Secure Multiple Account Management#

You can run Idem against multiple cloud accounts and providers. The Idem acct tool lets you specify cloud account and provider information in a file. The acct tool is a dependency of Idem. It is used to encrypt the file that stores the account information securely on the file system.

Support for file-based authentication was added as of Idem 6. Additional authorization mechanisms are expected in future Idem releases.

Static Account Management#

In this example, you create a file in which to store credentials. The file is a simple YAML file that can store credentials for multiple providers and accounts.

The following example creds.yml file includes sample aws system values. The only profile shown is an aws default profile, but you could have multiple sections with profiles for more providers and accounts.


After creating the file with credentials in it, run the acct tool to encrypt the file:

$ acct encrypt creds.yml
New encrypted file created at: creds.yml.fernet
The file was encrypted with this key:

Now you have an encrypted credentials file and a key to access it. Keep the key in a safe place.

To run idem with credentials stored in the file, use the –acct-file and –acct-key options.

In addition, you can use the –acct-profile option to select a profile from within a credentials file that contains multiple profiles. In the example above, default is the account profile.

If there are multiple profiles, and you don’t supply the –acct-profile option, the default profile is used.

If you don’t want to pass account information as CLI options, you can set the following environment variables:

export ACCT_FILE=<full path to creds.yml.fernet>
export ACCT_KEY=<creds file encryption key>


Before an acct_file is encrypted, it will be passed through the specified acct render pipes. The default render pipe is “jinja|yaml”

$ idem encrypt credentials.yaml --render-pipe="jinja|yaml"


If no ACCT_KEY is provided, then acct will assume that the ACCT_FILE is unencrypted.

For states/exec modules to specify a custom acct render pipe, it needs to be specified in the idem config file.

# idem-config.cfg
  render_pipe: jinja|yaml


If the idem config file specifies allowed_backend_profiles, then only backend profiles with names in this list will be processed by acct. The default is to process ALL acct backend profiles.

The following config file shows 3 profiles that are allow-listed in the idem config file:

# idem-config.cfg
    - allowed_backend_profile_name_1
    - allowed_backend_profile_name_2
    - allowed_backend_profile_name_3

The following unencrypted credentials file has multiple profiles for account backends under the “vault” and “lastpass” providers. Each acct-backend profile contains other normal profiles for acct to use. For example, a vault acct-backend may connect to a vault data store that contains acct profiles for connecting to aws and azure. The vault acct-backend profile contains credentials for connecting to vault. The vault acct-backend plugin connects to vault and collects more credentials for idem projects from vault. Only profile names that match the “acct:allowed_backend_profiles” config option will be used to collect more credentials from the acct backend profiles. This way, a user can be selective about which acct-backend to use in the case of conflicts.

$ idem exec --acct-file=credentials.yaml --config=idem-config.cfg


The pop-serial plugin that is used by acct to serialize acct data before it is encrypted can be specified in the idem config file. The default plugin for serializing data in acct is “msgpack”:

# idem-config.cfg
  serial_plugin: msgpack