@smithtg
Last active April 2, 2019 22:14
# Use macOS keychain to store AWS access keys
# Alias to return AWS access keys from macOS keychain as input to credential_process
# ~/.aws/cli/alias (aliases go under the [toplevel] section)
keychain =
  !f() {
    # Pass in aws profile name
    # Assumes you are using (default) login keychain
    access_key_id=$(security find-generic-password -s "aws profile ${1}" -a "AccessKeyId" -w)
    secret_access_key=$(security find-generic-password -s "aws profile ${1}" -a "SecretAccessKey" -w)
    echo \{ \
      \"AccessKeyId\":\""$access_key_id"\", \
      \"SecretAccessKey\":\""$secret_access_key"\", \
      \"Version\":1 \}
  }; f
# Using the security command line tool, store AWS keys (-w as the last option prompts for the value)
# security add-generic-password -U -s "aws profile $AWS_PROFILE" -a "AccessKeyId" -w
# security add-generic-password -U -s "aws profile $AWS_PROFILE" -a "SecretAccessKey" -w
# Configure aws profile credential_process to retrieve access keys from keychain using alias
# aws configure set credential_process "aws keychain $AWS_PROFILE" --profile $AWS_PROFILE
#[default]
#credential_process = aws keychain $AWS_PROFILE
# Access keys for profile can be deleted from ~/.aws/credentials
maelcum commented Apr 2, 2019

Hej,
great alias/script! Thank you.

FWIW: You could reduce the entries in keychain to one per identity by putting the Access_Key_ID as account name (-a) and the Secret_Access_Key as password (-w).
And then retrieve the credentials with
access_key_id=$(security find-generic-password -s "aws profile ${1}" | sed -n 's/.*acct.*="\(.*\)"/\1/p')
secret_access_key=$(security find-generic-password -s "aws profile ${1}" -w)
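
A fail-closed version of the lookup for the one-item-per-profile layout suggested in the comment above, as an added example that is not part of the gist or the comment. The function names are hypothetical, and it assumes `security` prints the account attribute as `"acct"<blob>="…"`; the point is that a missing keychain item yields a non-zero exit instead of JSON with empty credentials.

```shell
#!/usr/bin/env bash
# Added example (not the gist author's code). Function names are hypothetical.
# Keychain layout assumed: service "aws profile <name>",
# account = access key ID, password = secret access key.

# Pull the account attribute out of `security find-generic-password` output.
# Assumption: the attribute line looks like:    "acct"<blob>="AKIA..."
parse_acct() {
  sed -n 's/^ *"acct"<blob>="\(.*\)"$/\1/p' | head -n 1
}

# Escape backslashes and double quotes so a value cannot break the JSON string.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Print credential_process JSON for profile $1, or return non-zero
# with nothing on stdout.
keychain_credentials() {
  local profile service id secret
  profile="${1:-}"
  if [ -z "$profile" ]; then
    echo "usage: keychain_credentials PROFILE" >&2
    return 2
  fi
  service="aws profile ${profile}"
  id=$(security find-generic-password -s "$service" 2>/dev/null | parse_acct)
  secret=$(security find-generic-password -s "$service" -w 2>/dev/null) || return 1
  # Fail closed: never hand the CLI a document with empty credentials.
  if [ -z "$id" ] || [ -z "$secret" ]; then
    echo "no usable keychain item for '$service'" >&2
    return 1
  fi
  printf '{"Version":1,"AccessKeyId":"%s","SecretAccessKey":"%s"}\n' \
    "$(json_escape "$id")" "$(json_escape "$secret")"
}

# When run as a script with a profile name, act as the credential helper.
if [ "$#" -gt 0 ]; then
  keychain_credentials "$1"
fi
```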
