iann0036 / iamlive

Generate an IAM policy from AWS, Azure, or Google Cloud (GCP) calls using client-side monitoring (CSM) or embedded proxy
MIT License

Certificate generation #63

Open khan-a1 opened 1 year ago

khan-a1 commented 1 year ago

Hi @iann0036, awesome tool to begin with, and thanks for sharing it with the community. One thing I noticed is that when I run iamlive locally it generates the key pair in my home directory and works fine. But when I run it in a CI/CD pipeline in a container, it does not generate the certificates by default. I tried looking for them under the root home directory (the container runs under the root user) and can't find them. Not sure why the behaviour is different. Would appreciate any pointers!

I have a workaround where I download the keys on the fly, but would like to avoid downloading them if possible. Thanks

iann0036 commented 1 year ago

Hey @khan-a1,

The tool will attempt to place the certificates in the home directory of the user which runs it, unless the --ca-key and --ca-bundle arguments are passed in, in which case it will generate or use the existing files from that location.

It will also attempt to create directories leading up to that location if they don't exist.

CI/CD agents may have permission issues writing to or creating directories leading to the specific location. You may want to try using the --ca-key and --ca-bundle arguments to specify a location where you're confident the agent has write permissions. It's also possible that as the root user, it's interpreting / as the root directory instead of /root/ - try checking to see if it's created /.iamlive/ instead.
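As an added example (not part of this thread or the iamlive project), the checks a CI job could run before and after launching iamlive, following the advice above: resolve the --ca-key/--ca-bundle locations to absolute paths, refuse to guess when HOME is unset or "/" (the case where the tool would end up writing under /.iamlive/), prove the directory is writable before the background process starts, and wait for the bundle to exist before AWS_CA_BUNDLE is pointed at it. The ca.pem/ca.key file names in the usage comment are assumptions.

```shell
#!/bin/sh
# Pre-flight for running iamlive in a CI container (added example, not iamlive's code).

# Resolve the directory that will hold the CA key and bundle.
# An explicit argument wins; otherwise fall back to $HOME/.iamlive.
# Fails when HOME is unset or "/" and no explicit directory was given,
# instead of silently letting files land under /.iamlive/.
iamlive_ca_dir() {
    if [ -n "$1" ]; then
        dir=$1
    elif [ -n "$HOME" ] && [ "$HOME" != "/" ]; then
        dir="$HOME/.iamlive"
    else
        echo "HOME is unset or '/'; pass an explicit CA directory" >&2
        return 1
    fi
    # Make the path absolute so iamlive (started from one directory) and the
    # AWS CLI (possibly run from another) agree on where the bundle lives.
    case $dir in
        /*) ;;
        *) dir="$(pwd)/$dir" ;;
    esac
    mkdir -p "$dir" || return 1
    # Prove writability now; a --background process cannot report it later.
    probe="$dir/.write-probe.$$"
    : > "$probe" || { echo "cannot write to $dir" >&2; return 1; }
    rm -f "$probe"
    printf '%s\n' "$dir"
}

# Block until the CA bundle exists and is non-empty, so AWS_CA_BUNDLE is never
# exported pointing at a file that was not generated. Returns 1 on timeout.
wait_for_ca_bundle() {
    bundle=$1; timeout=${2:-10}
    while [ "$timeout" -gt 0 ]; do
        [ -s "$bundle" ] && return 0
        sleep 1; timeout=$((timeout - 1))
    done
    echo "CA bundle $bundle was not created" >&2
    return 1
}

# Usage in a pipeline step (assumed file names ca.pem / ca.key; not run here):
#   CA_DIR=$(iamlive_ca_dir /tmp/iamlive-ca) &&
#   iamlive --mode proxy --output-file policy.json \
#     --ca-bundle "$CA_DIR/ca.pem" --ca-key "$CA_DIR/ca.key" \
#     --bind-addr 0.0.0.0:10080 --background &&
#   wait_for_ca_bundle "$CA_DIR/ca.pem" && export AWS_CA_BUNDLE="$CA_DIR/ca.pem"
```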

khan-a1 commented 1 year ago

Thanks @iann0036, I tried using --ca-bundle and --ca-key but it does not create the files. I confirmed I am logged in as root and can create files and folders within the current folder and the root home directory. With that context, when I run this command: iamlive_pid=$(iamlive --mode proxy --output-file policy.json --ca-bundle ca1.pem --ca-key ca1.key --bind-addr "0.0.0.0:10080" --background) I don't get any error and can see the PID:

echo $iamlive_pid
60

and these commands create the dummy directory and file:

$ mkdir dummydir
$ touch dummy.txt

But when I run the ls command I don't see the ca1.pem or ca1.key files generated, neither in the local directory nor in the root home directory or the bin directory where iamlive is running from. When I export AWS_CA_BUNDLE=ca1.pem and try to run AWS CLI commands, it complains about not being able to find ca1.pem.