awsiamrecycler

command module

v0.0.0-...-c4860a0 Latest Latest Go to latest Published: Sep 29, 2021 License: Unlicense Imports: 11 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/furio/awsiamrecycler

Links

Open Source Insights

README ¶

AWS IAM Recycler

A toy project to study Kubernetes operator programming.

The operator is able to recycle IAM access and secret key of an user inside a secret.

This is made via operator sdk so with a make docker-build deploy you can build it and deploy to default context present in your ~/.kube/config file.

The basic mode of operation is implemented and consist of an object that needs to know a destination secret object where to edit the access/secret keys, the iam user and, the number of minutes to wait between each recycling.

The operator itself needs to run with a set of IAM credentials that are linked to a IAM permission like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteAccessKey",
                "iam:CreateAccessKey",
                "iam:ListAccessKeys"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:ResourceTag/controlled-by": "kube"
                }
            }
        }
    ]
}

The policy contains a Condition that limit the operator ability to edit IAM users that has that tag (hopefully).

Todo

Understand and write Tests for an Operator
Bundling for installation
Automation via Github Actions

Example

This is an example of the IAMRecycler object and how it works

apiVersion: v1
kind: Namespace
metadata:
  name: awstest-ns
---
apiVersion: aws.furio.me/v1alpha1
kind: IAMRecycler
metadata:
  name: iamrecycler-test-01
  namespace: awstest-ns
spec:
  secret: secret-change
  iamuser: test-change-keys
  recycle: 5
  datakeyaccesskey: AWS_ACCESS_KEY_ID
  datakeysecretkey: AWS_SECRET_ACCESS_KEY
---
apiVersion: v1
kind: Secret
metadata:
  name: secret-change
  namespace: awstest-ns
type: Opaque
data:
  AWS_ACCESS_KEY_ID: ""
  AWS_SECRET_ACCESS_KEY: ""
  AWS_DEFAULT_REGION: ZXUtd2VzdC0x

The object needs to know the secret object name, the data "keys" to edit, the iam user and, the number of minutes to wait between each recycling.

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
api
v1alpha1 Package v1alpha1 contains API Schema definitions for the aws v1alpha1 API group +kubebuilder:object:generate=true +groupName=aws.furio.me	Package v1alpha1 contains API Schema definitions for the aws v1alpha1 API group +kubebuilder:object:generate=true +groupName=aws.furio.me
controllers

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL