Problem
stim aws login presents an unfiltered list of AWS accounts and roles to the user whether their vault token has access to them or not.
Solution
stim aws login now takes an optional --filter-prompts flag which, when true, causes stim to ask vault for the capabilities of the user's vault token, first to filter the AWS accounts and then again to filter the roles for the selected account.
Performance Impact
In my testing, presenting unfiltered AWS accounts takes 300ms, whereas presenting filtered AWS accounts takes 600ms. Presenting unfiltered roles takes 250ms, whereas presenting filtered roles takes 500ms.
This is not surprising, since we are adding one more call to vault (the capabilities lookup on the secrets paths) for both AWS accounts and roles.
Implementation Details
Vault gains a Filter method which takes a list of secrets paths and returns the subset of those paths for which the user's token has at least one of {"list", "read"} (configurable).
Vault gains a CapabilitiesSelf method which takes a list of secrets paths and returns the user's token's capabilities for each of those paths.
stim aws login gains a --filter-prompts option (default: false) which, when true, uses Vault.Filter on the AWS mounts and roles. The aws.filter-prompts config file option may be set to true to get the same behavior.
Vault HTTP API
The vault Golang client's CapabilitiesSelf is presently incompatible with the response of the vault HTTP API's /sys/capabilities-self endpoint, which returns a map, so we use NewRequest/RawRequestWithContext to call the HTTP API directly.
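As an added illustration of the Filter and CapabilitiesSelf methods described under Implementation Details and of the direct /sys/capabilities-self call described above (example code, not stim's own Vault type and not the vault Go client): the block below posts the candidate paths to /v1/sys/capabilities-self with plain net/http, decodes the per-path capability map, and keeps only the paths holding one of the wanted capabilities. A path missing from the response, or answered with "deny", is dropped, so a mount the token cannot see is never shown. The fake server, the token value and the mount names are constructed for the example; the request and response shapes assume the documented Vault API (a "paths" body, a "data" map in the reply).

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// capabilitiesSelfRequest is the body /sys/capabilities-self accepts (assumed shape).
type capabilitiesSelfRequest struct {
	Paths []string `json:"paths"`
}

// CapabilitiesSelf returns the calling token's capabilities for each path, talking
// to the HTTP API directly rather than through the Go client's CapabilitiesSelf helper.
func CapabilitiesSelf(ctx context.Context, addr, token string, paths []string) (map[string][]string, error) {
	body, err := json.Marshal(capabilitiesSelfRequest{Paths: paths})
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, addr+"/v1/sys/capabilities-self", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("vault returned %s", resp.Status)
	}
	// The reply is a map keyed by path; on current Vault versions it lives under
	// "data" and is mirrored at the top level, so decode generically and prefer "data".
	var raw map[string]json.RawMessage
	if err := json.NewDecoder(resp.Body).Decode(&raw); err != nil {
		return nil, err
	}
	if data, ok := raw["data"]; ok {
		var caps map[string][]string
		return caps, json.Unmarshal(data, &caps)
	}
	caps := make(map[string][]string, len(paths))
	for _, p := range paths {
		if v, ok := raw[p]; ok {
			var c []string
			if err := json.Unmarshal(v, &c); err != nil {
				return nil, err
			}
			caps[p] = c
		}
	}
	return caps, nil
}

// Filter keeps, in input order, the paths on which the token holds at least one of
// the wanted capabilities. Paths absent from the reply are treated as denied.
func Filter(ctx context.Context, addr, token string, paths, wanted []string) ([]string, error) {
	caps, err := CapabilitiesSelf(ctx, addr, token, paths)
	if err != nil {
		return nil, err
	}
	want := make(map[string]bool, len(wanted))
	for _, w := range wanted {
		want[w] = true
	}
	var out []string
	for _, p := range paths {
		for _, c := range caps[p] {
			if want[c] {
				out = append(out, p)
				break
			}
		}
	}
	return out, nil
}

// NewFakeVault is a constructed stand-in for /v1/sys/capabilities-self: it answers
// from a fixed policy map, returns "deny" for unknown paths, and rejects missing tokens.
func NewFakeVault(policy map[string][]string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Vault-Token") == "" || r.URL.Path != "/v1/sys/capabilities-self" {
			http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
			return
		}
		var req capabilitiesSelfRequest
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			http.Error(w, `{"errors":["bad request"]}`, http.StatusBadRequest)
			return
		}
		data := make(map[string][]string, len(req.Paths))
		for _, p := range req.Paths {
			if c, ok := policy[p]; ok {
				data[p] = c
			} else {
				data[p] = []string{"deny"}
			}
		}
		_ = json.NewEncoder(w).Encode(map[string]interface{}{"data": data})
	}))
}

func main() {
	srv := NewFakeVault(map[string][]string{ // constructed policy
		"aws-prod/roles": {"list"}, "aws-dev/roles": {"read", "list"}, "aws-sandbox/roles": {"deny"},
	})
	defer srv.Close()
	mounts := []string{"aws-prod/roles", "aws-dev/roles", "aws-sandbox/roles", "aws-legacy/roles"}
	allowed, err := Filter(context.Background(), srv.URL, "constructed-token", mounts, []string{"list", "read"})
	if err != nil {
		panic(err)
	}
	fmt.Println(allowed) // only the prod and dev mounts survive
}
```

Pointing addr at a real Vault with VAULT_ADDR and a real token is the only change needed to run this against a live server; the extra round trip per prompt is the cost the Performance Impact section measures.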
Verifying Behavior
Create a vault token with limited AWS account access
Put that token in ~/.vault-token
go run main.go aws login --filter-prompts
Observe limited AWS accounts and roles lists
In my setup on vault 1.5.7, I had to create an orphan token in order to "remove" the vault-admin policy from my resultant tokens. A policy with list capability on sys/mounts is necessary as well, which in my setup was provided by a global-default policy.
So something like vault token create -policy="global-default" -policy="specific-aws-policy" -orphan="true" -ttl="30m" may be necessary for you to generate tokens with limited AWS access.