Use Case
We have resources in an AWS account that are only accessible with AWS credentials, and we need to grant access to an external entity that does not have an AWS account.
A common practice is to authenticate against an IAM Role and retrieve temporary credentials from it: define the IAM policies, attach them to the designated IAM Role, and let the entity call sts:AssumeRole on that role to obtain dynamic, short-lived STS credentials (see the AWS reference).
Doing this from inside AWS is effortless, because an AWS-hosted workload already has an identity (an instance profile or execution role) that the target role can trust. It is not as straightforward for external, non-AWS entities, which have no AWS credentials to sign the AssumeRole call with.
Solution and Summary
- We can set up AWS API Gateway + AWS Lambda to receive HTTP requests from whitelisted entities.
- The Lambda calls sts:AssumeRole on the designated IAM Role and returns the result to the caller. For this to work, the role the Lambda runs under (its execution role, called the instance_profile here) must be added to the Trusted Entities in the Trust Relationship of that IAM Role. The entity receives temporary credentials which by default are valid for 3600 seconds (the STS AssumeRole default; a shorter duration can be requested, and the role's maximum session duration caps it).
The solution above is implemented by the terraform-aws-lambda-sts Terraform module.
Currently terraform-aws-lambda-sts only supports whitelisting by the caller's public IP, with an externalID as an additional authentication parameter. Since the external ID is sent in the request body, it acts as a shared secret: send it only to the HTTPS invoke URL, keep it out of logs, and do not rely on the source-IP match alone, because NAT and shared egress addresses make IP allow-lists coarse.
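As an added example (not code from the terraform-aws-lambda-sts module), the following Lambda handler implements the checks described above: it accepts only requests whose API Gateway source IP falls in a whitelist, compares the presented external_id in constant time, clamps token_duration to what STS accepts, assumes the requested role and returns the credentials in the same Version 1 shape as the sample response further down. The environment variable names ALLOWED_CIDRS and EXTERNAL_ID, the injectable sts argument, and the FakeSTS fixture and sample event are assumptions made for this example so that it runs offline.

```python
# Added example, not the terraform-aws-lambda-sts module's own code. Assumed (not
# from the page): whitelist in env var ALLOWED_CIDRS (comma-separated CIDRs), the
# expected external ID in env var EXTERNAL_ID, and an injectable STS client.
import datetime
import hmac
import ipaddress
import json
import os

# STS AssumeRole accepts 900 s at minimum; the ceiling is the role's
# MaxSessionDuration, which defaults to 3600 s (the default the page mentions).
MIN_DURATION = 900
DEFAULT_MAX_DURATION = 3600

def _forbidden():
    # One opaque answer for every failed check, so a caller cannot tell whether
    # the IP whitelist, the external ID or the role's trust policy rejected it.
    return {"statusCode": 403, "body": json.dumps({"message": "Forbidden"})}

def source_ip_allowed(source_ip, allowed_cidrs):
    """True if the caller IP reported by API Gateway lies in a whitelisted CIDR."""
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(c, strict=False) for c in allowed_cidrs)

def external_id_matches(presented, expected):
    """Constant-time compare: here external_id doubles as a shared secret."""
    if not isinstance(presented, str) or not expected:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())

def clamp_duration(requested, max_duration=DEFAULT_MAX_DURATION):
    """Coerce token_duration into the range STS will accept for the role."""
    try:
        seconds = int(requested)
    except (TypeError, ValueError):
        seconds = max_duration
    return max(MIN_DURATION, min(seconds, max_duration))

def to_credential_process(assumed):
    """Reshape the STS reply into the Version 1 credential_process document."""
    c = assumed["Credentials"]
    exp = c["Expiration"]
    if isinstance(exp, datetime.datetime):  # boto3 returns a datetime object
        exp = exp.strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Version": 1, "AccessKeyId": c["AccessKeyId"],
            "SecretAccessKey": c["SecretAccessKey"],
            "SessionToken": c["SessionToken"], "Expiration": exp}

def handler(event, context=None, sts=None, env=os.environ):
    allowed = [c.strip() for c in env.get("ALLOWED_CIDRS", "").split(",") if c.strip()]
    # REST API proxy-integration events carry the caller's public IP here.
    source_ip = event.get("requestContext", {}).get("identity", {}).get("sourceIp", "")
    if not source_ip_allowed(source_ip, allowed):
        return _forbidden()
    try:
        body = json.loads(event.get("body") or "{}")
    except json.JSONDecodeError:
        return {"statusCode": 400, "body": json.dumps({"message": "Malformed JSON"})}
    if not isinstance(body, dict):
        body = {}
    if not external_id_matches(body.get("external_id"), env.get("EXTERNAL_ID", "")):
        return _forbidden()
    role_arn = body.get("assumed_role_arn", "")
    if not (isinstance(role_arn, str) and role_arn.startswith("arn:aws:iam::")):
        return _forbidden()
    if sts is None:
        import boto3  # real runtime only; role_arn must trust the Lambda's execution role
        sts = boto3.client("sts")
    try:
        assumed = sts.assume_role(
            RoleArn=role_arn,
            RoleSessionName="external-" + source_ip.replace(".", "-").replace(":", "-"),
            DurationSeconds=clamp_duration(body.get("token_duration")),
            ExternalId=body["external_id"],  # lets the trust policy enforce it too
        )
    except Exception:  # AccessDenied, untrusted Lambda role, duration above role max
        return _forbidden()
    return {"statusCode": 200, "body": json.dumps(to_credential_process(assumed))}

# Constructed fixtures (not real AWS data) so the example runs offline.
SAMPLE_EXTERNAL_ID = "12312312391231893knjsdkakbsdnaksdjbak1231213"
SAMPLE_ENV = {"ALLOWED_CIDRS": "203.0.113.0/24", "EXTERNAL_ID": SAMPLE_EXTERNAL_ID}
SAMPLE_EVENT = {"requestContext": {"identity": {"sourceIp": "203.0.113.7"}},
                "body": json.dumps({"assumed_role_arn": "arn:aws:iam::1234567890:role/SampleRole",
                                    "token_duration": 1800, "external_id": SAMPLE_EXTERNAL_ID})}

class FakeSTS:
    """Stand-in for boto3's STS client; returns constructed credentials."""
    def assume_role(self, **kwargs):
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "example-secret",
                                "SessionToken": "example-session-token",
                                "Expiration": datetime.datetime(2019, 12, 8, 16, 18, 3,
                                                                tzinfo=datetime.timezone.utc)}}

def demo():
    """Run the handler against the constructed event; returns the parsed body."""
    return json.loads(handler(SAMPLE_EVENT, sts=FakeSTS(), env=SAMPLE_ENV)["body"])

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Every rejection path returns the same 403 so the endpoint does not act as an oracle for which control failed; only malformed JSON gets a distinct 400, which reveals nothing about the whitelist or secret.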
Sample Request and Response for testing
Request:
curl -X POST \
  https://<INVOKE URL of API Gateway> \
  -H 'Content-Type: application/json' \
  -d '{
    "assumed_role_arn": "arn:aws:iam::1234567890:role/SampleRole",
    "token_duration": 1800,
    "external_id": "12312312391231893knjsdkakbsdnaksdjbak1231213"
  }'
Response:
{
"Version": 1,
"AccessKeyId": "ASIA22OD7FLXHZ5ZFRXI",
"SecretAccessKey": "A7XSXJzgyoUb9u8R/kWB+kg3b1duGE/kBd58S2ft",
"SessionToken": "FwoGZXIvYXdzEHEaDFSm4muCfVBnkIEJ3yK3AZxaNCsP8Fs3r3a66SumCZXH2/jd3jrw7FuPdBPxto25WSlKFs14+T+Vim/hxPxeJFTtvDvyrP7OMJCUySLiiSsiVXmWneov/hoxQMm9xYzRxECwdpe3+LMV7y3CZ8om4HsbXvOnPJUwxV//r49fvaiu+3tMu09DQkKyMOn+OJLVmKTK0NpL5ytSAsD7MmqhdPDX9rKJoylumsRtyFFJBqxfuTXXjeyJDiIM3ngEo5E8FE0LvPuZPiirqLTvBTIta/EymgxiGTnJptCPD8ro7X1BaMntWVBb+dZtazXuyYzFY1MyMeY7Ix9XS8wC",
"Expiration": "2019-12-08T16:18:03Z"
}
The request above can also be issued with the accompanying tool, which provides more robust usage and detailed information for audit purposes.
The response is in the AWS CLI credential_process output format (Version 1 with AccessKeyId, SecretAccessKey, SessionToken and Expiration), so an external process such as a credential_process entry in ~/.aws/config can retrieve credentials through it directly.
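The following is an added example of such an external process, not the page's own tool: a credential_process helper that performs the POST shown above, validates that the reply is a Version 1 credential document that has not already expired, and prints it for the AWS CLI. The argv/STS_EXTERNAL_ID conventions, the example.invalid URL, the constructed reply and the injectable post transport are assumptions made here so that it runs offline.

```python
# Added example, not the page's own tool: an AWS CLI credential_process helper.
# Assumed (not from the page): invoke URL and role ARN arrive as argv, the
# external ID via the STS_EXTERNAL_ID env var, and the transport is injectable.
import datetime
import json
import os
import sys
import urllib.request

REQUIRED = ("Version", "AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")

def post_json(url, payload, timeout=10):
    """Real transport: POST a JSON body and return (status, response_text)."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode()

def fetch_credentials(url, role_arn, external_id, duration=3600, post=post_json, now=None):
    """Request credentials and validate the reply before handing it to the CLI."""
    status, text = post(url, {"assumed_role_arn": role_arn,
                              "token_duration": duration, "external_id": external_id})
    if status != 200:
        raise RuntimeError(f"gateway returned HTTP {status}")  # do not echo the body
    creds = json.loads(text)
    if any(k not in creds for k in REQUIRED) or creds["Version"] != 1:
        raise RuntimeError("reply is not a Version 1 credential_process document")
    expires = datetime.datetime.strptime(creds["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    expires = expires.replace(tzinfo=datetime.timezone.utc)
    if expires <= (now or datetime.datetime.now(datetime.timezone.utc)):
        raise RuntimeError("credentials already expired on arrival")
    return creds

# Constructed reply mirroring the sample response above (its real values are long expired).
SAMPLE_REPLY = json.dumps({"Version": 1, "AccessKeyId": "ASIA22OD7FLXHZ5ZFRXI",
                           "SecretAccessKey": "example", "SessionToken": "example",
                           "Expiration": "2019-12-08T16:18:03Z"})

def demo():
    """Offline run against the constructed reply, with the clock inside its validity."""
    clock = datetime.datetime(2019, 12, 8, 16, 0, 0, tzinfo=datetime.timezone.utc)
    return fetch_credentials("https://example.invalid", "arn:aws:iam::1234567890:role/SampleRole",
                             "external-id", post=lambda u, p: (200, SAMPLE_REPLY), now=clock)

if __name__ == "__main__":
    # ~/.aws/config (assumed layout):
    #   [profile external]
    #   credential_process = python3 /path/to/sts_credential_process.py https://<INVOKE URL> arn:aws:iam::1234567890:role/SampleRole
    # Export STS_EXTERNAL_ID in the calling shell so the secret stays out of the config file.
    url, role_arn = sys.argv[1], sys.argv[2]
    json.dump(fetch_credentials(url, role_arn, os.environ["STS_EXTERNAL_ID"]), sys.stdout)
```

The AWS CLI reads the JSON from the helper's stdout, so the script must print nothing else; errors go to the exception traceback on stderr and a non-zero exit, which the CLI reports as a credential failure.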
You can find detailed setup information by following the README.
Feel free to contribute and raise issues by following the guidelines in each repository.