Last week I attended a talk called "Account Automation and Temporary AWS Credential Service" presented by two security engineers at Riot Games during the AWS re:Inforce conference in Boston. During this talk they released a neat tool called Key Conjurer under the Apache 2.0 license.
Key Conjurer handles temporary AWS credential generation by integrating with an organization's chosen central identity provider. It wasn't long into their presentation that I realized that I had created almost the exact same tool last year. There are some big implementation differences so I thought that it would be a good idea to share my solution as well. The company I work for is not nearly as big as Riot, so perhaps my solution will be better for small teams. But for the uninitiated, let's start by explaining the problem that Key Conjurer and my own tool solve.
The case for temporary credentials
Managing "permanent" AWS credentials for a development team is difficult. Establishing a good credential rotation rhythm (especially when you have a lot of keys) is a chore, and it's all too easy for a developer to accidentally leak the keys with a git push or similar.
There are people who regularly scan public GitHub repos looking for leaked AWS credentials.
The credential management problem only gets worse in a multi-account environment. Each developer needs different credentials for each AWS account in which they have an IAM user. You might get by like this for a while, like I did, but eventually you have to do something about it, so you reach for a central identity provider with SAML support. My team chose Okta, but there are others to choose from.
So you set up an identity provider and it seems great. Now all the developers with AWS access are managed in one place and they can easily access the AWS web console for any account, but there's a problem: they still need IAM users in each account in order to have usable credentials for the AWS CLI and/or SDK.
At this point I began to understand what I really wanted: a command line tool that could authenticate with the identity provider (Okta), authenticate with AWS via SAML, and finally output a temporary set of AWS credentials generated by the Security Token Service (STS) in exchange for the SAML assertion (the AssumeRoleWithSAML call). I couldn't find any existing solution (and I guess neither could Riot's security team) so I wrote my own. The tool was just a standalone script that lived alongside other internal scripts in a Git repository, but the Riot folks inspired me to make it a standalone project. I hereby introduce CredSummoner!
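As an added illustration of that flow (example code written for this page, not CredSummoner's or Key Conjurer's own source), the Ruby below takes the SAMLResponse that an IdP such as Okta posts back after login, extracts the AWS role/provider ARN pairs and the requested session duration from the assertion, builds the equivalent `aws sts assume-role-with-saml` invocation, and renders the credentials STS returns as a named AWS CLI profile. The SAML document is a constructed, unsigned sample; the constant and function names are assumptions of this example; and the STS call is only assembled, not executed, so the block runs offline.

```ruby
require "base64"
require "rexml/document"

# Attribute names AWS reads from a SAML assertion (the constants are this
# example's, the attribute names themselves are the ones AWS documents).
AWS_ROLE_ATTR     = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"

# Constructed, unsigned sample of what an IdP posts back as SAMLResponse.
# A real one is signed; STS, not the client, verifies that signature.
SAMPLE_SAML_XML = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Assertion>
      <saml:AttributeStatement>
        <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
          <saml:AttributeValue>arn:aws:iam::111111111111:role/Developer,arn:aws:iam::111111111111:saml-provider/Okta</saml:AttributeValue>
          <saml:AttributeValue>arn:aws:iam::222222222222:saml-provider/Okta,arn:aws:iam::222222222222:role/ReadOnly</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
          <saml:AttributeValue>1800</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>
  </samlp:Response>
XML
SAMPLE_SAML_RESPONSE = Base64.strict_encode64(SAMPLE_SAML_XML)

# Collect every <Attribute Name=...> in the assertion as name => [values].
# Matching on local names keeps this independent of the IdP's prefix choice.
def saml_attributes(saml_response_b64)
  doc = REXML::Document.new(Base64.decode64(saml_response_b64))
  attrs = Hash.new { |h, k| h[k] = [] }
  doc.each_recursive do |el|
    next unless el.name == "Attribute" && el.attributes["Name"]
    el.each_element do |v|
      attrs[el.attributes["Name"]] << v.text.to_s.strip if v.name == "AttributeValue"
    end
  end
  attrs
end

# Each Role value is "role ARN,provider ARN"; IdPs disagree on the order,
# so identify the provider by its ":saml-provider/" segment instead.
def aws_roles(saml_response_b64)
  saml_attributes(saml_response_b64)[AWS_ROLE_ATTR].map do |value|
    parts = value.split(",").map(&:strip)
    providers, roles = parts.partition { |arn| arn.include?(":saml-provider/") }
    unless parts.size == 2 && providers.size == 1 && roles.size == 1
      raise ArgumentError, "malformed AWS Role attribute: #{value.inspect}"
    end
    { role_arn: roles.first, principal_arn: providers.first }
  end
end

# SessionDuration is optional; STS still caps it at the role's MaxSessionDuration.
def requested_duration(saml_response_b64, default: 3600)
  value = saml_attributes(saml_response_b64)[AWS_DURATION_ATTR].first
  value ? Integer(value) : default
end

# argv for the equivalent AWS CLI call. AssumeRoleWithSAML needs no AWS
# credentials of its own: the signed assertion is the credential.
def assume_role_argv(role, saml_response_b64, duration_seconds)
  ["aws", "sts", "assume-role-with-saml",
   "--role-arn", role[:role_arn],
   "--principal-arn", role[:principal_arn],
   "--saml-assertion", saml_response_b64,
   "--duration-seconds", duration_seconds.to_s]
end

# Render STS credentials as a named profile for ~/.aws/credentials.
# All three parts are required; without the session token the key pair is useless.
def credentials_profile(profile, creds)
  %i[access_key_id secret_access_key session_token].each do |k|
    raise ArgumentError, "missing #{k}" if creds[k].to_s.empty?
  end
  <<~INI
    [#{profile}]
    aws_access_key_id = #{creds[:access_key_id]}
    aws_secret_access_key = #{creds[:secret_access_key]}
    aws_session_token = #{creds[:session_token]}
  INI
end

if $PROGRAM_NAME == __FILE__
  aws_roles(SAMPLE_SAML_RESPONSE).each_with_index do |r, i|
    puts "[#{i}] #{r[:role_arn]} (via #{r[:principal_arn]})"
  end
  puts "requested duration: #{requested_duration(SAMPLE_SAML_RESPONSE)}s"
end
```

Two practical notes. The assertion is a bearer token until it expires, so a real tool should pass it to STS through the SDK (aws-sdk-core's `assume_role_with_saml`) rather than on a command line, where it would show up in the process list and shell history; the argv form above is only there so the example stays offline. And the `SessionDuration` attribute is a request, not a guarantee: STS rejects values above the role's configured maximum, so the tool should surface that error rather than silently fall back.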
Differences with Key Conjurer
There are some significant differences between CredSummoner and Key Conjurer.
CredSummoner is written in Ruby. Key Conjurer's CLI is written in Go. Their CLI is quite a bit more user friendly, whereas mine is decent but feels more like the quick hack it was. I'd like to improve this in the future.
Key Conjurer is a web service with a backend API service, a web UI frontend, and some Terraform files to automate the creation of all the infrastructure. CredSummoner is just a client-only tool (though of course it uses Okta's and Amazon's servers to do stuff) and thus much easier to get started with, IMO. It's not entirely clear to me why Key Conjurer needs its own dedicated web service aside from giving the security team insight into who is using it and how often. At my company there is no other way for developers to get AWS credentials so there's no need for metrics like that.
Key Conjurer leaves out the identity provider backend so you can plug in whatever your team uses. CredSummoner has built-in Okta support, but there is no generic interface for plugging in a different identity provider. Patches certainly welcome to address this!
Check it out
Install Ruby however you'd like (apt install ruby or whatever), then run:
gem install credsummoner
See the README for setup and usage instructions.
I hope someone out there finds CredSummoner useful!