No need for IAM users when we have Yubikeys

Overview


As far as I can tell, the only justification for AWS IAM users that I still hear nowadays is usage on non-interactive systems outside of AWS, e.g. a Raspberry Pi in your closet. This repo uses the little-known iot:AssumeRoleWithCertificate functionality, i.e. the AWS IoT credentials provider, which exchanges an X.509 client certificate presented over mutual TLS for temporary IAM credentials, to avoid that.

Specifically, it uses the "card authentication" slot on a Yubikey to store a TLS certificate and private key. This slot can be used to sign requests without a PIN or touch - perfect for the Raspberry Pi use case. The flip side is that anyone who can plug the Yubikey into a machine can obtain credentials, so the trust policy and permissions of the role being assumed are the controls that matter; what comes back is a short-lived session, not a long-lived access key.

Can you think of any other use cases for IAM users? I'd love to hear them. Please open an issue on this repo and let me know!

Usage

```shell
# this command enrols the currently attached Yubikey as an identity that can
# assume two IAM roles.
$ cloudkey enrol \
    --identity unique-name-for-this-identity \
    --role role-name-that-can-be-assumed \
    --role maybe-a-second-role-name-too

# this command returns temporary IAM credentials in the format expected by the
# aws cli and sdks.
$ cloudkey credentials role-name-that-can-be-assumed

# the above command is expected to be used in ~/.aws/config and look like the
# following:
#
# [profile my-profile]
# credential_process = cloudkey credentials role-name-that-can-be-assumed
#
# usage:
$ aws s3 ls --profile my-profile
```
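The exchange that sits behind `credential_process` above, written out as an added Go example; this is not cloudkey's own code. It builds the mutual-TLS request to the AWS IoT credentials provider (`GET https://<credentials endpoint>/role-aliases/<role alias>/credentials`, optionally with the `x-amzn-iot-thingname` header), rejects non-200, incomplete or already-expired replies, and re-shapes a good reply into the JSON shape the AWS CLI and SDKs expect from a `credential_process` helper. The environment variable names are this example's own, and the certificate and key are loaded from PEM files as a stand-in for the Yubikey's card-authentication slot; with a Yubikey the `tls.Certificate.PrivateKey` field would instead hold a `crypto.Signer` backed by the PIV slot, which is the only thing the TLS handshake needs.

```go
package main

import (
	"context"
	"crypto/tls"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"os"
	"time"
)

// iotCredentialsResponse is the body the AWS IoT credentials provider returns.
type iotCredentialsResponse struct {
	Credentials struct {
		AccessKeyID     string `json:"accessKeyId"`
		SecretAccessKey string `json:"secretAccessKey"`
		SessionToken    string `json:"sessionToken"`
		Expiration      string `json:"expiration"`
	} `json:"credentials"`
}

// CredentialProcessOutput is the JSON the AWS CLI and SDKs expect from credential_process.
type CredentialProcessOutput struct {
	Version         int    `json:"Version"`
	AccessKeyID     string `json:"AccessKeyId"`
	SecretAccessKey string `json:"SecretAccessKey"`
	SessionToken    string `json:"SessionToken"`
	Expiration      string `json:"Expiration"`
}

// NewCredentialsRequest builds GET https://<endpoint>/role-aliases/<alias>/credentials.
// thingName is optional; when sent, IoT policies attached to the cert can reference it.
func NewCredentialsRequest(ctx context.Context, endpoint, roleAlias, thingName string) (*http.Request, error) {
	if endpoint == "" || roleAlias == "" {
		return nil, fmt.Errorf("credentials endpoint and role alias are required")
	}
	u := fmt.Sprintf("https://%s/role-aliases/%s/credentials", endpoint, roleAlias)
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, u, nil)
	if err != nil {
		return nil, err
	}
	if thingName != "" {
		req.Header.Set("x-amzn-iot-thingname", thingName)
	}
	return req, nil
}

// ToCredentialProcess validates the provider's reply and re-shapes it for credential_process.
// A non-200 status, a missing field or a non-future expiration is an error, so a broken reply
// never reaches the CLI looking like valid credentials.
func ToCredentialProcess(status int, body []byte, now time.Time) (*CredentialProcessOutput, error) {
	if status != http.StatusOK {
		return nil, fmt.Errorf("credentials provider returned HTTP %d: %s", status, body)
	}
	var resp iotCredentialsResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, fmt.Errorf("decoding credentials response: %w", err)
	}
	c := resp.Credentials
	if c.AccessKeyID == "" || c.SecretAccessKey == "" || c.SessionToken == "" {
		return nil, fmt.Errorf("credentials response is missing a required field")
	}
	exp, err := time.Parse(time.RFC3339, c.Expiration)
	if err != nil || !exp.After(now) {
		return nil, fmt.Errorf("expiration %q is invalid or not in the future", c.Expiration)
	}
	return &CredentialProcessOutput{Version: 1, AccessKeyID: c.AccessKeyID, SecretAccessKey: c.SecretAccessKey,
		SessionToken: c.SessionToken, Expiration: exp.UTC().Format(time.RFC3339)}, nil
}

// main loads a PEM cert/key as a stand-in for the Yubikey slot (env var names are assumptions).
func main() {
	cert, err := tls.LoadX509KeyPair(os.Getenv("IOT_CERT_FILE"), os.Getenv("IOT_KEY_FILE"))
	check(err)
	// cert.PrivateKey only has to satisfy crypto.Signer, which is how a Yubikey PIV slot can
	// back the handshake without the private key ever leaving the device.
	client := &http.Client{Timeout: 10 * time.Second, Transport: &http.Transport{
		TLSClientConfig: &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12},
	}}
	req, err := NewCredentialsRequest(context.Background(), os.Getenv("IOT_CREDENTIALS_ENDPOINT"),
		os.Getenv("IOT_ROLE_ALIAS"), os.Getenv("IOT_THING_NAME"))
	check(err)
	resp, err := client.Do(req)
	check(err)
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 64<<10))
	check(err)
	out, err := ToCredentialProcess(resp.StatusCode, body, time.Now())
	check(err)
	check(json.NewEncoder(os.Stdout).Encode(out))
}

// check exits non-zero so the CLI treats the profile as unusable instead of silently empty.
func check(err error) {
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

The credentials endpoint is account-specific (`aws iot describe-endpoint --endpoint-type iot:CredentialProvider`), and the certificate must have an IoT policy allowing `iot:AssumeRoleWithCertificate` on the role alias; the example does none of that provisioning, it only performs the exchange once those exist.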

   
Comments

Discussion thread

1. Ideally the ThingName is the cert subject. This should remain durable across cert expirations.
2. I don't think identities or certs make sense as CloudFormation resources, as they are high-cardinality data, in the same way I don't expect IdP directories to be managed with IaC.
3. I can't see any reasons for role aliases to be anything other than the role name.
4. Should I be able to manage an identity/role relationship individually, or is it only identity/roleList? If the latter, are people going to be doing read/write cycles always? If the former, do we need to handle concurrent access?
5. An alternative approach would be to keep a DynamoDB table as the source of truth for the identity/role association and make IoT changes from the DynamoDB stream.

opened by benkehoe
Document how to prepare the Yubikey and IAM role

Hello!

I'm trying out cloudkey with a Yubikey 5C NFC on macOS and I'm experiencing a few issues / things I had to find out by myself that I'd love to contribute to the documentation. Let me know what you think!

Enrollment

When running cloudkey, here's what I get:

```shell
$ ./cloudkey enrol --identity yubikey --role breakglass
Enter your PIN for 'Yubico YubiKey CCID':
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x460609c]

goroutine 1 [running]:
github.com/aidansteele/cloudkey/cmds.EnrolCmd(0xc000358280, {0x4785981?, 0x4?, 0x4?})
	/Users/christophe/workspace/cloudkey/cmds/enrol_cmd.go:57 +0x4bc
```

To make it work, I had to do the following:

1. Set a non-default PIN code for the PIV interface:

```shell
ykman piv access change-pin --pin 123456 --new-pin XXXX
```

2. Generate a new management key:

```shell
$ ykman piv access change-management-key --generate --protect
Enter the current management key [blank to use default key]:
Enter PIN: XXXX
```

3. Only then did enrollment work:

```shell
$ ./cloudkey enrol --identity yubikey --role breakglass2
Generated new private key in card authentication slot
Verified that private key is stored in Yubico device
Sending certificate signing request to AWS IoT
Received certificate from AWS IoT with ID: 715bf1e65ebdaeab78a130ea11c23fcac32020307eca06473149f480c348ad46
Stored certificate on device
Attached role names: breakglass2
```

Credentials

I wasn't familiar with IoT so I had to search around to understand how to make it work.

1. Create an IAM role with the following trust policy:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "credentials.iot.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```

For better security and to avoid relying on the IoT authorization, you can also specify the specific certificate ID of the Yubikey:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "credentials.iot.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:RoleSessionName": "715bf1e65ebdaeab78a130ea11c23fcac32020307eca06473149f480c348ad46"
                }
            }
        }
    ]
}
```

2. Then run `cloudkey credentials breakglass2`.

Requiring touch

I wasn't able to find how to require a touch to retrieve credentials. Any idea?

Thanks!

opened by christophetd
Owner
Aidan Steele