Add new post.

1 files changed, 96 insertions, 0 deletions

diff --git a/posts/2019-07-03-introducing-credsummoner.md b/posts/2019-07-03-introducing-credsummoner.md
new file mode 100644
index 0000000..5709293
--- /dev/null
+++ b/posts/2019-07-03-introducing-credsummoner.md
@@ -0,0 +1,96 @@
+title: Introducing CredSummoner: A Lightweight Tool for Generating Temporary AWS Credentials
+date: 2019-07-03 15:00:00
+tags: aws ruby
+summary: Introducing a handy Ruby gem for generating temporary AWS credentials
+---
+
+Last week I attended a talk called "Account Automation and Temporary
+AWS Credential Service" presented by two security engineers at Riot
+Games during the AWS re:Inforce conference in Boston.  During this
+talk they released a neat tool called [Key
+Conjurer](https://github.com/RiotGames/key-conjurer) under the Apache
+2.0 license.
+
+Key Conjurer handles temporary AWS credential generation by
+integrating with an organization's chosen central identity
+provider. It wasn't long into their presentation that I realized that
+I had created almost the exact same tool last year.  There are some
+big implementation differences so I thought that it would be a good
+idea to share my solution as well.  The company I work for is not
+nearly as big as Riot, so perhaps my solution will be better for small
+teams.  But for the uninitiated, let's start by explaining the problem
+that Key Conjurer and my own tool solve.
+
+## The case for temporary credentials
+
+Managing "permanent" AWS credentials for a development team is
+difficult.  Establishing a good credential rotation rhythm (especially
+when you have a lot of keys) is a chore and it's all too easy for a
+developer to accidentally leak the keys with a `git push` or similar.
+There are people that regularly scan public GitHub repos looking for
+leaked AWS credentials.
+
+The credential management problem only gets worse in a multi-account
+environment.  Each developer needs different credentials for each AWS
+account in which they have an IAM user account.  You might get by like
+this for awhile, like I did, but eventually you have to do something
+about it, so you reach for a central identity provider with SAML
+support.  My team chose Okta, but there are others to choose from.
+
+So you setup an identity provider and it seems great. Now all the
+developers with AWS access are in one place and they can easily access
+the AWS web console for any account, but there's a problem: They still
+need IAM users in each account in order to have usable credentials for
+the AWS CLI and/or SDK.
+
+At this point I began to understand what I really wanted: A command
+line tool that could authenticate with the identity provider (Okta),
+authenticate with AWS via SAML, then finally output a temporary set of
+AWS credentials generated by the Security Token Service (STS).  I
+couldn't find any existing solution (and I guess neither could Riot's
+security team) so I wrote my own.  The tool was just a standalone
+script that lived alongside other internal scripts in a Git
+repository, but the Riot folks inspired me to make it a standalone
+project.  I hereby introduce
+[CredSummoner](https://github.com/vhl/credsummoner)!
+
+## Differences with Key Conjurer
+
+There are a couple of significant differences between CredSummoner
+and Key Conjurer.
+
+* CredSummoner is written in Ruby.  Key Conjurer's CLI is written in
+  Go.  Their CLI is quite a bit more user friendly, whereas mine is
+  decent but feels more like the quick hack it was.  I'd like to
+  improve this in the future.
+
+* Key Conjurer is a web service with a backend API service, a web UI
+  frontend, and some Terraform files to automate the creation of all
+  the infrastrucure.  CredSummoner is just client-only tool (though of
+  course it uses Okta's and Amazon's servers to do stuff) and thus
+  much easier to get started with, IMO.  It's not entirely clear to me
+  why Key Conjurer needs its own dedicated web service aside from
+  giving the security team insight into who is using it and how often.
+  At my company there is no other way for developers to get AWS
+  credentials so there's no need for metrics like that.
+
+* Key Conjurer leaves out the identity provider backend so you can
+  plug in whatever your team uses.  CredSummoner has built-in Okta
+  support, but there is no generic interface for plugging in a
+  different identity provider.  Patches certainly welcome to address
+  this!
+
+## Check it out
+
+Install Ruby however you'd like (`apt install ruby` or whatever), then
+run:
+
+```
+gem install credsummoner
+```
+
+See the
+[README](https://github.com/vhl/credsummoner/blob/master/README.md)
+for setup and usage instructions.
+
+I hope someone out there finds CredSummoner useful!