public-ssh-keys

command module

v0.0.0-...-8321af7 Latest Latest Go to latest Published: Jan 25, 2024 License: MIT Imports: 8 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/hamstah/awstools

Links

Open Source Insights

README ¶

iam-public-ssh-keys

usage: iam-public-ssh-keys [<flags>]

Return public SSH keys for an IAM user.

Flags:
      --help                 Show context-sensitive help (also try --help-long and --help-man).
  -u, --username=USERNAME    Username to fetch the keys for, otherwise default to the logged in user.
      --key-encoding=SSH     Encoding of the key to return (SSH or PEM)
      --allowed-group=ALLOWED-GROUP ...
                             Fetch the keys only if the user is in this group. You can use --allowed-group multiple times.
      --assume-role-arn=ASSUME-ROLE-ARN
                             Role to assume
      --assume-role-external-id=ASSUME-ROLE-EXTERNAL-ID
                             External ID of the role to assume
      --assume-role-session-name=ASSUME-ROLE-SESSION-NAME
                             Role session name
      --region=REGION        AWS Region
      --mfa-serial-number=MFA-SERIAL-NUMBER
                             MFA Serial Number
      --mfa-token-code=MFA-TOKEN-CODE
                             MFA Token Code
      --session-duration=1h  Session Duration
  -v, --version              Display the version
      --log-level=warn       Log level
      --log-format=text      Log format

IAM policy

You can use the arn:aws:iam::aws:policy/IAMReadOnlyAccess managed policy or use the custom one below

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetSSHPublicKey",
                "iam:ListSSHPublicKeys",
                "iam:ListGroupsForUser"
            ],
            "Resource": "*"
        }
    ]
}

examples

Use IAM SSH keys to connect to instances

Make sure the binary is in PATH or make the path in the script below absolute
Create a script /usr/local/bin/ssh-authorized-keys.sh

#!/usr/bin/env sh
iam-public-ssh-keys --username $1

Make it executable

chmod +x /usr/local/bin/ssh-authorized-keys.sh

Edit your sshd configuration (usually /etc/sshd/sshd_config) and add the lines. You can change the user, don't run it as root.

AuthorizedKeysCommand /usr/local/bin/ssh-authorized-keys.sh
AuthorizedKeysCommandUser ec2-user

Note: the user needs to already exist on the system.

You can use the other options in the script

If the instance profile does not have the policy to access the SSH keys directly, just use --assume-role-arn. You probably need this when accessible users in a different AWS account.
Restrict SSH access on the instance to users of a specific IAM group, add --allowed-group, here are some ideas to avoid hardcoding the group name so you can reuse the script
- Have a SSH_ALLOWED_GROUP environment varible set in the userdata or AMI
- Get the allowed group value from the instance tags

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL