So it turns out it is possible. I highly recommend anybody not using it yet to
look into it. Not doing this is the equivalent of having non-password
protected ssh keys floating around... It is actually worse because people are
semi-conscious that ssh private keys need to be secret, and ssh itself tries
to enforce that, while my experience is that people are happy to email, copy,
backup AWS key pairs.
I also have a pull request in for ansible to support this.
Here's the relevant thread on the AWS forum:
https://forums.aws.amazon.com/message.jspa?messageID=525069
A "short" version is:
- you need an initial AWS key pair (please, please set one per user, don't
give out the master key pair).
- you need to add a condition on every policy you give to your users/groups, a
condition that makes it mandatory to use a Multi Factor Auth device (MFA), and
makes it expire, something like:
"NumericLessThan":{"aws:MultiFactorAuthAge":"1800"}
- before anyone can do any work, they need to request a temporary key pair and
token with their MFA device. You can obtain a set without using the MFA, but
if your policy is set properly it will not work. You can obtain temporary
creds via the AWS cli or their api:
aws sts get-session-token --serial-number arn:aws:iam::11223344:mfa/y...@example.com --token-code 123456
- all new requests to ec2 need to be made with these temporary creds.
There are two confusing parts:
token:
- "token" when used as the argument to aws sts get-session-token is the code
provided by your MFA device (e.g. google authenticator)
- that same command gives you a SessionToken which is what amazon calls the
"security token"
variables/names:
the creds you get back have to be exported with different names... so
SecretAccessKey has to be exported as AWS_SECRET_ACCESS_KEY
AccessKeyId has to be exported as AWS_ACCESS_KEY_ID
SessionToken has to be exported as AWS_SECURITY_TOKEN
--
Yves.
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
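An added example, not from the post or from any AWS tooling, that shows the two pieces above working together: a policy statement carrying the aws:MultiFactorAuthAge condition, a small evaluator that applies IAM's rule for that condition (no MFA key in the request context means no match, hence implicit deny; an age at or above the limit also fails), and the renaming of the get-session-token reply fields onto the environment variable names. The policy document, the sample reply and its placeholder credential values are constructed for the example.

```python
import json

# Constructed policy fragment with the Condition the post recommends on every
# user/group policy: 1800 s = 30 minutes since the MFA code was entered.
MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ec2:*",
        "Resource": "*",
        "Condition": {"NumericLessThan": {"aws:MultiFactorAuthAge": "1800"}},
    }],
}

def mfa_condition_allows(statement, request_context):
    """Evaluate the NumericLessThan / aws:MultiFactorAuthAge condition as IAM
    does: an absent key (no MFA used) makes it false, so the Allow statement
    does not match and the request ends in the implicit deny."""
    cond = statement.get("Condition", {}).get("NumericLessThan", {})
    for key, limit in cond.items():
        if key not in request_context:
            return False
        if not float(request_context[key]) < float(limit):
            return False
    return True

def session_env_vars(get_session_token_json):
    """Map an `aws sts get-session-token` reply onto the variable names the CLI
    reads; newer SDKs read AWS_SESSION_TOKEN, so it is set as well."""
    creds = json.loads(get_session_token_json)["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SECURITY_TOKEN": creds["SessionToken"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }

# Constructed sample reply with placeholder values, not real credentials.
SAMPLE_REPLY = json.dumps({"Credentials": {
    "AccessKeyId": "ASIAPLACEHOLDER", "SecretAccessKey": "secretPLACEHOLDER",
    "SessionToken": "tokenPLACEHOLDER", "Expiration": "2014-01-01T00:00:00Z"}})

if __name__ == "__main__":
    stmt = MFA_POLICY["Statement"][0]
    print(mfa_condition_allows(stmt, {}))                                 # False
    print(mfa_condition_allows(stmt, {"aws:MultiFactorAuthAge": "600"}))  # True
    print(mfa_condition_allows(stmt, {"aws:MultiFactorAuthAge": "3600"})) # False
    for name, value in session_env_vars(SAMPLE_REPLY).items():
        print(f"export {name}={value}")
```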