Small Lambda function which performs an Aws:Sts:AssumeRole based on the presented JWT-Token

lambda_token_auth
Overview

About

This implements an AWS Lambda handler which takes a JWT-Token, validates it and then performs an Aws:Sts:AssumeRole based on preconfigured rules. It's similar to the existing (official) TokenAuthorizer but allows more complexity in its configuration.

In practice this could, for example, authenticate a Gitlab-CI pipeline through the CI_JOB_JWT token without requiring additional long-term authentication credentials. The claims within the token allow very fine-grained control which is not possible otherwise.

Configuration

The lambda function is configured through environment variables, and a JSON document stored within S3. A list of rules is used to check whether the claims of a valid token match the criteria to allow granting a role.

Environment variables

  • CONFIG_BUCKET - (required) the S3 bucket name which contains the related configuration object
  • CONFIG_KEY - (required) the S3 object key which contains the JSON configuration
  • LOGLEVEL - (optional) loglevel - allowed values: Trace, Debug, Info, Warning, Error, Fatal and Panic

JSON configuration

{
    "jwks_url":"https://gitlab.com/-/jwks",                          // URL which contains required JWKs key information
    "role_annotations_enabled": true,                                // Also fetch IAM Role tags which could contain rules
    "role_annotation_prefix": "token_auth/",                         // IAM Role Tag-Prefix which is used for the embedded rules
    "rules":[                                                        // List of rules which would allow the AssumeRole for certain tokens
        {
            "claim_values":{                                         // The required values which the token should present
                "namespace_id":"4"
            },
            "duration":1800,                                         // Duration of the created session
            "region":"us-east-1",
            "role":"arn:aws:iam::124567910112:role/some-role-arn"    // Arn of the role which we Assume for valid tokens
        }
    ]
}

Rule annotations

With role_annotations_enabled set to true, rules will also be fetched from IAM-Role tags. The keys of the related tags should be prefixed with role_annotation_prefix, and the value of each tag should be the required claim values as a base64-encoded JSON map.
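The rule check and the tag decoding described above, as an added Go example (not the project's own code). `Rule`, `RuleFromTag` and `Matches` are hypothetical names, the `project_path` claim and tag key are constructed sample values, and the example assumes the standard base64 alphabet, that every listed claim must match, and that a rule without claim values matches nothing.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Rule holds the parts of a rule that decide whether a role may be assumed.
type Rule struct {
	ClaimValues map[string]string `json:"claim_values"`
	Role        string            `json:"role"`
}

// RuleFromTag (hypothetical) decodes one IAM role tag; ok is false for foreign tags.
func RuleFromTag(prefix, roleArn, key, value string) (Rule, bool, error) {
	r := Rule{Role: roleArn}
	if !strings.HasPrefix(key, prefix) {
		return r, false, nil
	}
	raw, err := base64.StdEncoding.DecodeString(value) // assumption: standard alphabet
	if err == nil {
		err = json.Unmarshal(raw, &r.ClaimValues) // non-string values are rejected
	}
	if err != nil {
		return r, false, fmt.Errorf("tag %q: %w", key, err)
	}
	return r, true, nil
}

// Matches requires every claim value of the rule to be present in the token.
// Assumption: a rule without claim values matches nothing (fail closed).
func (r Rule) Matches(claims map[string]string) bool {
	if len(r.ClaimValues) == 0 {
		return false
	}
	for k, want := range r.ClaimValues {
		if got, ok := claims[k]; !ok || got != want {
			return false
		}
	}
	return true
}

func main() {
	tag := base64.StdEncoding.EncodeToString([]byte(`{"namespace_id":"4","project_path":"group/app"}`)) // constructed
	r, _, _ := RuleFromTag("token_auth/", "arn:aws:iam::124567910112:role/some-role-arn", "token_auth/ci", tag)
	fmt.Println(r.Matches(map[string]string{"namespace_id": "4", "project_path": "group/app"}))
}
```

A token that carries only `namespace_id` does not satisfy this tag, which is the reason to list every claim a role depends on rather than a single broad one.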

Lambda IAM policy

The lambda itself also requires some IAM configuration. It needs:

  • s3:GetObject permissions to read the configuration from the S3 bucket
  • iam:GetRole permissions on every role to read the role's tags - if role_annotations_enabled is true
  • it has to be part of the trust policy of the related roles which it should assume once the token is valid
Owner
AOE