Linux (preferred): Encrypting AWS SSO Tokens using a keyring
Granted uses an open-source library to securely store AWS SSO tokens in a backend service. Linux desktop users can generally use a keyring to store AWS SSO tokens securely; the keyring is unlocked together with the default login keychain.
Your desktop probably already has a keyring installed by default. If this is not the case, you either need to install one (look online for “<desktop-name> keyring”) or use pass.
Prerequisites
- Installed Granted CLI tool.
- Access to AWS SSO tokens.
- A compatible Linux desktop:
  - Gnome (Gnome Keyring)
  - KDE (Kwallet)
  - Cinnamon/Linux Mint (Gnome Keyring)
- Or a FreeDesktop Secret Service compatible program:
  - Gnome Keyring (Gnome/GTK-desktops)
  - Kwallet (KDE)
  - KeePassXC (desktop-agnostic)
Configuration
Open the Granted configuration file located at ~/.granted/config. Add the following configuration to specify the backend for keyring:
    [Keyring]
    Backend = "secret-service"
    LibSecretCollectionName = "login"

Next time you run Granted, it will use the secret-service backend to store AWS SSO tokens and will not ask you to enter your password. The keyring is unlocked with the login keychain instead.
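One way to apply and check this setting from a shell, as an added example that is not part of Granted or its documentation. The function names and the `--apply` switch are hypothetical, and the script assumes `awk`, `grep` and `dbus-send` are installed.

```shell
#!/bin/sh
# Added example (not Granted's own code): apply and verify the [Keyring] settings.

# Print the value of a key inside the [Keyring] table of a Granted config file.
keyring_setting() {  # usage: keyring_setting <config-file> <key>
  awk -v key="$2" '
    /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[Keyring\][ \t]*$/); next }
    in_sec && ($0 ~ ("^[ \t]*" key "[ \t]*=")) {
      sub(/^[^=]*=[ \t]*/, ""); gsub(/^"|"[ \t]*$/, ""); print; exit
    }' "$1"
}

# Append the table from this page when the file has no [Keyring] table.
# An existing table is never rewritten: returns 1 if it names another backend.
enable_secret_service() {  # usage: enable_secret_service <config-file>
  # Create the directory and file privately if they do not exist yet.
  ( umask 077; mkdir -p "$(dirname "$1")"; [ -e "$1" ] || : > "$1" )
  if grep -Eq '^[[:space:]]*\[Keyring\]' "$1"; then
    cur=$(keyring_setting "$1" Backend)
    [ "$cur" = "secret-service" ] && return 0
    echo "existing [Keyring] Backend is '$cur'; edit $1 by hand" >&2
    return 1
  fi
  printf '\n[Keyring]\nBackend = "secret-service"\nLibSecretCollectionName = "login"\n' >> "$1"
}

# True when a Secret Service provider currently owns its well-known bus name.
# A D-Bus-activated provider may only claim the name on first use.
secret_service_running() {
  dbus-send --session --print-reply --dest=org.freedesktop.DBus \
    /org/freedesktop/DBus org.freedesktop.DBus.NameHasOwner \
    string:org.freedesktop.secrets 2>/dev/null | grep -q 'boolean true'
}

# Runs only when invoked as: sh script.sh --apply
if [ "${1:-}" = "--apply" ]; then
  secret_service_running || echo "warning: no owner for org.freedesktop.secrets" >&2
  enable_secret_service "$HOME/.granted/config"
fi
```

If the warning appears, no keyring provider is answering on the session bus, so install or start one before relying on the secret-service backend.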
To learn more about how to configure the keyring, see the settings that are exposed in Granted and the upstream library documentation.