / which was also used in the sed statement. So I ended up just echoing the credentials into the file. I know it is not the most elegant way of doing this. But it worked well.

 echo "AWSAccessKeyId=$access" > awscreds.template
 echo "AWSSecretKey=$secret" >> awscreds.template

Script to Insert AWS API Credential

3 Answers3