As someone who isn't super familiar with the peculiarities of openssl
I was looking for something easier. I'm glad I found Step CLI.
My use-case was to set up a lot of instances of IAM Roles Anywhere.
Figured I would share what I did so that maybe someone else can be spared the pain.
This is by no means a perfect solution, but should be sufficient to get you started.
There are three main components to IAM Roles Anywhere:
- Trust Anchors
- Profiles
- IAM Roles
I'm not going into details here, as there's plenty of information about it on teh interwebz.
You need a Certificate Authority (Root CA) and it's also recommended to have an Intermediate CA to sign application certificates with.
To create the Root and Intermediate:
create-ca.sh
```bash
#!/bin/bash
set -euo pipefail

root_name="${1}"
intermediate_name="${2}"
environment="${3}"

root_ca="root_ca_${environment}.crt"
root_ca_key="root_ca_${environment}.key"
intermediate_ca="intermediate_ca_${environment}.crt"
intermediate_ca_key="intermediate_ca_${environment}.key"

# Private keys and password files must not be readable by other users.
umask 077

# Random passwords used to encrypt the CA private keys.
openssl rand -base64 32 > root.txt
openssl rand -base64 32 > intermediate.txt

step certificate create "${root_name}" "${root_ca}" "${root_ca_key}" \
  --kty EC \
  --curve P-384 \
  --profile root-ca \
  --not-after 8760h \
  --password-file ./root.txt

# The root key is encrypted with root.txt, so hand that password to step via
# --ca-password-file; otherwise step prompts for it and the script hangs.
step certificate create "${intermediate_name}" "${intermediate_ca}" "${intermediate_ca_key}" \
  --kty EC \
  --curve P-384 \
  --profile intermediate-ca \
  --not-after 8760h \
  --ca "./${root_ca}" \
  --ca-key "./${root_ca_key}" \
  --ca-password-file ./root.txt \
  --password-file ./intermediate.txt

# Trust-anchor bundle: intermediate first, then root.
cat "${intermediate_ca}" "${root_ca}" > "ca_${environment}.pem"
```
Make sure you store the keys very securely!
The resulting .pem file is what you store as the "Certificate bundle" in the Trust Anchor.
Then, for each application (or however you want to slice it) you create the client certificates (role certificate):
create-cert.sh
```bash
#!/bin/bash
set -euo pipefail

name="${1}"
environment="${2}"

intermediate_ca="intermediate_ca_${environment}.crt"
intermediate_ca_key="intermediate_ca_${environment}.key"
# Output file names are per environment, not per name; rename as needed.
cert_ca="role_cert_${environment}.pem"
cert_ca_key="role_cert_${environment}.key"

# Keep the unencrypted role key private to the current user.
umask 077

#openssl rand -base64 32 > cert.txt

# The intermediate key is encrypted with intermediate.txt (see create-ca.sh),
# so pass it via --ca-password-file. --no-password --insecure leaves the role
# key unencrypted so aws_signing_helper can read it; --bundle appends the
# intermediate certificate to the role certificate file.
step certificate create "${name}" "${cert_ca}" "${cert_ca_key}" \
  --kty EC \
  --curve P-384 \
  --profile leaf \
  --not-after 8760h \
  --ca "./${intermediate_ca}" \
  --ca-key "./${intermediate_ca_key}" \
  --ca-password-file ./intermediate.txt \
  --no-password \
  --insecure \
  --bundle
```
Then you can test with:
```bash
#!/bin/bash
set -euo pipefail

# aws_signing_helper is the IAM Roles Anywhere credential helper; it returns
# temporary credentials as JSON in the credential_process format.
result=$(./aws_signing_helper credential-process \
  --certificate "./role_cert_dev.pem" \
  --private-key "./role_cert_dev.key" \
  --trust-anchor-arn "<Trust Anchor ARN>" \
  --profile-arn "<Profile ARN>" \
  --role-arn "<Role ARN>")

export AWS_ACCESS_KEY_ID=$(echo "${result}" | jq -r '.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(echo "${result}" | jq -r '.SecretAccessKey')
export AWS_SESSION_TOKEN=$(echo "${result}" | jq -r '.SessionToken')

# depending on the permissions you have given the IAM Role you can test it with the AWS CLI here
```
Note that all certs are valid for 1 year; make sure you change this to be compliant with your company's rules. Usually the client certs should have a shorter TTL.
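Before wiring a role certificate into aws_signing_helper it is worth checking that the files the scripts above produce actually fit together. The script below is an added example, not part of the original post or of Step CLI: `check_role_cert` verifies that the role certificate chains to the trust-anchor bundle, is not itself a CA certificate, matches its private key, is not expired, and does not exceed a maximum TTL (the point made in the note above). It uses only openssl so it runs without a step binary; `make_test_chain` builds a constructed root/intermediate/leaf chain with openssl purely so the checks can be exercised, using the same file names the scripts above use (ca_dev.pem, role_cert_dev.pem, role_cert_dev.key).

```bash
#!/bin/bash
# Added example (not from the original post): sanity checks for the files that
# create-ca.sh / create-cert.sh produce, using only openssl.

# check_role_cert CERT KEY CA_BUNDLE MAX_DAYS
#   Returns 0 if CERT chains to CA_BUNDLE, is an end-entity cert, matches KEY,
#   is currently valid and expires within MAX_DAYS; otherwise prints the reason
#   on stderr and returns 1.
check_role_cert() {
  local cert="$1" key="$2" bundle="$3" max_days="${4:-365}"

  # 1. Chain: the leaf must validate against the bundle given to the trust anchor.
  #    -untrusted "$cert" also picks up an intermediate appended by --bundle.
  if ! openssl verify -CAfile "$bundle" -untrusted "$cert" "$cert" >/dev/null 2>&1; then
    echo "chain: $cert does not verify against $bundle" >&2; return 1
  fi

  # 2. Role certificates must be end-entity certificates, never CA:TRUE.
  if openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
    echo "basicConstraints: $cert is a CA certificate" >&2; return 1
  fi

  # 3. The private key handed to aws_signing_helper must belong to the cert.
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "key: $key does not match $cert" >&2; return 1
  fi

  # 4. Validity: not expired now, and TTL no longer than policy allows.
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
    echo "expiry: $cert has already expired" >&2; return 1
  fi
  if openssl x509 -in "$cert" -noout -checkend $((max_days * 86400)) >/dev/null; then
    echo "expiry: $cert is valid for more than $max_days days" >&2; return 1
  fi
  return 0
}

# make_test_chain DIR
#   Constructed stand-in for the output of create-ca.sh / create-cert.sh, built
#   with openssl so the checks above can run without a step binary.
make_test_chain() {
  local dir="$1" env="dev" n
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > "$dir/leaf.ext"

  for n in root_ca intermediate_ca role_cert; do
    openssl ecparam -name secp384r1 -genkey -noout -out "$dir/${n}_${env}.key"
    openssl req -new -key "$dir/${n}_${env}.key" -subj "/CN=$n" -out "$dir/$n.csr" 2>/dev/null
  done
  # Root: self-signed, 1 year. Intermediate: signed by root, 1 year. Leaf: 90 days.
  openssl x509 -req -in "$dir/root_ca.csr" -signkey "$dir/root_ca_${env}.key" -days 365 \
    -extfile "$dir/ca.ext" -out "$dir/root_ca_${env}.crt" 2>/dev/null
  openssl x509 -req -in "$dir/intermediate_ca.csr" -CA "$dir/root_ca_${env}.crt" \
    -CAkey "$dir/root_ca_${env}.key" -CAcreateserial -days 365 -extfile "$dir/ca.ext" \
    -out "$dir/intermediate_ca_${env}.crt" 2>/dev/null
  openssl x509 -req -in "$dir/role_cert.csr" -CA "$dir/intermediate_ca_${env}.crt" \
    -CAkey "$dir/intermediate_ca_${env}.key" -CAcreateserial -days 90 -extfile "$dir/leaf.ext" \
    -out "$dir/leaf.crt" 2>/dev/null
  # Same layout as the post: trust-anchor bundle = intermediate + root,
  # role cert file = leaf + intermediate (what `step ... --bundle` writes).
  cat "$dir/intermediate_ca_${env}.crt" "$dir/root_ca_${env}.crt" > "$dir/ca_${env}.pem"
  cat "$dir/leaf.crt" "$dir/intermediate_ca_${env}.crt" > "$dir/role_cert_${env}.pem"
}

# Stand-alone demo: build the constructed chain in a temp dir and check it.
demo_dir=$(mktemp -d)
make_test_chain "$demo_dir"
if check_role_cert "$demo_dir/role_cert_dev.pem" "$demo_dir/role_cert_dev.key" "$demo_dir/ca_dev.pem" 365; then
  echo "role_cert_dev.pem: OK"
fi
rm -rf "$demo_dir"
```

To check real output from the scripts above, run `check_role_cert ./role_cert_dev.pem ./role_cert_dev.key ./ca_dev.pem 90` (or whatever TTL your policy allows) from the directory that holds them; a non-zero exit with the reason on stderr is what you want to see before the cert ever reaches a Trust Anchor.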
Hope this helps someone!
Feel free to close this whenever. :)