aws-tpm-process-credential

command module

v0.0.4 Latest Latest Go to latest Published: Nov 3, 2023 License: Apache-2.0 Imports: 13 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/salrashid123/aws-tpm-process-credential

Links

Open Source Insights

README ¶

AWS Process Credentials for Trusted Platform Module (TPM)

AWS Process Credential source where the AWS_SECRET_ACCESS_KEY is embedded into a Trusted Platform Module (TPM).

Use the binary as a way to use aws cli and any sdk library where after setup, you don't actually need to know the source AWS_SECRET_ACCESS_KEY.

To use this, you need to save the AWS_SECRET_ACCESS_KEY into the TPM:

Directly load AWS_SECRET_ACCESS_KEY

With this, you "load" the AWS_SECRET_ACCESS_KEY into a TPM's persistentHandle such that it can only be used on that TPM along.
Securely Transfer AWS_SECRET_ACCESS_KEY from one hose to another

This flow is not shown in this repo but is describe in: Duplicate an externally loaded HMAC key

This repo shows how to do 1

If you're curious how all this works, see

AWS Credentials for Hardware Security Modules and TPM based AWS_SECRET_ACCESS_KEY

Setup

On a system which has the TPM, install go, then run the following which seals the key to persistentHandle

$ export AWS_ACCESS_KEY_ID=AKIAUH3H6EGK-redacted
$ export AWS_SECRET_ACCESS_KEY=--redacted--

$ git clone https://github.com/salrashid123/aws_hmac.git
$ cd aws_hmac/example/tpm
$ go run main.go  \
   --awsRegion=us-east-1 -accessKeyID $AWS_ACCESS_KEY_ID \
   -secretAccessKey $AWS_SECRET_ACCESS_KEY --persistentHandle=0x81008003

While this repo uses persistentHandle, its easy enough to use TPM encrypted files as shown here: hmac import to files

Configure AWS Process Credential Profiles

To test the process credential API and persistent handle, first download aws-tpm-process-credential from the Releases section or build it on your own

This repo will assume a role "arn:aws:iam::291738886548:user/svcacct1" has access to AssumeRole on arn:aws:iam::291738886548:role/gcpsts and both the user and role has access to an s3 bucket

images/role_trust.png

Edit ~/.aws/config and set the process credential parameters

[profile sessiontoken]
credential_process = /path/to/aws-tpm-process-credential  --aws-region=us-east-1 --aws-session-name=mysession --assumeRole=false --persistentHandle=0x81008003 --aws-access-key-id=AKIAUH3H6EGK-redacted  --duration=3600

[profile assumerole]
credential_process = /path/to/aws-tpm-process-credential  --aws-arn="arn:aws:iam::291738886548:role/gcpsts" --aws-region=us-east-1 --aws-session-name=mysession --assumeRole=true --persistentHandle=0x81008003 --aws-access-key-id=AKIAUH3H6EGK-redacted  --duration=3600

Verify AssumeRole

To verify AssumeRole first just run aws-tpm-process-credential directly

$ sudo /path/to/aws-tpm-process-credential \
   --aws-arn="arn:aws:iam::291738886548:role/gcpsts" --aws-region=us-east-1 --aws-session-name=mysession --assumeRole=true --persistentHandle=0x81008003 --aws-access-key-id=$AWS_ACCESS_KEY_ID  --duration=3600 

{
  "Version": 1,
  "AccessKeyId": "ASIAUH3H6EGKIA6WLCJG",
  "SecretAccessKey": "h7anawgBS5xNPlUcJ2P7x9YED5iltredacted",
  "SessionToken": "FwoGZXIvYXdzEKz//////////wEaDK+OR7VuQewac2+redacted",
  "Expiration": "2023-10-29T19:33:27+0000"
}

if that works, verify the aws cli

$ aws sts get-caller-identity  --profile assumerole
{
    "UserId": "AROAUH3H6EGKHZUSB4BC5:mysession",
    "Account": "291738886548",
    "Arn": "arn:aws:sts::291738886548:assumed-role/gcpsts/mysession"
}

# then finally s3
$  aws s3 ls mineral-minutia --region us-east-2 --profile sessiontoken
2020-08-10 02:52:08        411 README.md
2020-11-03 00:16:00          3 foo.txt

Verify SessionToken

To verify the session token, first just run aws-tpm-process-credential directly

$  sudo /path/to/aws-tpm-process-credential \
    --aws-region=us-east-1 --aws-session-name=mysession --assumeRole=false --persistentHandle=0x81008003 --aws-access-key-id=$AWS_ACCESS_KEY_ID  --duration=3600

{
  "Version": 1,
  "AccessKeyId": "ASIAUH3H6EGKFOX7G5XU",
  "SecretAccessKey": "lwfjGGh41y/3RI0HUlYJFCK5LWxredacted",
  "SessionToken": "FwoGZXIvYXdzEKv//////////wEaDOrG0ZqGoVCnU89juyKBredacted",
  "Expiration": "2023-10-29T18:59:58+0000"
}

if that works, verify the aws cli

$ aws sts get-caller-identity  --profile sessiontoken
{
    "UserId": "AIDAUH3H6EGKDO36JYJH3",
    "Account": "291738886548",
    "Arn": "arn:aws:iam::291738886548:user/svcacct1"
}

# then finally s3
$ aws s3 ls mineral-minutia --region us-east-2 --profile sessiontoken
2020-08-10 02:52:08        411 README.md
2020-11-03 00:16:00          3 foo.txt

References

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL