1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
|
title: Introducing CredSummoner: A Lightweight Tool for Generating Temporary AWS Credentials
date: 2019-07-03 15:00:00
tags: aws, ruby, release
summary: Introducing a handy Ruby gem for generating temporary AWS credentials
---
Last week I attended a talk called "Account Automation and Temporary
AWS Credential Service" presented by two security engineers at Riot
Games during the AWS re:Inforce conference in Boston. During this
talk they released a neat tool called [Key
Conjurer](https://github.com/RiotGames/key-conjurer) under the Apache
2.0 license.
Key Conjurer handles temporary AWS credential generation by
integrating with an organization's chosen central identity
provider. It wasn't long into their presentation that I realized that
I had created almost the exact same tool last year. There are some
big implementation differences so I thought that it would be a good
idea to share my solution as well. The company I work for is not
nearly as big as Riot, so perhaps my solution will be better for small
teams. But for the uninitiated, let's start by explaining the problem
that Key Conjurer and my own tool solve.
## The case for temporary credentials
Managing "permanent" AWS credentials for a development team is
difficult. Establishing a good credential rotation rhythm (especially
when you have a lot of keys) is a chore and it's all too easy for a
developer to accidentally leak the keys with a `git push` or similar.
There are people that regularly scan public GitHub repos looking for
leaked AWS credentials.
The credential management problem only gets worse in a multi-account
environment. Each developer needs different credentials for each AWS
account in which they have an IAM user account. You might get by like
this for awhile, like I did, but eventually you have to do something
about it, so you reach for a central identity provider with SAML
support. My team chose Okta, but there are others to choose from.
So you setup an identity provider and it seems great. Now all the
developers with AWS access are in one place and they can easily access
the AWS web console for any account, but there's a problem: They still
need IAM users in each account in order to have usable credentials for
the AWS CLI and/or SDK.
At this point I began to understand what I really wanted: A command
line tool that could authenticate with the identity provider (Okta),
authenticate with AWS via SAML, then finally output a temporary set of
AWS credentials generated by the Security Token Service (STS). I
couldn't find any existing solution (and I guess neither could Riot's
security team) so I wrote my own. The tool was just a standalone
script that lived alongside other internal scripts in a Git
repository, but the Riot folks inspired me to make it a standalone
project. I hereby introduce
[CredSummoner](https://github.com/vhl/credsummoner)!
## Differences with Key Conjurer
There are some significant differences between CredSummoner and Key
Conjurer.
* CredSummoner is written in Ruby. Key Conjurer's CLI is written in
Go. Their CLI is quite a bit more user friendly, whereas mine is
decent but feels more like the quick hack it was. I'd like to
improve this in the future.
* Key Conjurer is a web service with a backend API service, a web UI
frontend, and some Terraform files to automate the creation of all
the infrastrucure. CredSummoner is just client-only tool (though of
course it uses Okta's and Amazon's servers to do stuff) and thus
much easier to get started with, IMO. It's not entirely clear to me
why Key Conjurer needs its own dedicated web service aside from
giving the security team insight into who is using it and how often.
At my company there is no other way for developers to get AWS
credentials so there's no need for metrics like that.
* Key Conjurer leaves out the identity provider backend so you can
plug in whatever your team uses. CredSummoner has built-in Okta
support, but there is no generic interface for plugging in a
different identity provider. Patches certainly welcome to address
this!
## Check it out
Install Ruby however you'd like (`apt install ruby` or whatever), then
run:
```
gem install credsummoner
```
See the
[README](https://github.com/vhl/credsummoner/blob/master/README.md)
for setup and usage instructions.
I hope someone out there finds CredSummoner useful!
|