Key Conjurer is a project designed to get rid of permanent AWS credentials. This was important to us as it brought down two related risks: compromise of permanent credentials and compromise of users' machines. Luckily, AWS provides its Security Token Service (STS), which allows users and services to generate temporary, just-in-time credentials. However, STS only handles the AWS side of the equation, and we needed the process of generating tokens to be linked with both our identity provider and MFA. For that we now have Key Conjurer.
Key Conjurer is made of three parts:
Key Conjurer currently supports the following identity providers and MFA services:
- Identity Providers:
  - onelogin
- MFA:
  - duo
- Certificates - Make sure a certificate in ACM is requested with the desired hostname (the ARN will be needed later):
  ```shell
  aws acm request-certificate --domain-name <api domain> --validation-method EMAIL --region us-east-1
  aws acm request-certificate --domain-name <frontend domain> --validation-method EMAIL --region us-east-1
  ```
- Make an S3 bucket (used for the Terraform state):
  ```shell
  aws s3api create-bucket --bucket <terraform state bucket> --region us-west-2 --create-bucket-configuration LocationConstraint=us-west-2
  ```
- A VPC with subnets to access the service
- Set up a KMS key
- go 1.12.4+
- npm 6.4.1+
- node 10.10.0+
- tfswitch
Fill in `prod.tfvars` based on `example.tfvars` and create `prod.env` based on `example.env`.
| Variable | Purpose |
|---|---|
| EncryptedSettings | A KMS-encrypted JSON blob with settings (see below for more info) |
| AWSRegion | Used for the KMS region. Typically the same region Key Conjurer is in |
The encrypted settings are a JSON blob with the following keys.
```json
{
  "awsKmsKeyId": "abc...",
  "oneLoginReadUserId": "def...",
  "oneLoginReadUserSecret": "ghi...",
  "oneLoginSamlId": "jkl...",
  "oneLoginSamlSecret": "lmn...",
  "oneLoginShard": "opq...",
  "oneLoginSubdomain": "rst..."
}
```
| Variable | Purpose |
|---|---|
| awsKmsKeyId | The KMS key to encrypt information with |
| oneLoginReadUserId | OneLogin key with read user permissions |
| oneLoginReadUserSecret | Secret key for oneLoginReadUserId |
| oneLoginSamlId | OneLogin key with SAML permissions |
| oneLoginSamlSecret | Secret key for oneLoginSamlId |
| oneLoginShard | OneLogin shard to talk with |
| oneLoginSubdomain | OneLogin subdomain |
They are encrypted so that users with access to the lambdas cannot see the secrets.
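As an added example (not Key Conjurer's own code), the Go function below shows how a lambda could load `EncryptedSettings`: base64-decode the value, decrypt it through an injected function standing in for KMS Decrypt, unmarshal the JSON, and refuse to start if any of the seven keys above is missing, without ever putting the plaintext into an error message. It assumes the variable holds the base64 encoding of the KMS ciphertext; the blob in `main` is constructed sample data and the identity "decrypt" exists only so the flow runs offline.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// requiredKeys are the keys of the settings blob described above; all must be set.
var requiredKeys = []string{
	"awsKmsKeyId", "oneLoginReadUserId", "oneLoginReadUserSecret", "oneLoginSamlId",
	"oneLoginSamlSecret", "oneLoginShard", "oneLoginSubdomain",
}

// LoadSettings takes the EncryptedSettings value (assumed here to be the base64 of the
// KMS ciphertext) and a decrypt function (in the lambda, a wrapper around KMS Decrypt)
// and returns the validated settings. Errors never echo the decrypted plaintext.
func LoadSettings(encoded string, decrypt func([]byte) ([]byte, error)) (map[string]string, error) {
	ct, err := base64.StdEncoding.DecodeString(strings.TrimSpace(encoded))
	if err != nil {
		return nil, fmt.Errorf("EncryptedSettings is not valid base64: %v", err)
	}
	pt, err := decrypt(ct)
	if err != nil {
		return nil, fmt.Errorf("kms decrypt failed: %v", err)
	}
	settings := map[string]string{}
	if err := json.Unmarshal(pt, &settings); err != nil {
		return nil, fmt.Errorf("settings blob is not a JSON object of strings: %v", err)
	}
	var missing []string
	for _, k := range requiredKeys {
		if settings[k] == "" {
			missing = append(missing, k)
		}
	}
	if len(missing) > 0 {
		return nil, fmt.Errorf("settings missing required keys: %s", strings.Join(missing, ", "))
	}
	return settings, nil
}

// main runs the flow with a stand-in decrypt that returns its input unchanged;
// the lambda would call KMS here. The blob is constructed and deliberately incomplete.
func main() {
	blob := base64.StdEncoding.EncodeToString([]byte(`{"awsKmsKeyId":"abc"}`))
	_, err := LoadSettings(blob, func(b []byte) ([]byte, error) { return b, nil })
	fmt.Println(err) // reports the six missing OneLogin keys
}
```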
```shell
source prod.env
make api_build api_upload
make terraform_apply
make build upload
```
Ensure the IAM role provisioned by Terraform has access to use the KMS key created above.
```shell
source prod.env
make build upload terraform_apply
```
`frontend` serves the CLI tool. This means the binaries created in `cli` need to be uploaded to the same bucket that's used to serve the frontend.