secrets

package module v1.0.3

This package is not in the latest version of its module.
Published: Jan 12, 2023 License: Apache-2.0 Imports: 8 Imported by: 1

README

go-authcrunch-creds-aws-secrets-manager

AuthCrunch Credentials Plugin for AWS Secrets Manager Integration.

Getting Started

IAM Policy and Role

In the "IAM" section of the AWS Console, create an IAM policy named AuthCrunchSecretsManagerAccess. Replace 123456789012 with your own account number. Note that the actions which return or describe an individual secret are limited to the authcrunch* name prefix; only ListSecrets and GetRandomPassword, which are not resource-specific, are granted on "*".

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "secretsmanager:ListSecrets",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:ListSecretVersionIds"
            ],
            "Resource": "arn:aws:secretsmanager:*:123456789012:secret:authcrunch*"
        },
        {
            "Effect": "Allow",
            "Action": "secretsmanager:GetRandomPassword",
            "Resource": "*"
        }
    ]
}

Next, create an IAM role for the "EC2" AWS service and attach the AuthCrunchSecretsManagerAccess policy to it.

Then, attach the IAM role to an EC2 instance.

From the EC2 instance, run the following command to confirm that the instance credentials work and that the policy grants secretsmanager:ListSecrets.

aws secretsmanager list-secrets

The output for an account without any existing secrets follows.

{
    "SecretList": []
}
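Before attaching the policy, it is worth checking that the secret-reading actions are still scoped to the authcrunch* prefix, since a later edit that sets Resource to "*" would expose every secret in the account to the instance. The following is an added Go example, not code from the plugin or this README: it parses the policy document above, treats GetSecretValue, DescribeSecret, GetResourcePolicy, ListSecretVersionIds and any action ending in "*" as secret-reading, and reports every Allow statement that grants one of them on a resource outside arn:aws:secretsmanager:*:<account>:secret:<prefix>. ListSecrets and GetRandomPassword are deliberately not flagged because they are not resource-specific. LoosePolicy is a constructed counter-example and not from the page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement mirrors the subset of the IAM policy grammar used in the README.
// Action and Resource may each be a string or a list, so they are kept raw.
type Statement struct {
	Effect   string          `json:"Effect"`
	Action   json.RawMessage `json:"Action"`
	Resource json.RawMessage `json:"Resource"`
}

// Policy is the top-level IAM policy document.
type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// asStrings accepts either "x" or ["x","y"] and returns a slice.
func asStrings(raw json.RawMessage) ([]string, error) {
	var one string
	if err := json.Unmarshal(raw, &one); err == nil {
		return []string{one}, nil
	}
	var many []string
	if err := json.Unmarshal(raw, &many); err != nil {
		return nil, err
	}
	return many, nil
}

// secretReadActions return or enumerate material of an individual secret and
// must therefore be limited to the authcrunch* ARN prefix. Any wildcard action
// is treated as covering them too (conservative choice, my assumption).
var secretReadActions = map[string]bool{
	"secretsmanager:GetSecretValue":       true,
	"secretsmanager:DescribeSecret":       true,
	"secretsmanager:GetResourcePolicy":    true,
	"secretsmanager:ListSecretVersionIds": true,
}

func isSecretRead(action string) bool {
	return secretReadActions[action] || strings.HasSuffix(action, "*")
}

// CheckPolicy returns one finding per Allow statement that grants a secret-read
// action on a resource outside arn:aws:secretsmanager:*:<account>:secret:<prefix>.
// An empty result means the policy is scoped the way the README intends.
func CheckPolicy(doc []byte, account, prefix string) ([]string, error) {
	var p Policy
	if err := json.Unmarshal(doc, &p); err != nil {
		return nil, fmt.Errorf("policy is not valid JSON: %w", err)
	}
	want := fmt.Sprintf("arn:aws:secretsmanager:*:%s:secret:%s", account, prefix)
	var findings []string
	for i, st := range p.Statement {
		actions, err1 := asStrings(st.Action)
		resources, err2 := asStrings(st.Resource)
		if err1 != nil || err2 != nil {
			return nil, fmt.Errorf("statement %d: Action/Resource must be string or list", i)
		}
		if st.Effect != "Allow" {
			continue
		}
		for _, a := range actions {
			if !isSecretRead(a) {
				continue
			}
			for _, r := range resources {
				if !strings.HasPrefix(r, want) {
					findings = append(findings, fmt.Sprintf("statement %d: %s allowed on %q, expected prefix %q", i, a, r, want))
				}
			}
		}
	}
	return findings, nil
}

// ReadmePolicy is the policy document from the README, with the placeholder account.
const ReadmePolicy = `{"Version":"2012-10-17","Statement":[
 {"Effect":"Allow","Action":"secretsmanager:ListSecrets","Resource":"*"},
 {"Effect":"Allow","Action":["secretsmanager:GetResourcePolicy","secretsmanager:GetSecretValue",
   "secretsmanager:DescribeSecret","secretsmanager:ListSecretVersionIds"],
  "Resource":"arn:aws:secretsmanager:*:123456789012:secret:authcrunch*"},
 {"Effect":"Allow","Action":"secretsmanager:GetRandomPassword","Resource":"*"}]}`

// LoosePolicy is a constructed variant (not from the README) that grants
// GetSecretValue on every secret in the account; the check must flag it.
const LoosePolicy = `{"Version":"2012-10-17","Statement":[
 {"Effect":"Allow","Action":"secretsmanager:GetSecretValue","Resource":"*"}]}`

func main() {
	findings, _ := CheckPolicy([]byte(LoosePolicy), "123456789012", "authcrunch")
	fmt.Println(findings)
}
```

Run it against the policy you actually saved, with your own account number as the second argument; a finding on any statement other than the one scoped to the authcrunch* prefix means the role can read secrets outside the plugin's namespace.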

Password Hashing

Install bcrypt-cli for password hashing:

go install github.com/bitnami/bcrypt-cli@latest

Install pwgen for password generation:

sudo yum -y install pwgen

Generate a password:

$ pwgen -cnvB1 32
rbrH97m9bpbk3qRphHFNM9ksJfRcWdvr

Next, hash the password with cost 10:

$ echo -n "rbrH97m9bpbk3qRphHFNM9ksJfRcWdvr" | bcrypt-cli -c 10
$2a$10$iqq53VjdCwknBSBrnyLd9OH1Mfh6kqPezMMy6h6F41iLdVDkj13I6

Repeat the same steps for the api_key. Note that the echo command leaves the plaintext in your shell history; remove the entry afterwards, or run these commands in a shell with history disabled.

$ pwgen -cnvB1 32
kqvc7cgk44dtpX9nXx4NL9krH4g7fqdJ
$ echo -n "kqvc7cgk44dtpX9nXx4NL9krH4g7fqdJ" | bcrypt-cli -c 10
$2a$10$TEQ7ZG9cAdWwhQK36orCGOlokqQA55ddE0WEsl00oLZh567okdcZ6

Secrets Management

User Credentials

First, create a set of credentials for a management user, jsmith.

Next, browse to "AWS Secrets Manager", add a secret, select the secret type "Other type of secret (API key, OAuth token, other)", and enter the following key/value pairs.

  • username: jsmith
  • password: bcrypt:10:$2a$10$iqq53VjdCwknBSBrnyLd9OH1Mfh6kqPezMMy6h6F41iLdVDkj13I6
  • api_key: bcrypt:10:$2a$10$TEQ7ZG9cAdWwhQK36orCGOlokqQA55ddE0WEsl00oLZh567okdcZ6
  • email: jsmith@localhost.localdomain
  • name: John Smith

Use aws/secretsmanager for the "Encryption key".

Set the secret name to authcrunch/caddy/users/jsmith and the description to Caddy User Credentials for jsmith.

After the creation of the secret, list secrets with aws secretsmanager list-secrets again.

{
    "SecretList": [
        {
            "Name": "authcrunch/caddy/users/jsmith",
            "Tags": [],
            "LastChangedDate": 1673135119.189,
            "SecretVersionsToStages": {
                "278a2e61-f3e3-4280-a444-333d7186d5ce": [
                    "AWSCURRENT"
                ]
            },
            "CreatedDate": 1673135119.15,
            "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:authcrunch/caddy/users/jsmith-tz6d06",
            "Description": "Caddy User Credentials for jsmith"
        }
    ]
}

Next, retrieve the previously created secret:

aws secretsmanager get-secret-value --secret-id authcrunch/caddy/users/jsmith

The expected output follows:

{
    "Name": "authcrunch/caddy/users/jsmith",
    "VersionId": "278a2e61-f3e3-4280-a444-333d7186d5ce",
    "SecretString": "{\"username\":\"jsmith\",\"password\":\"bcrypt:10:$2a$10$iqq53VjdCwknBSBrnyLd9OH1Mfh6kqPezMMy6h6F41iLdVDkj13I6\",\"api_key\":\"bcrypt:10:$2a$10$TEQ7ZG9cAdWwhQK36orCGOlokqQA55ddE0WEsl00oLZh567okdcZ6\"}",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": 1673135119.183,
    "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:authcrunch/caddy/users/jsmith-tz6d06"
}

Access Token Secret

Next, follow the same procedure as with jsmith to create the shared key used for JWT token signing and verification.

Browse to "AWS Secrets Manager", add a secret, select the secret type "Other type of secret (API key, OAuth token, other)", and enter the following key/value pairs.

  • id: 0
  • usage: sign-verify
  • value: b006d65b-c923-46a1-8da1-7d52558508fe

Use aws/secretsmanager for the "Encryption key".

Set the secret name to authcrunch/caddy/access_token and the description to Caddy Access Token Secret. The value shown above is only an example; generate your own random value (for instance with pwgen, as above) rather than reusing it.
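Both the user credentials secret and the access token secret end up as a JSON object in SecretString, which the package's Client.GetSecret returns as a map[string]interface{}. The following is an added Go example, not the plugin's own code, that ties together the Password Hashing, User Credentials and Access Token Secret sections: it parses a SecretString and checks the contract described above, namely that password and api_key are bcrypt:<cost>:<hash> values whose prefix cost matches the cost embedded in the hash (so a bare hash, a plaintext password or a mis-pasted prefix is rejected), and that the access token secret carries id, usage and value. UserSecretString is the SecretString shown above for jsmith; AccessTokenSecretString and the plaintext counter-example are constructed here, and the cost floor of 10 is my assumption, taken from the cost used above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
)

// bcryptField matches the "bcrypt:<cost>:<hash>" value form used above for the
// password and api_key keys. The hash is standard modular-crypt bcrypt output:
// "$2a$<cost>$" followed by 53 characters of salt and digest.
var bcryptField = regexp.MustCompile(`^bcrypt:(\d+):(\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53})$`)

// ParseSecretString decodes the SecretString JSON from get-secret-value into the
// map shape that the package's Client.GetSecret returns.
func ParseSecretString(s string) (map[string]interface{}, error) {
	var m map[string]interface{}
	if err := json.Unmarshal([]byte(s), &m); err != nil {
		return nil, fmt.Errorf("SecretString is not a JSON object: %w", err)
	}
	return m, nil
}

// stringKey returns m[k] if it is a non-empty string (the console stores every
// key/value pair entered in the form as a string, including "id").
func stringKey(m map[string]interface{}, k string) (string, error) {
	v, ok := m[k]
	if !ok {
		return "", fmt.Errorf("missing key %q", k)
	}
	s, ok := v.(string)
	if !ok || s == "" {
		return "", fmt.Errorf("key %q must be a non-empty string", k)
	}
	return s, nil
}

// CheckBcryptField verifies that v is "bcrypt:<cost>:<hash>", that the prefix cost
// equals the cost embedded in the hash, and that the cost is at least 10 (assumed
// floor, matching the cost used above). Plaintext or bare hashes are rejected.
func CheckBcryptField(v string) error {
	m := bcryptField.FindStringSubmatch(v)
	if m == nil {
		return fmt.Errorf("value is not in bcrypt:<cost>:<hash> form")
	}
	prefixCost, _ := strconv.Atoi(m[1])
	hashCost, _ := strconv.Atoi(m[3])
	if prefixCost != hashCost {
		return fmt.Errorf("prefix cost %d does not match hash cost %d", prefixCost, hashCost)
	}
	if hashCost < 10 {
		return fmt.Errorf("bcrypt cost %d is below 10", hashCost)
	}
	return nil
}

// ValidateUserSecret checks a user credentials secret such as
// authcrunch/caddy/users/jsmith: username present, password and api_key hashed.
func ValidateUserSecret(secretString string) error {
	m, err := ParseSecretString(secretString)
	if err != nil {
		return err
	}
	if _, err := stringKey(m, "username"); err != nil {
		return err
	}
	for _, k := range []string{"password", "api_key"} {
		v, err := stringKey(m, k)
		if err != nil {
			return err
		}
		if err := CheckBcryptField(v); err != nil {
			return fmt.Errorf("%s: %w", k, err)
		}
	}
	return nil
}

// ValidateAccessTokenSecret checks the JWT signing-key secret
// authcrunch/caddy/access_token for the id, usage and value keys.
func ValidateAccessTokenSecret(secretString string) error {
	m, err := ParseSecretString(secretString)
	if err != nil {
		return err
	}
	for _, k := range []string{"id", "usage", "value"} {
		if _, err := stringKey(m, k); err != nil {
			return err
		}
	}
	return nil
}

// UserSecretString is the SecretString shown above for jsmith.
const UserSecretString = `{"username":"jsmith","password":"bcrypt:10:$2a$10$iqq53VjdCwknBSBrnyLd9OH1Mfh6kqPezMMy6h6F41iLdVDkj13I6","api_key":"bcrypt:10:$2a$10$TEQ7ZG9cAdWwhQK36orCGOlokqQA55ddE0WEsl00oLZh567okdcZ6"}`

// AccessTokenSecretString is constructed here in the shape the console produces
// from the id/usage/value pairs above; it is not output copied from AWS.
const AccessTokenSecretString = `{"id":"0","usage":"sign-verify","value":"b006d65b-c923-46a1-8da1-7d52558508fe"}`

func main() {
	fmt.Println("user secret:", ValidateUserSecret(UserSecretString))
	fmt.Println("access token secret:", ValidateAccessTokenSecret(AccessTokenSecretString))
	fmt.Println("plaintext:", ValidateUserSecret(`{"username":"jsmith","password":"hunter2","api_key":"x"}`))
}
```

Feeding the SecretString field from `aws secretsmanager get-secret-value --secret-id authcrunch/caddy/users/jsmith` into ValidateUserSecret gives a quick smoke test that the secret was entered correctly before the plugin is pointed at it.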

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Client

type Client interface {
	GetSecret(context.Context, string) (map[string]interface{}, error)
	GetSecretByKey(context.Context, string, string) (interface{}, error)
	SetMockClient(aws.HTTPClient)
	SetMockCredentialsProvider(aws.CredentialsProvider)
	GetConfig(context.Context) map[string]interface{}
}

Client provides interface to query AWS Secrets Manager service.

func NewClient

func NewClient(ctx context.Context, id string, region string) (Client, error)

NewClient returns an instance of Client.

type MockCredentialsProvider

type MockCredentialsProvider struct{}

MockCredentialsProvider mocks AWS credentials provider.

func (MockCredentialsProvider) Retrieve

Retrieve returns mock AWS credentials.
