Introducing CredSummoner: A Lightweight Tool for Generating Temporary AWS Credentials

July 03, 2019

Last week I attended a talk called "Account Automation and Temporary AWS Credential Service" presented by two security engineers at Riot Games during the AWS re:Inforce conference in Boston. During this talk they released a neat tool called Key Conjurer under the Apache 2.0 license.

Key Conjurer handles temporary AWS credential generation by integrating with an organization's chosen central identity provider. It wasn't long into their presentation that I realized that I had created almost the exact same tool last year. There are some big implementation differences so I thought that it would be a good idea to share my solution as well. The company I work for is not nearly as big as Riot, so perhaps my solution will be better for small teams. But for the uninitiated, let's start by explaining the problem that Key Conjurer and my own tool solve.

The case for temporary credentials

Managing "permanent" AWS credentials for a development team is difficult. Establishing a good credential rotation rhythm (especially when you have a lot of keys) is a chore and it's all too easy for a developer to accidentally leak the keys with a git push or similar. There are people that regularly scan public GitHub repos looking for leaked AWS credentials.

The credential management problem only gets worse in a multi-account environment. Each developer needs different credentials for each AWS account in which they have an IAM user account. You might get by like this for a while, like I did, but eventually you have to do something about it, so you reach for a central identity provider with SAML support. My team chose Okta, but there are others to choose from.

So you set up an identity provider and it seems great. Now all the developers with AWS access are in one place and they can easily access the AWS web console for any account, but there's a problem: they still need IAM users in each account in order to have usable credentials for the AWS CLI and/or SDK.

At this point I began to understand what I really wanted: A command line tool that could authenticate with the identity provider (Okta), authenticate with AWS via SAML, then finally output a temporary set of AWS credentials generated by the Security Token Service (STS). I couldn't find any existing solution (and I guess neither could Riot's security team) so I wrote my own. The tool was just a standalone script that lived alongside other internal scripts in a Git repository, but the Riot folks inspired me to make it a standalone project. I hereby introduce CredSummoner!
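To make the SAML-to-STS step concrete, here is an added Ruby example (not CredSummoner's own code) that decodes a constructed SAMLResponse of the kind Okta posts back after login, extracts the role/SAML-provider ARN pairs AWS expects in the Role attribute, and builds the parameters for the STS AssumeRoleWithSAML call that yields the temporary credentials. The account IDs, role names and provider name are made-up sample values; the network call itself is left out so the script runs offline.

```ruby
require "base64"
require "rexml/document"

# Constructed sample SAMLResponse (not from the original post). In practice the
# identity provider (Okta here) posts it back after login; AWS reads the Role
# attribute to learn which role / SAML-provider pairs the user may assume.
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SAML_NS = { "saml2" => "urn:oasis:names:tc:SAML:2.0:assertion" }
SAMPLE_SAML_XML = <<~XML
  <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml2:AttributeStatement>
        <saml2:Attribute Name="#{ROLE_ATTR}">
          <saml2:AttributeValue>arn:aws:iam::111111111111:role/Developer,arn:aws:iam::111111111111:saml-provider/Okta</saml2:AttributeValue>
          <saml2:AttributeValue>arn:aws:iam::222222222222:saml-provider/Okta,arn:aws:iam::222222222222:role/ReadOnly</saml2:AttributeValue>
        </saml2:Attribute>
      </saml2:AttributeStatement>
    </saml2:Assertion>
  </saml2p:Response>
XML
SAMPLE_SAML_RESPONSE = Base64.strict_encode64(SAMPLE_SAML_XML)

# Decode the SAMLResponse and return every role the assertion offers as a
# { role_arn:, principal_arn: } hash. AWS accepts the two ARNs in either order
# inside the comma-separated value, so classify them by ARN type, not position.
def saml_roles(saml_response_b64)
  doc = REXML::Document.new(Base64.decode64(saml_response_b64))
  xpath = "//saml2:Attribute[@Name='#{ROLE_ATTR}']/saml2:AttributeValue"
  REXML::XPath.match(doc, xpath, SAML_NS).map do |node|
    parts = node.text.to_s.split(",").map(&:strip)
    role = parts.find { |p| p.include?(":role/") }
    principal = parts.find { |p| p.include?(":saml-provider/") }
    raise ArgumentError, "malformed Role value: #{node.text}" if parts.size != 2 || !role || !principal
    { role_arn: role, principal_arn: principal }
  end
end

# Build the STS AssumeRoleWithSAML request for one chosen role. The network call
# itself (Aws::STS::Client#assume_role_with_saml in the aws-sdk gem) is omitted
# so this runs offline; it is what returns the temporary AccessKeyId /
# SecretAccessKey / SessionToken that a tool like CredSummoner hands to the CLI.
def assume_role_params(saml_response_b64, role_arn, duration_seconds: 3600)
  pair = saml_roles(saml_response_b64).find { |r| r[:role_arn] == role_arn }
  raise ArgumentError, "role #{role_arn} not offered by the assertion" unless pair
  { role_arn: pair[:role_arn], principal_arn: pair[:principal_arn],
    saml_assertion: saml_response_b64, duration_seconds: duration_seconds }
end
```

Refusing a role that the assertion does not list is the check that keeps the tool from asking STS for anything the identity provider never granted.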

Differences with Key Conjurer

There are some significant differences between CredSummoner and Key Conjurer.

Check it out

Install Ruby however you'd like (apt install ruby or whatever), then run:

gem install credsummoner

See the README for setup and usage instructions.

I hope someone out there finds CredSummoner useful!