diff options
author | David Thompson <dthompson@vistahigherlearning.com> | 2019-07-03 14:55:01 -0400 |
---|---|---|
committer | David Thompson <dthompson@vistahigherlearning.com> | 2019-07-03 14:55:01 -0400 |
commit | 8290f674d1076cd9a1eb11a67990cb1a2ec3a9b5 (patch) | |
tree | 4afe02ca8340bb61d549af58eba4bd818f6e6172 /posts | |
parent | 7ba4766bad2d6180639cf73d224a2df89636a4db (diff) |
Add new post.
Diffstat (limited to 'posts')
-rw-r--r-- | posts/2019-07-03-introducing-credsummoner.md | 96 |
1 files changed, 96 insertions, 0 deletions
diff --git a/posts/2019-07-03-introducing-credsummoner.md b/posts/2019-07-03-introducing-credsummoner.md new file mode 100644 index 0000000..5709293 --- /dev/null +++ b/posts/2019-07-03-introducing-credsummoner.md @@ -0,0 +1,96 @@ +title: Introducing CredSummoner: A Lightweight Tool for Generating Temporary AWS Credentials +date: 2019-07-03 15:00:00 +tags: aws ruby +summary: Introducing a handy Ruby gem for generating temporary AWS credentials +--- + +Last week I attended a talk called "Account Automation and Temporary +AWS Credential Service" presented by two security engineers at Riot +Games during the AWS re:Inforce conference in Boston. During this +talk they released a neat tool called [Key +Conjurer](https://github.com/RiotGames/key-conjurer) under the Apache +2.0 license. + +Key Conjurer handles temporary AWS credential generation by +integrating with an organization's chosen central identity +provider. It wasn't long into their presentation that I realized that +I had created almost the exact same tool last year. There are some +big implementation differences so I thought that it would be a good +idea to share my solution as well. The company I work for is not +nearly as big as Riot, so perhaps my solution will be better for small +teams. But for the uninitiated, let's start by explaining the problem +that Key Conjurer and my own tool solve. + +## The case for temporary credentials + +Managing "permanent" AWS credentials for a development team is +difficult. Establishing a good credential rotation rhythm (especially +when you have a lot of keys) is a chore and it's all too easy for a +developer to accidentally leak the keys with a `git push` or similar. +There are people that regularly scan public GitHub repos looking for +leaked AWS credentials. + +The credential management problem only gets worse in a multi-account +environment. Each developer needs different credentials for each AWS +account in which they have an IAM user account. You might get by like +this for awhile, like I did, but eventually you have to do something +about it, so you reach for a central identity provider with SAML +support. My team chose Okta, but there are others to choose from. + +So you setup an identity provider and it seems great. Now all the +developers with AWS access are in one place and they can easily access +the AWS web console for any account, but there's a problem: They still +need IAM users in each account in order to have usable credentials for +the AWS CLI and/or SDK. + +At this point I began to understand what I really wanted: A command +line tool that could authenticate with the identity provider (Okta), +authenticate with AWS via SAML, then finally output a temporary set of +AWS credentials generated by the Security Token Service (STS). I +couldn't find any existing solution (and I guess neither could Riot's +security team) so I wrote my own. The tool was just a standalone +script that lived alongside other internal scripts in a Git +repository, but the Riot folks inspired me to make it a standalone +project. I hereby introduce +[CredSummoner](https://github.com/vhl/credsummoner)! + +## Differences with Key Conjurer + +There are a couple of significant differences between CredSummoner +and Key Conjurer. + +* CredSummoner is written in Ruby. Key Conjurer's CLI is written in + Go. Their CLI is quite a bit more user friendly, whereas mine is + decent but feels more like the quick hack it was. I'd like to + improve this in the future. + +* Key Conjurer is a web service with a backend API service, a web UI + frontend, and some Terraform files to automate the creation of all + the infrastrucure. CredSummoner is just client-only tool (though of + course it uses Okta's and Amazon's servers to do stuff) and thus + much easier to get started with, IMO. It's not entirely clear to me + why Key Conjurer needs its own dedicated web service aside from + giving the security team insight into who is using it and how often. + At my company there is no other way for developers to get AWS + credentials so there's no need for metrics like that. + +* Key Conjurer leaves out the identity provider backend so you can + plug in whatever your team uses. CredSummoner has built-in Okta + support, but there is no generic interface for plugging in a + different identity provider. Patches certainly welcome to address + this! + +## Check it out + +Install Ruby however you'd like (`apt install ruby` or whatever), then +run: + +``` +gem install credsummoner +``` + +See the +[README](https://github.com/vhl/credsummoner/blob/master/README.md) +for setup and usage instructions. + +I hope someone out there finds CredSummoner useful! |