Setting Up Programmatic AWS Access for MFA Protected Federated Identities

Photo by Christopher Gower from Unsplash

I am currently working on improving the security of cloud operations for one of my clients and wanted to share an interesting solution I developed to help provide programmatic access to AWS from local developer environments using Federated Identities only.

Accessing AWS resources from outside a VPC usually requires some form of AWS credentials. There are two forms of access credentials: long-term and short-term keys. To create long-term credentials, you use IAM users; each member of the team gets their own IAM user, which they then use to generate these long-term credentials.

The solution that I came up with consists of multiple parts.

The following example will create a browsermob daemon on localhost port 9900 and a MITM proxy on localhost port 27960. It will also instruct your new proxy to send all incoming requests through the proxy.corp.company.com upstream proxy, effectively creating a proxy chain.

After the proxy is instantiated, you will need to instruct the browser instance to use it. If you’re using Chrome, pass the following switch when launching it:

Now, to extract a SAML assertion, we will need to do a few things. First, we will need to start recording network activity before the console sign-in event. Second, after the sign-in has completed successfully, we will need to fetch the recorded activity back from the proxy server:

At this point, you may also choose to shut down the proxy to prevent potential memory leaks. That can be done by sending a DELETE request to the daemon:
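As an added example (my code, not the article's), here is a Python version of the capture-and-extract steps above, talking to the browsermob daemon on port 9900 and the proxy on port 27960 as configured in the text; the HAR it parses is constructed inline, and the `bmp` helper, the function names and the IdP hostname are my own assumptions:

```python
import base64
import json
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote
from urllib.request import Request, urlopen

BMP, PROXY_PORT = "http://localhost:9900", 27960  # daemon and proxy ports from the article
SAML_ENDPOINT = "https://signin.aws.amazon.com/saml"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"  # Clark notation, as ElementTree expects

def bmp(method, path, params=None):
    """Tiny client for the BrowserMob Proxy REST API (daemon assumed to be running)."""
    body = "&".join(f"{k}={quote(v)}" for k, v in (params or {}).items()).encode() or None
    with urlopen(Request(BMP + path, data=body, method=method)) as resp:
        return resp.read().decode()

# Proxy calls from the text (not executed here): start recording before sign-in, fetch after it, shut down:
#   bmp("PUT", f"/proxy/{PROXY_PORT}/har", {"captureContent": "true"})
#   har = bmp("GET", f"/proxy/{PROXY_PORT}/har");  bmp("DELETE", f"/proxy/{PROXY_PORT}")
def extract_saml_response(har_json):
    """Base64 SAMLResponse the browser POSTed to the AWS SAML endpoint, or None if not recorded."""
    for entry in json.loads(har_json)["log"]["entries"]:
        req = entry["request"]
        if req["method"] == "POST" and req["url"].startswith(SAML_ENDPOINT):
            for p in req.get("postData", {}).get("params", []):
                if p["name"] == "SAMLResponse":
                    return unquote(p["value"])  # unquote, not unquote_plus: base64 contains '+'
    return None

def list_roles(saml_b64):
    """(role_arn, principal_arn) pairs the IdP placed in the assertion's Role attribute."""
    root = ET.fromstring(base64.b64decode(saml_b64))
    pairs = []
    for attr in root.iter(NS + "Attribute"):
        if attr.get("Name") == ROLE_ATTR:
            for val in attr.findall(NS + "AttributeValue"):
                a, b = (s.strip() for s in val.text.split(","))
                pairs.append((a, b) if ":role/" in a else (b, a))  # AWS allows either order
    return pairs

def sample_har():
    """Constructed HAR standing in for a real recording: an IdP page load, then the SAML POST."""
    xml = (f'<Response xmlns:saml="{NS[1:-1]}"><saml:Assertion><saml:AttributeStatement>'
           f'<saml:Attribute Name="{ROLE_ATTR}"><saml:AttributeValue>'
           'arn:aws:iam::123456789012:role/Developer,arn:aws:iam::123456789012:saml-provider/ADFS'
           '</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></Response>')
    params = [{"name": "SAMLResponse", "value": quote(base64.b64encode(xml.encode()).decode())}]
    return json.dumps({"log": {"entries": [{"request": {"method": "GET", "url": "https://adfs.example.com/"}},
        {"request": {"method": "POST", "url": SAML_ENDPOINT, "postData": {"params": params}}}]}})
```

The role list is what you pick from when the IdP maps one user to several AWS roles; the assertion itself is what the STS call in the next step consumes.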

The function call responds with STS credentials that can now be used by applications in our local environment.

To use them, first make sure that you don’t specify any AWS access keys in your OS, shell or application environment variables, including environment variables injected into your application from .env files.

Once verified, you can plug your newly obtained credentials into the ~/.aws/credentials file, either by modifying it programmatically or by using the AWS CLI:

Note: You might prefer to go a step further and assume a different role with more restrictive permissions, depending on the application you’re trying to provide programmatic access for. In that case, you will need to run another STS call using the credentials you have already obtained:

Keep in mind, though, that with this approach you will have to work through an additional challenge: figuring out how to insert credentials specifically into the applications that are going to use them, since we will no longer be able to simply edit the ~/.aws configuration with a single pair of credentials.
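An added example (mine, not the article's code) covering the steps from the STS call onward: the environment check, the SAML-to-STS exchange, writing the resulting keys into a profile of ~/.aws/credentials, and the optional second hop into a more restrictive role. boto3 is assumed installed for the two STS functions; the function names and the credential values in the test are constructed.

```python
import configparser
import io
import os
import re
from pathlib import Path

STATIC_KEY_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")

def find_static_keys(environ, dotenv_text=""):
    """AWS key variables set in the environment or a .env file; they would override ~/.aws/credentials."""
    found = [v for v in STATIC_KEY_VARS if environ.get(v)]
    for line in dotenv_text.splitlines():
        m = re.match(r"\s*(?:export\s+)?(AWS_[A-Z_]+)\s*=", line)
        if m and m.group(1) in STATIC_KEY_VARS and m.group(1) not in found:
            found.append(m.group(1))
    return found

def assume_role_with_saml(role_arn, principal_arn, saml_b64, seconds=3600):
    """Trade the SAML assertion for temporary STS keys (boto3 assumed installed; the call needs no keys)."""
    import boto3
    return boto3.client("sts").assume_role_with_saml(
        RoleArn=role_arn, PrincipalArn=principal_arn,
        SAMLAssertion=saml_b64, DurationSeconds=seconds)["Credentials"]

def render_profile(existing_text, profile, creds):
    """Credentials-file text with `profile` set to the STS keys (like `aws configure set ... --profile`)."""
    cp = configparser.ConfigParser(interpolation=None)  # no '%' interpolation surprises in secrets
    cp.read_string(existing_text)
    if not cp.has_section(profile):
        cp.add_section(profile)
    cp[profile]["aws_access_key_id"] = creds["AccessKeyId"]
    cp[profile]["aws_secret_access_key"] = creds["SecretAccessKey"]
    cp[profile]["aws_session_token"] = creds["SessionToken"]  # STS keys are useless without the token
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()

def write_profile(path, profile, creds):
    """Rewrite the credentials file at `path` (other profiles kept), creating it owner-only if missing."""
    existing = Path(path).read_text() if Path(path).exists() else ""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(render_profile(existing, profile, creds))

def assume_restricted_role(creds, role_arn, session_name="local-dev"):
    """Second STS hop from the note above: narrow permissions using the keys already obtained."""
    import boto3
    sts = boto3.client("sts", aws_access_key_id=creds["AccessKeyId"],
                       aws_secret_access_key=creds["SecretAccessKey"], aws_session_token=creds["SessionToken"])
    return sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]
```

Run `find_static_keys(os.environ, open(".env").read())` first and refuse to continue if it returns anything, otherwise the SDK will silently keep using the static keys.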

So far we have been able to grab a set of temporary credentials and use them in applications running in our local environments. However, if you’re using CodeCommit, you might also want to update your Git configuration to work over temporary STS credentials. This lets you avoid using SSH keys or HTTPS Git credentials, which are essentially just another form of the long-term credentials we’re trying to get rid of.

After that, make sure to update the origin URLs in every local Git repository pulled from CodeCommit to the HTTPS format if you have been using the SSH format. Also, make sure to do the same in the package.json files across all projects that use CodeCommit packages as NPM dependencies.
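An added example (mine, not the article's) for the package.json migration just described: it rewrites CodeCommit git dependencies from the SSH form to HTTPS and reports which ones changed, with the one-time Git configuration for the AWS CLI credential helper in a trailing comment. The CodeCommit URL formats and the helper commands are AWS's documented ones; the function names are my assumptions.

```python
import json
import re

# CodeCommit remotes look like ssh://[ssh-key-id@]git-codecommit.<region>.amazonaws.com/v1/repos/<name>
# and, for npm git dependencies, the same with a git+ prefix and an optional #ref suffix.
CODECOMMIT_SSH = re.compile(
    r"^(git\+)?ssh://(?:[\w-]+@)?(git-codecommit\.[\w-]+\.amazonaws\.com)/v1/repos/(.+)$")

def to_https(url):
    """Rewrite a CodeCommit SSH remote to its HTTPS form; anything else is returned unchanged."""
    m = CODECOMMIT_SSH.match(url)
    if not m:
        return url
    return f"{m.group(1) or ''}https://{m.group(2)}/v1/repos/{m.group(3)}"

def rewrite_package_json(text):
    """Return (new_text, changed_names) with every CodeCommit git dependency switched to HTTPS."""
    pkg = json.loads(text)
    changed = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            new = to_https(spec)
            if new != spec:
                pkg[section][name] = new
                changed.append(name)
    return json.dumps(pkg, indent=2) + "\n", changed

# With HTTPS remotes in place, Git obtains credentials from the STS profile through the AWS CLI helper.
# One-time setup (shell commands, documented by AWS; replace <region>/<name> with your own):
#   git remote set-url origin https://git-codecommit.<region>.amazonaws.com/v1/repos/<name>
#   git config --global credential.helper '!aws codecommit credential-helper $@'
#   git config --global credential.UseHttpPath true
```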

If these package.json updates break your build or deployment pipelines in the cloud, however, check out the article I wrote about using temporary credentials in CI/CD pipelines in the AWS cloud!

Depending on your use case, you might end up automating this process even further to improve the developer experience. I decided not to dive into that much detail since this article is getting pretty long at this point :), but I can absolutely imagine packaging this Selenium application along with the browsermob daemon and all of its dependencies into a Docker image, and even integrating it as a microservice into existing containerized applications.

Switching to short-term credentials improves the overall security of your team’s cloud operations. An additional benefit of using purely Federated Identities to provide AWS access is that access is revoked as soon as the ADFS credentials bound to the identity cease to exist. So if someone leaves the company, you don’t leave yourself a chance to forget to clean up your IAM user list and accidentally leave a hole in your infrastructure security!

Thank you for reading this article! If you would like to see more content like this in the future please leave a like and share this article. Till next time!
