Diffstat (limited to 'posts')
-rw-r--r-- posts/2019-07-03-introducing-credsummoner.md | 96
1 files changed, 96 insertions, 0 deletions
diff --git a/posts/2019-07-03-introducing-credsummoner.md b/posts/2019-07-03-introducing-credsummoner.md
new file mode 100644
index 0000000..5709293
--- /dev/null
+++ b/posts/2019-07-03-introducing-credsummoner.md
@@ -0,0 +1,96 @@
+title: Introducing CredSummoner: A Lightweight Tool for Generating Temporary AWS Credentials
+date: 2019-07-03 15:00:00
+tags: aws ruby
+summary: Introducing a handy Ruby gem for generating temporary AWS credentials
+---
+
+Last week I attended a talk called "Account Automation and Temporary
+AWS Credential Service" presented by two security engineers at Riot
+Games during the AWS re:Inforce conference in Boston. During this
+talk they released a neat tool called [Key
+Conjurer](https://github.com/RiotGames/key-conjurer) under the Apache
+2.0 license.
+
+Key Conjurer handles temporary AWS credential generation by
+integrating with an organization's chosen central identity
+provider. It wasn't long into their presentation that I realized that
+I had created almost the exact same tool last year. There are some
+big implementation differences so I thought that it would be a good
+idea to share my solution as well. The company I work for is not
+nearly as big as Riot, so perhaps my solution will be better for small
+teams. But for the uninitiated, let's start by explaining the problem
+that Key Conjurer and my own tool solve.
+
+## The case for temporary credentials
+
+Managing "permanent" AWS credentials for a development team is
+difficult. Establishing a good credential rotation rhythm (especially
+when you have a lot of keys) is a chore and it's all too easy for a
+developer to accidentally leak the keys with a `git push` or similar.
+There are people that regularly scan public GitHub repos looking for
+leaked AWS credentials.
+
+The credential management problem only gets worse in a multi-account
+environment. Each developer needs different credentials for each AWS
+account in which they have an IAM user account. You might get by like
+this for awhile, like I did, but eventually you have to do something
+about it, so you reach for a central identity provider with SAML
+support. My team chose Okta, but there are others to choose from.
+
+So you setup an identity provider and it seems great. Now all the
+developers with AWS access are in one place and they can easily access
+the AWS web console for any account, but there's a problem: They still
+need IAM users in each account in order to have usable credentials for
+the AWS CLI and/or SDK.
+
+At this point I began to understand what I really wanted: A command
+line tool that could authenticate with the identity provider (Okta),
+authenticate with AWS via SAML, then finally output a temporary set of
+AWS credentials generated by the Security Token Service (STS). I
+couldn't find any existing solution (and I guess neither could Riot's
+security team) so I wrote my own. The tool was just a standalone
+script that lived alongside other internal scripts in a Git
+repository, but the Riot folks inspired me to make it a standalone
+project. I hereby introduce
+[CredSummoner](https://github.com/vhl/credsummoner)!
+
+## Differences with Key Conjurer
+
+There are a couple of significant differences between CredSummoner
+and Key Conjurer.
+
+* CredSummoner is written in Ruby. Key Conjurer's CLI is written in
+ Go. Their CLI is quite a bit more user friendly, whereas mine is
+ decent but feels more like the quick hack it was. I'd like to
+ improve this in the future.
+
+* Key Conjurer is a web service with a backend API service, a web UI
+ frontend, and some Terraform files to automate the creation of all
+ the infrastrucure. CredSummoner is just client-only tool (though of
+ course it uses Okta's and Amazon's servers to do stuff) and thus
+ much easier to get started with, IMO. It's not entirely clear to me
+ why Key Conjurer needs its own dedicated web service aside from
+ giving the security team insight into who is using it and how often.
+ At my company there is no other way for developers to get AWS
+ credentials so there's no need for metrics like that.
+
+* Key Conjurer leaves out the identity provider backend so you can
+ plug in whatever your team uses. CredSummoner has built-in Okta
+ support, but there is no generic interface for plugging in a
+ different identity provider. Patches certainly welcome to address
+ this!
+
+## Check it out
+
+Install Ruby however you'd like (`apt install ruby` or whatever), then
+run:
+
+```
+gem install credsummoner
+```
+
+See the
+[README](https://github.com/vhl/credsummoner/blob/master/README.md)
+for setup and usage instructions.
+
+I hope someone out there finds CredSummoner useful!
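Review bot: the front matter at the top of the hunk (lines +1 through +5) closes with `---` but never opens with one, so if the site generator expects YAML-style front matter it will read `title:` through `summary:` as body text rather than metadata; worth confirming the generator accepts a bare leading metadata block before this lands. A few text fixes while you are in here: `infrastrucure` in the second bullet under "Differences with Key Conjurer" should be `infrastructure`, `just client-only tool` in the same bullet wants an article (`just a client-only tool`), `So you setup an identity provider` should be `set up`, `for awhile` should be `for a while`, and `Patches certainly welcome to address this!` reads better as `Patches are certainly welcome`. Consider also saying in the "Check it out" section how long the STS credentials the tool emits are valid and where the CLI writes them, since that is the first question a reader evaluating a temporary-credential tool will ask and the post currently points only at the README.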