Key Conjurer is a project designed to get rid of permanent AWS credentials. This was important to us as it brought down two related risks; compromise of permanent credentials and compromise of a users machines. Luckily, AWS provides their Security Token Service which allows users/services to generate temporary and just-in-time credentials. However, STS just handles the AWS side of the equation and we needed the process of generating tokens to be linked with both our identity provider and MFA. And for that we now have Key Conjurer.
Key Conjurer is made of three parts:
Key Conjurer currently supports the following identity providers and mfa services:
- Identity Providers:
- onelogin
- MFA:
- duo
Key Conjurer now supports the ability to provide temporary crendentials different cloud providers as well as being deployed on different platforms.
Currently supported credential providers are:
- AWS STS
Current platforms supported for deployment are:
- AWS
- Certificates - Make sure a certificate in ACM is requested with the desired hostname (the arn will be needed later)
aws acm request-certificate --domain-name <api domain> --validation-method EMAIL --region us-east-1
aws acm request-certificate --domain-name <frontend domain> --validation-method EMAIL --region us-east-1
- Make an S3 Bucket:
aws s3api create-bucket --bucket <terraform state bucket> --region us-west-2 --create-bucket-configuration LocationConstraint=us-west-2
- A VPC w/ Subnets to access service
- Setup a
KMS
key
- go 1.12.4+
- npm 6.4.1+
- node 10.10.0+
- tfswitch
Create prod.env
based on example.env
.
Variable | Purpose |
---|---|
EncryptedSettings | A KMS encrypted json blob with settings (See below for more info) |
AWSRegion | Used for KMS Region. Typically the same region KeyConjuer is in |
The encrypted settings are a JSON blob with the following keys.
{
"awsKmsKeyId": "abc...",
"oneLoginReadUserId": "def...",
"oneLoginReadUserSecret": "ghi...",
"oneLoginSamlId": "jkl...",
"oneLoginSamlSecret": "lmn...",
"oneLoginShard": "opq...",
"oneLoginSubdomain": "rst..."
}
Variable | Purpose |
---|---|
awsKmsKeyId | The KMS key to encrypt information with |
oneLoginReadUserId | OneLogin key with read user permissions |
oneLoginReadUserSecret | Secret key for oneLoginReadUserId |
oneLoginSamlId | OneLogin key with SAML permissions |
oneLoginSamlSecret | Secret key for oneLoginSamlId |
oneLoginShard | OneLogin shard to talk with |
oneLoginSubdomain | OneLogin subdomain |
They are encrypted so users with access to the lambdas cannot see the secrets
These steps assume you created prod.env
as instructed above.
source prod.env
make build deploy
When Deploying to AWS Ensure the IAM role provisioned by terraform
has access to use the KMS
key created above
source prod.env
make deploy
frontend
serves the CLI tool. This means the binaries created in cli
need to be uploaded to the same bucket that's used to serve the frontend.
All pieces of Key Conjurer have been made extensible where possible and use configuration values to select the right plugin.
Adding any new supported authenticator, MFA provider, or cloud provider should be as easy as developing a struct that implemented the given interfaces and ensureing that the interface constructer understands how to initializer and return the new struct.
This section aims to provide details on non-obvious decisions that may impact how one develops and deploys their own plugin.
KeyConjurer works by sending credentials from the CLI to the server. The server authenticates these credentials, locates all the accounts available for the user, and then returns all of this information, in addition to returning an encrypted version of the credentials for storage by the client.
This is done so that the credentials may be stored on file on the user's machine and later accessed without having to worry about file permissions (as some platforms have better permission support than others).
Encryption was previously tied to the Provider
interface listed above, but it is now decoupled. You may add an encryption provider by adhering to the CryptoProvider interface and then using that provider when creating your lambda handler. This will require modification of the codebase for now, and is not configurable via environment variable or compiler switch.
We'll happily accept a pull request making the use of encryption providers a choice at runtime.