curityio / aws-token-publisher

A demo token publisher for the split token approach with AWS DynamoDB.
https://curity.io/resources/learn/aws-token-publisher/
Apache License 2.0

Extend the AWS-token-publisher with assume role #1

Closed DanielGeshdo closed 4 years ago

DanielGeshdo commented 4 years ago

Can you extend this plugin with assume role? The AWS service is called AWS Security Token Service.

Then you have the RoleArn as input parameter. If you do this, we don't need to create any system user for this with an access_key, which we need to rotate.

If you need more detailed information about this, don't hesitate to contact me.

Kind regards, Daniel

iggbom commented 4 years ago

It is now possible to add a role ARN in the configuration. This will be used in order to try to assume role with the provided credentials. The credentials can also come from the system if a profile is configured but could also be configured directly just as before.

DanielGeshdo commented 4 years ago

Hi Jonas,

I am happy to hear from you. Sorry for my late reply, we have been at a conference.

The DynamoDB TTL should work fine, let's try it out.

The assume role, here I am split. If you run a service with AWS you can assume any service as long as you have a role for it. We are not doing this since we run in an EKS cluster. My hope is this works as an EC2. When an EC2 needs access to a service within AWS you attach a role to the EC2 with appropriate authorizations. My hope is we can do the same with the EKS cluster.

This means you don't need any authorization in your code, just call DynamoDB; in the EKS cluster I have a role that gives write permission to DynamoDB.

Can we try this out?

Kind regards, Daniel Larsson

iggbom commented 4 years ago

Hi Daniel,

Thanks for your reply and feedback.

The ability to use DynamoDB TTL is already implemented. If you pull the git repo you should get the new code: git pull && mvn clean && mvn package

The procedure I described for AssumeRole is also implemented, so you get that with the updated code as well. I will look into the scenario you describe. Could be that it already works, but I have to test it out.

Thanks

Jonas Iggbom


DanielGeshdo commented 4 years ago

Hi Jonas,

That sounds good. Can it assume a service role for DynamoDB, so that there is no need for credentials anymore?

Kind regards, Daniel Larsson

iggbom commented 4 years ago

Hi,

The scenario you described is now implemented (PR) and works for EC2 instances. I have not tested on EKS. This article suggests it does not work on EKS.

The final step in the default provider chain is available only when running your application on an Amazon EC2 instance. However, it provides the greatest ease of use and best security when working with Amazon EC2 instances.

When assigning an IAM role to the EC2 instance that has permissions to DynamoDB you don't have to configure Key, Secret, Role or Profile. Just set the Use Ec2 Instance Profile option to enabled in the configuration.
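An added example, not the project's own code, showing the credential options discussed in this thread side by side: the role ARN option (STS AssumeRole on top of configured or profile credentials) and the EC2 instance profile option from this comment, plus a DynamoDB write that carries a TTL attribute. It is written against the AWS SDK for Java v2, which is an assumption; the Config record, the table name "split-tokens" and the attribute names are hypothetical.

```java
import java.util.Map;
import software.amazon.awssdk.auth.credentials.*;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.dynamodb.DynamoDbClient;
import software.amazon.awssdk.services.dynamodb.model.AttributeValue;
import software.amazon.awssdk.services.dynamodb.model.PutItemRequest;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;

public class TokenPublisherCredentials {
    // Hypothetical config record mirroring the options named in the thread.
    public record Config(boolean useEc2InstanceProfile, String profile,
                         String accessKey, String secretKey, String roleArn) {}

    static AwsCredentialsProvider resolve(Config cfg, Region region) {
        // Instance profile: no key, secret, role or profile to configure; the role
        // attached to the EC2 instance supplies short-lived, auto-rotated credentials.
        if (cfg.useEc2InstanceProfile()) {
            return InstanceProfileCredentialsProvider.create();
        }
        // Base credentials: a named profile from the system, else static key/secret.
        AwsCredentialsProvider base = cfg.profile() != null
                ? ProfileCredentialsProvider.create(cfg.profile())
                : StaticCredentialsProvider.create(
                        AwsBasicCredentials.create(cfg.accessKey(), cfg.secretKey()));
        if (cfg.roleArn() == null) {
            return base;
        }
        // Role ARN set: the base credentials are used only to call STS AssumeRole;
        // DynamoDB calls then run under the short-lived role session.
        StsClient sts = StsClient.builder().region(region).credentialsProvider(base).build();
        return StsAssumeRoleCredentialsProvider.builder()
                .stsClient(sts)
                .refreshRequest(AssumeRoleRequest.builder()
                        .roleArn(cfg.roleArn())
                        .roleSessionName("aws-token-publisher") // shows up in CloudTrail
                        .build())
                .build();
    }

    // Write a token record with a TTL attribute (epoch seconds) so DynamoDB purges
    // it after the token expires. Table and attribute names are assumptions.
    static void publish(DynamoDbClient db, String key, String value, long expiresAt) {
        db.putItem(PutItemRequest.builder().tableName("split-tokens").item(Map.of(
                "token_hash", AttributeValue.builder().s(key).build(),
                "token", AttributeValue.builder().s(value).build(),
                "ttl", AttributeValue.builder().n(Long.toString(expiresAt)).build())).build());
    }
}
```

The TTL attribute only causes deletion if time to live is enabled on the table for that attribute name; otherwise it is stored as ordinary data and expired records stay in the table.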

DanielGeshdo commented 4 years ago

Hi Jonas!

I hope all is well with you.

I have now installed the new version of the aws-token-publisher plugin. It works excellently.

I have TTL turned on for the database; everything looks good there, but I will check that it also clears tokens from the table.

I am using the EC2 option for my EKS cluster. The first time around I forgot to add DynamoDB access for the EKS cluster, and then split token worked for end users but no tokens arrived in the table.

I added DynamoDB access to the cluster and tested again, and now the token information arrives in the table. It works really well and we avoid having keys and users. Many thanks for the help.

Best regards, Daniel Larsson

Closed #1 (https://github.com/curityio/aws-token-publisher/issues/1) via #4 (https://github.com/curityio/aws-token-publisher/pull/4).