search

ministryofjustice / modernisation-platform

A place for the core work of the Modernisation Platform • This repository is defined and managed in Terraform
https://user-guide.modernisation-platform.service.justice.gov.uk
MIT License
680 stars 289 forks source link

SSO profiles don't seem to be working #2185

Closed gfou-al closed 2 years ago

gfou-al commented 2 years ago

The issue with the bastion host key change warning (https://github.com/ministryofjustice/modernisation-platform/issues/1307) has been resolved with this PR https://github.com/ministryofjustice/modernisation-platform/pull/2181.

However, I was not able to use an SSO profile to connect to the bastion as documented here: https://user-guide.modernisation-platform.service.justice.gov.uk/user-guide/accessing-ec2s.html#accessing-ec2s

~/.aws/config

[profile glados-test-developer]
sso_start_url = https://moj.awsapps.com/start
sso_region = eu-west-2
sso_account_id = 123456789
sso_role_name = modernisation-platform-developer
region = eu-west-2
output = json

~/.ssh/config

Host glados-test-bastion
     StrictHostKeyChecking no
     UserKnownHostsFile /dev/null
     LogLevel QUIET
     IdentityFile ~/.ssh/id_rsa
     User jane
     ProxyCommand sh -c "aws ssm start-session --target $(aws ec2 describe-instances --no-cli-pager --filters "Name=tag:Name,Values=bastion_linux" --query 'Reservations[0].Instances[0].InstanceId' --profile glados-test-developer) --document-name AWS-StartSSHSession --parameters 'portNumber=%p' --profile glados-test-developer --region eu-west-2"

To reproduce the issue, follow these steps:

aws sso login --profile glados-test-developer
ssh glados-test-bastion

Or, to narrow it down a bit further, follow the steps:

aws sso login --profile sprinkler-development-sso
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.eu-west-2.amazonaws.com/

Then enter the code:

DLDN-BGJM
Successfully logged into Start URL: https://moj.awsapps.com/start

aws ec2 describe-instances --no-cli-pager --profile sprinkler-development-sso
An error occurred (ForbiddenException) when calling the GetRoleCredentials operation: No access

Instead, I used an IAM profile in ~/.aws/config, for example:

[profile sprinkler-development]
source_profile=mod-root
role_arn=arn:aws:iam::348456244381:role/ModernisationPlatformAccess
mfa_serial=arn:aws:iam::946070829339:mfa/george.fountopoulos-superadmin
role_session_name=george.fountopoulos-superadmin
region=eu-west-2

And used the above profile for the ProxyCommand inside the .ssh/config.

I am unsure if we should update the documentation to use an IAM profile instead of an SSO profile, but that's what made it working for me locally in order to be able to test. Another question is, how the SSO profile worked in the first place and what made it stop working. I created a PR for the ops team to revert the sso:GetRoleCredentials permission from modernisation_platform_developer policy because it did not help resolving the issue with the SSO profile: https://github.com/ministryofjustice/aws-root-account/pull/581

SteveLinden commented 2 years ago

My SSO appears to be working OK. However, I do get the same error when I try to use the aws ssm start-session command with "An error occurred (ForbiddenException) when calling the GetRoleCredentials operation: No access"

SteveLinden commented 2 years ago

We've been looking at it and regardless of which server you use when logging in it always picks one, not the one you want. So when you attempt to connect it errors because you are not connected to the server you expect. Still looking at it

dms1981 commented 2 years ago

Can you update our guidance document based on what we've found?

SteveLinden commented 2 years ago

Doing further investigation. Found I connect to core-vpc-sandbox (not sure why) as terraform and the policies against this ID are terraform AllowServiceLinkedRole which probably doesn't provide enough access to change accounts/roles etc.

gfou-al commented 2 years ago

https://github.com/ministryofjustice/modernisation-platform/pull/2303

SteveLinden commented 2 years ago

In my case I created a new key and added this to the mod platform environments and the ssh started to work.

SteveLinden commented 2 years ago

As it's now working I will move this to closed. There was an issue with the NACL change stopping keys being sent through but mine was the key no longer worked (swapped laptop since they were generated) and new ones solved this issue.