PremiereGlobal / stim

Speeding up development with glue that brings tools together
MIT License

adds --filter-prompts option to aws login command #73

Closed hyperbolist closed 3 years ago

hyperbolist commented 3 years ago

Problem

stim aws login presents an unfiltered list of AWS accounts and roles to the user whether their vault token has access to them or not.

Solution

stim aws login now takes an optional --filter-prompts which, when true, causes stim to ask vault for the capabilities of the user's vault token to filter AWS accounts, and then again to filter the roles for the selected account.

Performance Impact

In my testing, presenting unfiltered AWS accounts takes 300ms, where presenting filtered AWS accounts takes 600ms. Presenting unfiltered roles takes 250ms where presenting filtered roles takes 500ms.

This is not surprising since we are adding 1 more call to vault to filter secrets paths for both AWS accounts and roles.

Implementation Details

Vault gains a Filter method which takes a list of secrets paths and returns a subset of that list of secrets paths for which the user's token has at least one of {"list", "read"} (configurable).

Vault gains a CapabilitiesSelf method which takes a list of secrets paths and returns the user's token's capabilities for each of those paths.

stim aws login gains a --filter-prompts option (default: false) which, when true, uses Vault.Filter on the AWS mounts and roles. The aws.filter-prompts config file option may be set to true to gain the same behavior.

Vault HTTP API

The vault Golang client's CapabilitiesSelf is presently incompatible with the vault HTTP API's /sys/capabilities-self response, which returns a map, so we're using NewRequest/RawRequestWithContext to communicate with the HTTP API directly.

Context:

Verifying Behavior

  1. Create a vault token with limited AWS account access
  2. Put that token in ~/.vault-token
  3. go run main.go aws login --filter-prompts
  4. Observe limited AWS accounts and roles lists

In my setup on vault 1.5.7, I had to create an orphan token in order to "remove" the vault-admin policy from my resultant tokens. A policy with list capability on sys/mounts is necessary as well, which in my setup was provided by a global-default policy.

So something like vault token create -policy="global-default" -policy="specific-aws-policy" -orphan="true" -ttl="30m" may be necessary for you to generate tokens with limited AWS access.
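The filtering approach the PR describes, as an added example in Go that is not stim's or hyperbolist's code: a CapabilitiesSelf call that POSTs a list of paths to /v1/sys/capabilities-self with plain net/http (the PR's reason for bypassing the client library's typed wrapper), and a Filter that keeps only the paths for which the token holds at least one allowed capability. The Vault server is replaced by a constructed httptest mock that mirrors the real response shape (per-path capability arrays nested under "data", "deny" for paths the token cannot touch); the token string, mount names and grants are constructed values.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// CapabilitiesSelf POSTs {"paths": [...]} to /v1/sys/capabilities-self and
// returns a path -> capabilities map. Vault nests one array per path under
// "data", next to a legacy aggregate "capabilities" key that is skipped here.
func CapabilitiesSelf(addr, token string, paths []string) (map[string][]string, error) {
	body, err := json.Marshal(map[string][]string{"paths": paths})
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequest(http.MethodPost, addr+"/v1/sys/capabilities-self", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("capabilities-self: unexpected status %d", resp.StatusCode)
	}
	var out struct {
		Data map[string]json.RawMessage `json:"data"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return nil, err
	}
	caps := make(map[string][]string, len(paths))
	for key, raw := range out.Data {
		if key == "capabilities" {
			continue
		}
		var list []string
		if err := json.Unmarshal(raw, &list); err != nil {
			continue // not a per-path capability list
		}
		caps[key] = list
	}
	return caps, nil
}

// Filter returns the subset of paths (input order preserved) on which the token
// has at least one capability from allowed. "root" always qualifies; a path that
// only reports "deny", or is missing from the response, is dropped.
func Filter(addr, token string, paths, allowed []string) ([]string, error) {
	caps, err := CapabilitiesSelf(addr, token, paths)
	if err != nil {
		return nil, err
	}
	want := make(map[string]bool, len(allowed))
	for _, a := range allowed {
		want[a] = true
	}
	var kept []string
	for _, p := range paths {
		for _, c := range caps[p] {
			if want[c] || c == "root" {
				kept = append(kept, p)
				break
			}
		}
	}
	return kept, nil
}

// newMockVault is a constructed stand-in for Vault: grants maps a path to the
// capabilities the one accepted token has on it; every other path is "deny".
func newMockVault(token string, grants map[string][]string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/v1/sys/capabilities-self" || r.Header.Get("X-Vault-Token") != token {
			http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
			return
		}
		var in struct {
			Paths []string `json:"paths"`
		}
		if err := json.NewDecoder(r.Body).Decode(&in); err != nil {
			http.Error(w, `{"errors":["bad request"]}`, http.StatusBadRequest)
			return
		}
		data := map[string][]string{}
		for _, p := range in.Paths {
			if c, ok := grants[p]; ok {
				data[p] = c
			} else {
				data[p] = []string{"deny"}
			}
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string]interface{}{"data": data})
	}))
}

// Demo filters a constructed list of AWS mounts against the mock and returns
// the ones the token may actually use.
func Demo() ([]string, error) {
	const token = "s.constructed-example-token" // constructed, not a real token
	srv := newMockVault(token, map[string][]string{
		"aws-dev/":     {"list", "read"},
		"aws-prod/":    {"deny"},
		"aws-sandbox/": {"list"},
	})
	defer srv.Close()
	mounts := []string{"aws-dev/", "aws-prod/", "aws-sandbox/", "aws-legacy/"}
	return Filter(srv.URL, token, mounts, []string{"list", "read"})
}

func main() {
	kept, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("mounts the token may use:", kept)
}
```

Of the four constructed mounts, only aws-dev/ and aws-sandbox/ survive: aws-prod/ is explicitly denied and aws-legacy/ is absent from the grants, so the mock reports "deny" for it. The same Filter applies to the second round the PR describes (roles under the selected account), which is why a single round trip with all candidate paths in one request is the cost being measured in the Performance Impact section.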