Cloudcreds
Secure access to your organization's AWS accounts for both programmatic and console use-case via federated identity
- ✅ Credentials are short-lived (Min: 1h, Max: 12h)
- ✅ Fine-grained RBAC (via Google Admin CustomSchemas)
- ✅ Easy deployment (via docker, kustomize and executables)
Demo 👇
Getting Started
Create an OAuth Client
Create a Google Oauth Client by following this tutorial: https://support.google.com/cloud/answer/6158849?hl=en
Make sure it's an internal app usable only by your hosted domain, i.e: Emails with domain pointing to "acme.com".
Also, generate a client credential and whitelist the following redirect URI which will be pointing to the cloudcreds server.
https://$CLOUDCREDS_SERVER_URL/callback
Create an IAM Role for Web Identity
Create an IAM role on AWS with any permissions you'd like to grant this role. Next, attach a trust policy between this role and your OAuth Client to allow it to be assumed with a Web Identity.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "accounts.google.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"accounts.google.com:aud": "<google-oauth-client-id>"
}
}
},
]
}
Attach IAM Roles to GSuite Users
Follow this tutorial to create a custom attribute for your users: https://support.google.com/a/answer/6208725?hl=en
Category has to be named as Amazon Web Service
Once that's done, attach any IAM role that has the correct trust policy attached to it:
Setup Server
If you're using docker or any container based platform you may do so like this:
docker run \
-e CLOUDCREDS_SERVER_CLIENT_ID=<google-oauth-client-id> \
-e CLOUDCREDS_SERVER_CLIENT_SECRET=<google-oauth-client-secret> \
-e CLOUDCREDS_SERVER_HOSTED_DOMAIN=acme.com \
imranismail/cloudcreds:v1 serve
If you want to test this out locally. Create a file in ~/.cloudcreds.yaml
with the following content
server:
client_id: "<google-oauth-client-id>"
client_secret: "<google-oauth-client-secret>"
hosted_domain: "acme.com"
Run cloudcreds serve
to fire up a local server
Assume A Role
Create a file in ~/.cloudcreds.yaml
with the following content:
client:
url: "http://127.0.0.1:1338"
server_url: "http://127.0.0.1:1337"
Then you can use one of the following commands to access AWS
cloudcreds login
or
cloudcreds console
Do the whole OAuth dance and once that's done you will be shown a page to select a role:
Assuming a role will either output the credentials to your CLI or redirect you to AWS Console
Full Config Reference
All values are default
# debug flag
debug: false
client:
# Local URL to host and open the temporary client-server to initiate auth with cloudcreds server
url: "http://127.0.0.1:1338"
# cloudcreds server URL
server_url: "http://127.0.0.1:1337"
server:
# public URL of the server
url: "https://cloudcreds.internal.acme.com"
# hostname to be bind
hostname: "127.0.0.1"
# port to be bind
port: 1337
# key used to encrypt cookie session
session_key: please-set-this-to-a-high-entropy-string
# oauth credentials, you can follow along this tutorial to generate them:
# https://support.google.com/cloud/answer/6158849
client_credentials: |
{}
# service account credentials, you can follow along this tutorial to generate them:
# https://developers.google.com/admin-sdk/directory/v1/guides/delegation
service_account_key: |
{}
hosted_domain: "acme.com"
Environment Variables
Any of the configs provided can be overridden using Environment Variables with the following convention:
CLOUDCREDS_SERVER_HOSTED_DOMAIN="acme.com"