From 040228dcded62168138d265f2c96efbb2b8fd20a Mon Sep 17 00:00:00 2001
From: Macey Dobrowsky
Date: Mon, 16 Sep 2024 16:52:59 +0000
Subject: [PATCH 1/7] use Client Machine field for Account Id; change AWS Role parameter to be a custom field
---
 aws-orchestrator-core/AuthUtilities.cs | 19 +++++++++++++++----
 aws-orchestrator-core/CustomFields.cs | 8 ++++----
 integration-manifest.json | 8 ++++----
 3 files changed, 23 insertions(+), 12 deletions(-)
diff --git a/aws-orchestrator-core/AuthUtilities.cs b/aws-orchestrator-core/AuthUtilities.cs
index b998523..6f1b871 100644
--- a/aws-orchestrator-core/AuthUtilities.cs
+++ b/aws-orchestrator-core/AuthUtilities.cs
@@ -45,16 +45,21 @@ public Credentials GetCredentials(ACMCustomFields customFields, JobConfiguration
 {
 _logger.MethodEntry();
 _logger.LogDebug("Selecting credential method.");
- string awsRole = certStore.ClientMachine;
- _logger.LogDebug($"Using AWS Role - {awsRole} - from the ClientMachine field");
+
 if (customFields.UseIAM)
 {
 _logger.LogInformation("Using IAM User authentication method for creating AWS Credentials.");
 var accessKey = ResolvePamField(jobConfiguration.ServerUsername, "ServerUsername (IAM AccessKey)");
 var accessSecret = ResolvePamField(jobConfiguration.ServerPassword, "ServerPassword (IAM AccessSecret)");
+ string awsRole = customFields.IAMAssumeRole;
+ _logger.LogDebug($"Assuming AWS Role - {awsRole}");
+
+ string awsAccountId = certStore.ClientMachine;
+ _logger.LogDebug($"Using AWS Account ID - {awsAccountId} - from the ClientMachine field");
+
 _logger.LogTrace("Attempting to authenticate with AWS using IAM access credentials.");
- return AwsAuthenticate(accessKey, accessSecret, customFields.IamAccountId, awsRole);
+ return AwsAuthenticate(accessKey, accessSecret, awsAccountId, awsRole);
 }
 else if (customFields.UseOAuth)
 {
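Review bot: `awsRole` is now read from `customFields.IAMAssumeRole`, which the manifest hunk in this same patch declares with `"DefaultValue": null` and `"Required": false`, so a store with Use IAM User Auth enabled but no role set reaches `AwsAuthenticate` with a null role; the removed code took the role from Client Machine, which is always populated. Add a fail-fast guard right after the assignment: `if (string.IsNullOrWhiteSpace(awsRole)) throw new ArgumentException("AWS Role to Assume (IAM) must be set when Use IAM User Auth is enabled.");` so the misconfiguration is reported as a configuration error here rather than surfacing from STS (what `AwsAuthenticate` does with a null role is not visible in this patch). GetCredentials starts before this hunk and continues past it.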
@@ -74,8 +79,14 @@ public Credentials GetCredentials(ACMCustomFields customFields, JobConfiguration
 OAuthResponse authResponse = OAuthAuthenticate(oauthParams);
 _logger.LogTrace("Received OAuth response.");
+ string awsRole = customFields.OAuthAssumeRole;
+ _logger.LogDebug($"Assuming AWS Role - {awsRole}");
+
+ string awsAccountId = certStore.ClientMachine;
+ _logger.LogDebug($"Using AWS Account ID - {awsAccountId} - from the ClientMachine field");
+
 _logger.LogTrace("Attempting to authenticate with AWS using OAuth response.");
- return AwsAuthenticateWithWebIdentity(authResponse, customFields.OAuthAccountId, awsRole);
+ return AwsAuthenticateWithWebIdentity(authResponse, awsAccountId, awsRole);
 }
 else // use default SDK credential resolution
 {
diff --git a/aws-orchestrator-core/CustomFields.cs b/aws-orchestrator-core/CustomFields.cs
index 6c987a9..0eb3801 100644
--- a/aws-orchestrator-core/CustomFields.cs
+++ b/aws-orchestrator-core/CustomFields.cs
@@ -57,8 +57,8 @@ public class ACMCustomFields
 [DefaultValue(false)]
 public bool UseIAM { get; set; }
- [JsonProperty("OAuthAccountId")]
- public string OAuthAccountId { get; set; }
+ [JsonProperty("OAuthAssumeRole")]
+ public string OAuthAssumeRole { get; set; }
 [JsonProperty("OAuthScope")]
 public string OAuthScope { get; set; }
@@ -69,7 +69,7 @@ public class ACMCustomFields
 [JsonProperty("OAuthUrl")]
 public string OAuthUrl { get; set; }
- [JsonProperty("IamAccountId")]
- public string IamAccountId { get; set; }
+ [JsonProperty("IAMAssumeRole")]
+ public string IAMAssumeRole { get; set; }
 }
 }
\ No newline at end of file
diff --git a/integration-manifest.json b/integration-manifest.json
index 11db8b7..dd7d270 100644
--- a/integration-manifest.json
+++ b/integration-manifest.json
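Review bot: The OAuth branch has the same gap as the IAM one: `customFields.OAuthAssumeRole` is declared in the manifest with a null default and `"Required": false`, and the readme rows later in this series describe the role as "required when using OAuth 2.0 Provider", yet nothing checks it before it is handed to `AwsAuthenticateWithWebIdentity`. Add `if (string.IsNullOrWhiteSpace(awsRole)) throw new ArgumentException("AWS Role to Assume (OAuth) must be set when Use OAuth 2.0 Provider is enabled.");` immediately after the assignment so an unset role fails with a clear message instead of an opaque web-identity error. The enclosing GetCredentials method begins before this hunk and its default-SDK branch continues after it.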
@@ -86,16 +86,16 @@
 "Required": false
 },
 {
- "Name": "IamAccountId",
- "DisplayName": "IAM AWS Account ID",
+ "Name": "IAMAssumeRole",
+ "DisplayName": "AWS Role to Assume (IAM)",
 "Type": "String",
 "DependsOn": "UseIAM",
 "DefaultValue": null,
 "Required": false
 },
 {
- "Name": "OAuthAccountId",
- "DisplayName": "OAuth AWS Account ID",
+ "Name": "OAuthAssumeRole",
+ "DisplayName": "AWS Role to Assume (OAuth)",
 "Type": "String",
 "DependsOn": "UseOAuth",
 "DefaultValue": null,
From 8fc145b498cc3d39cc253beefb139c2adc88ffab Mon Sep 17 00:00:00 2001
From: Macey Dobrowsky
Date: Fri, 20 Sep 2024 03:33:24 +0000
Subject: [PATCH 2/7] fix typo and add logging line for default account id
---
 aws-orchestrator-core/AuthUtilities.cs | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/aws-orchestrator-core/AuthUtilities.cs b/aws-orchestrator-core/AuthUtilities.cs
index 6f1b871..907024f 100644
--- a/aws-orchestrator-core/AuthUtilities.cs
+++ b/aws-orchestrator-core/AuthUtilities.cs
@@ -45,7 +45,9 @@ public Credentials GetCredentials(ACMCustomFields customFields, JobConfiguration
 {
 _logger.MethodEntry();
 _logger.LogDebug("Selecting credential method.");
-
+
+ string awsAccountId = certStore.ClientMachine;
+
 if (customFields.UseIAM)
 {
 _logger.LogInformation("Using IAM User authentication method for creating AWS Credentials.");
@@ -55,7 +57,6 @@ public Credentials GetCredentials(ACMCustomFields customFields, JobConfiguration
 string awsRole = customFields.IAMAssumeRole;
 _logger.LogDebug($"Assuming AWS Role - {awsRole}");
- string awsAccountId = certStore.ClientMachine;
 _logger.LogDebug($"Using AWS Account ID - {awsAccountId} - from the ClientMachine field");
 _logger.LogTrace("Attempting to authenticate with AWS using IAM access credentials.");
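Review bot: The hoisted `string awsAccountId = certStore.ClientMachine;` is still taken on trust, and this release changes what Client Machine means: under the previous code (the removed `string awsRole = certStore.ClientMachine;` in patch 1) that field held a role name, so an existing store upgraded in place will now pass its old role name as the account ID and fail only deep inside STS rather than as a configuration error. Since the value is now read once for both branches that use it, validate it once here: `if ((customFields.UseIAM || customFields.UseOAuth) && !Regex.IsMatch(awsAccountId ?? string.Empty, @"^\d{12}$"))` / `throw new ArgumentException($"Client Machine must be a 12-digit AWS Account ID when IAM or OAuth auth is used; got '{awsAccountId}'.");` (add `using System.Text.RegularExpressions;` if the file does not already have it). AWS account IDs are always 12 digits, so the check rejects nothing valid, and it keeps a malformed value from being interpolated into whatever ARN the callee builds, which this hunk does not show. GetCredentials continues past the end of this hunk.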
@@ -63,7 +64,7 @@ public Credentials GetCredentials(ACMCustomFields customFields, JobConfiguration
 }
 else if (customFields.UseOAuth)
 {
- _logger.LogInformation("Using OAuth authenticaiton method for creating AWS Credentials.");
+ _logger.LogInformation("Using OAuth authentication method for creating AWS Credentials.");
 var clientId = ResolvePamField(jobConfiguration.ServerUsername, "ServerUsername (OAuth Client ID)");
 var clientSecret = ResolvePamField(jobConfiguration.ServerPassword, "ServerPassword (OAuth Client Secret)");
 OAuthParameters oauthParams = new OAuthParameters()
@@ -82,7 +83,6 @@ public Credentials GetCredentials(ACMCustomFields customFields, JobConfiguration
 string awsRole = customFields.OAuthAssumeRole;
 _logger.LogDebug($"Assuming AWS Role - {awsRole}");
- string awsAccountId = certStore.ClientMachine;
 _logger.LogDebug($"Using AWS Account ID - {awsAccountId} - from the ClientMachine field");
 _logger.LogTrace("Attempting to authenticate with AWS using OAuth response.");
@@ -91,6 +91,7 @@ public Credentials GetCredentials(ACMCustomFields customFields, JobConfiguration
 else // use default SDK credential resolution
 {
 _logger.LogInformation("Using default AWS SDK credential resolution for creating AWS Credentials.");
+ _logger.LogDebug($"Default Role and Account ID will be used. Specified AWS Account ID - {awsAccountId} - will not be used.");
 return null;
 }
 }
From 358b19c14be7fa3a364bb24d925c1a9230fbf72a Mon Sep 17 00:00:00 2001
From: Macey Dobrowsky
Date: Wed, 9 Oct 2024 19:47:15 +0000
Subject: [PATCH 3/7] update changelog and documentation
---
 CHANGELOG.md | 3 +++
 readme_source.md | 10 +++++-----
 2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 17e8974..d760590 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
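Review bot: The new Debug line in the default-SDK branch records a security-relevant gap instead of closing it: when neither IAM nor OAuth is selected the Account ID the store was configured with is discarded and the orchestrator acts in whatever account the ambient SDK credentials belong to, so a store scoped to one account can silently manage certificates in another, and a Debug-level message is easy to miss in production. At minimum raise it to a warning when an account ID was actually supplied: `if (!string.IsNullOrWhiteSpace(awsAccountId)) _logger.LogWarning($"Store is configured for AWS Account ID {awsAccountId} but default SDK credential resolution ignores it; the ambient credentials' account will be used.");`. Better, where the `null` return is consumed (outside this hunk), compare the account from `sts:GetCallerIdentity` against `awsAccountId` and fail on mismatch, so the store's account boundary is enforced for every auth method rather than only for IAM and OAuth. GetCredentials begins before this hunk.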
@@ -1,3 +1,6 @@
+2.1.0
+* Return parity to original AWS store type organization - differentiating based on AWS Account ID
+
 2.0.1
 * Remove logging of sensitive data
 * Update Private Key to required for certificates in this store in docs and store definition
diff --git a/readme_source.md b/readme_source.md
index 9b4f067..7993e3d 100644
--- a/readme_source.md
+++ b/readme_source.md
@@ -79,8 +79,8 @@ UseIAM | Use IAM User Auth | boolean | False | N/A | Yes | A switch to enable th
 OAuthScope | OAuth Scope | string | N/A | Use OAuth 2.0 Provider | No | This is the OAuth Scope needed for Okta OAuth, defined in Okta
 OAuthGrantType | OAuth Grant Type | string | client_credentials | Use OAuth 2.0 Provider | No | In OAuth 2.0, the term “grant type” refers to the way an application gets an access token. In Okta this is `client_credentials`
 OAuthUrl | OAuth URL | string | https://***/oauth2/default/v1/token | Use OAuth 2.0 Provider | No | The URL to request a token from your OAuth Provider. Fill this out with the correct URL.
-OAuthAccountId | OAuth AWS Account Id | string | N/A | Use OAuth 2.0 Provider | No | The AWS account ID to use after getting an OAuth token to assume the associated Role.
-IamAccountId | IAM AWS Account ID | string | N/A | Use IAM User Auth | No | The AWS account ID to use when assuming a role as the IAM User.
+OAuthAssumeRole | AWS Role to Assume (OAuth) | string | N/A | Use OAuth 2.0 Provider | No | The AWS Role to assume after getting an OAuth token.
+IAMAssumeRole | AWS Role to Assume (IAM) | string | N/A | Use IAM User Auth | No | The AWS Role to assume as the IAM User.
 **Entry Parameters:**
@@ -101,7 +101,7 @@ Cert Store Settings
 ===============
 | Name | Value | Description |
 | ----------- | ----------- | ----------- |
-| Client Machine | AWS Role | This is the AWS Role that will be used for access. This role will be assumed and its permissions will apply to all actions taken by the orchestrator. |
+| Client Machine | AWS Account ID | This is the AWS Account ID that will be used for access. This will dictate what certificates are usable by the orchestrator. |
 | User Name | See Below | See Below |
 | Password | See Below | See Below |
 | Store Path | us-east-1,us-east-2,...,etc. | The AWS Region, or a comma-separated list of multiple regions, the store will operate in. |
@@ -110,8 +110,8 @@ Cert Store Settings
 | OAuth Scope | Look in OAuth provider for Scope | Displayed and required when using OAuth 2.0 Provider. OAuth scope setup in the Okta Application or other OAuth provider |
 | OAuth Grant Type | client_credentials | Displayed and required when using OAuth 2.0 Provider. This may vary depending on Okta setup but will most likely be this value. |
 | OAuth URL | https://***/oauth2/default/v1/token | Displayed and required when using OAuth 2.0 Provider. URL to request token from OAuth provider. Example given is for an Okta token. |
-| OAuth AWS Account Id | AWS account ID number | Displayed and required when using OAuth 2.0 Provider. This account ID is used in conjunction with the OAuth token to assume a role (set in the Client Machine parameter) |
-| IAM AWS Account Id | AWS account ID number | Displayed and required when using IAM User Auth. This account ID is used to assume a role (set in the Client Machine parameter) |
+| AWS Role to Assume (OAuth) | AWS Role | Displayed and required when using OAuth 2.0 Provider. This Role is assumed after getting an OAuth token. |
+| AWS Role to Assume (IAM) | AWS Role | Displayed and required when using IAM User Auth. This Role is assumed with the IAM credentials. |
 The User Name and Password fields are used differently based on the auth method you intend to use. The three options for auth are IAM User, OAuth, or default auth.
From ac59a4e5610d88e838786042c4925f32848f1f9a Mon Sep 17 00:00:00 2001
From: Keyfactor
Date: Wed, 9 Oct 2024 19:47:42 +0000
Subject: [PATCH 4/7] Update generated README
---
 README.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index 3495285..6fd650c 100644
--- a/README.md
+++ b/README.md
@@ -178,8 +178,8 @@ UseIAM | Use IAM User Auth | boolean | False | N/A | Yes | A switch to enable th
 OAuthScope | OAuth Scope | string | N/A | Use OAuth 2.0 Provider | No | This is the OAuth Scope needed for Okta OAuth, defined in Okta
 OAuthGrantType | OAuth Grant Type | string | client_credentials | Use OAuth 2.0 Provider | No | In OAuth 2.0, the term “grant type” refers to the way an application gets an access token. In Okta this is `client_credentials`
 OAuthUrl | OAuth URL | string | https://***/oauth2/default/v1/token | Use OAuth 2.0 Provider | No | The URL to request a token from your OAuth Provider. Fill this out with the correct URL.
-OAuthAccountId | OAuth AWS Account Id | string | N/A | Use OAuth 2.0 Provider | No | The AWS account ID to use after getting an OAuth token to assume the associated Role.
-IamAccountId | IAM AWS Account ID | string | N/A | Use IAM User Auth | No | The AWS account ID to use when assuming a role as the IAM User.
+OAuthAssumeRole | AWS Role to Assume (OAuth) | string | N/A | Use OAuth 2.0 Provider | No | The AWS Role to assume after getting an OAuth token.
+IAMAssumeRole | AWS Role to Assume (IAM) | string | N/A | Use IAM User Auth | No | The AWS Role to assume as the IAM User.
 **Entry Parameters:**
@@ -200,7 +200,7 @@ Cert Store Settings
 ===============
 | Name | Value | Description |
 | ----------- | ----------- | ----------- |
-| Client Machine | AWS Role | This is the AWS Role that will be used for access. This role will be assumed and its permissions will apply to all actions taken by the orchestrator. |
+| Client Machine | AWS Account ID | This is the AWS Account ID that will be used for access. This will dictate what certificates are usable by the orchestrator. |
 | User Name | See Below | See Below |
 | Password | See Below | See Below |
 | Store Path | us-east-1,us-east-2,...,etc. | The AWS Region, or a comma-separated list of multiple regions, the store will operate in. |
@@ -209,8 +209,8 @@ Cert Store Settings
 | OAuth Scope | Look in OAuth provider for Scope | Displayed and required when using OAuth 2.0 Provider. OAuth scope setup in the Okta Application or other OAuth provider |
 | OAuth Grant Type | client_credentials | Displayed and required when using OAuth 2.0 Provider. This may vary depending on Okta setup but will most likely be this value. |
 | OAuth URL | https://***/oauth2/default/v1/token | Displayed and required when using OAuth 2.0 Provider. URL to request token from OAuth provider. Example given is for an Okta token. |
-| OAuth AWS Account Id | AWS account ID number | Displayed and required when using OAuth 2.0 Provider. This account ID is used in conjunction with the OAuth token to assume a role (set in the Client Machine parameter) |
-| IAM AWS Account Id | AWS account ID number | Displayed and required when using IAM User Auth. This account ID is used to assume a role (set in the Client Machine parameter) |
+| AWS Role to Assume (OAuth) | AWS Role | Displayed and required when using OAuth 2.0 Provider. This Role is assumed after getting an OAuth token. |
+| AWS Role to Assume (IAM) | AWS Role | Displayed and required when using IAM User Auth. This Role is assumed with the IAM credentials. |
 The User Name and Password fields are used differently based on the auth method you intend to use. The three options for auth are IAM User, OAuth, or default auth.
From a7ff1e04edd9d8f582046cf64ffca109ec0d09a2 Mon Sep 17 00:00:00 2001
From: Macey Dobrowsky
Date: Wed, 9 Oct 2024 19:54:21 +0000
Subject: [PATCH 5/7] change changelog version
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d760590..50b32ad 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,4 @@
-2.1.0
+2.0.2
 * Return parity to original AWS store type organization - differentiating based on AWS Account ID
 2.0.1
From acb2d4bfb615bdc87930fb6b3846814c089d51a5 Mon Sep 17 00:00:00 2001
From: Macey Dobrowsky
Date: Thu, 10 Oct 2024 16:37:19 +0000
Subject: [PATCH 6/7] clarify that account id is not used for EC2 / SDK credentials
---
 readme_source.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/readme_source.md b/readme_source.md
index 7993e3d..0e6082b 100644
--- a/readme_source.md
+++ b/readme_source.md
@@ -32,7 +32,7 @@ Options for authenticating:
 2. IAM User Auth configuration (refer to `AwsCerManA` below)
 3. EC2 Role Auth or other default method supported by the [AWS SDK](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/creds-assign.html)
-As one option for #3, to set up Role Auth for an EC2 instance, follow the steps below. Note, this applies specifically __when the orchestrator is running `ACM-AWS` inside of an EC2 instance__.
+As one option for #3, to set up Role Auth for an EC2 instance, follow the steps below. Note, this applies specifically __when the orchestrator is running `ACM-AWS` inside of an EC2 instance__. Additionally, the EC2 credentials do not use the AWS Account ID specified in the certificate store and only use the single account/role indicated by the EC2 settings.
 1. Assign or note the existing IAM Role assigned to the EC2 instance running
 2. Make sure that role has access to ACM
 3. When configuring the `AWS-ACM` store, do not select either IAM or OAuth methods in the store's settings. This will make it use the AWS SDK to lookup EC2 credentials.
@@ -101,7 +101,7 @@ Cert Store Settings
 ===============
 | Name | Value | Description |
 | ----------- | ----------- | ----------- |
-| Client Machine | AWS Account ID | This is the AWS Account ID that will be used for access. This will dictate what certificates are usable by the orchestrator. |
+| Client Machine | AWS Account ID | This is the AWS Account ID that will be used for access. This will dictate what certificates are usable by the orchestrator. Note: this does not have any effect on EC2 inferred credentials, which are limited to a specific role/account. |
 | User Name | See Below | See Below |
 | Password | See Below | See Below |
 | Store Path | us-east-1,us-east-2,...,etc. | The AWS Region, or a comma-separated list of multiple regions, the store will operate in. |
From 13896bbe7647591f780eca798920a36c5ec0704a Mon Sep 17 00:00:00 2001
From: Keyfactor
Date: Thu, 10 Oct 2024 16:37:49 +0000
Subject: [PATCH 7/7] Update generated README
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 6fd650c..84a1352 100644
--- a/README.md
+++ b/README.md
@@ -131,7 +131,7 @@ Options for authenticating:
 2. IAM User Auth configuration (refer to `AwsCerManA` below)
 3. EC2 Role Auth or other default method supported by the [AWS SDK](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/creds-assign.html)
-As one option for #3, to set up Role Auth for an EC2 instance, follow the steps below. Note, this applies specifically __when the orchestrator is running `ACM-AWS` inside of an EC2 instance__.
+As one option for #3, to set up Role Auth for an EC2 instance, follow the steps below. Note, this applies specifically __when the orchestrator is running `ACM-AWS` inside of an EC2 instance__. Additionally, the EC2 credentials do not use the AWS Account ID specified in the certificate store and only use the single account/role indicated by the EC2 settings.
 1. Assign or note the existing IAM Role assigned to the EC2 instance running
 2. Make sure that role has access to ACM
 3. When configuring the `AWS-ACM` store, do not select either IAM or OAuth methods in the store's settings. This will make it use the AWS SDK to lookup EC2 credentials.
@@ -200,7 +200,7 @@ Cert Store Settings
 ===============
 | Name | Value | Description |
 | ----------- | ----------- | ----------- |
-| Client Machine | AWS Account ID | This is the AWS Account ID that will be used for access. This will dictate what certificates are usable by the orchestrator. |
+| Client Machine | AWS Account ID | This is the AWS Account ID that will be used for access. This will dictate what certificates are usable by the orchestrator. Note: this does not have any effect on EC2 inferred credentials, which are limited to a specific role/account. |
 | User Name | See Below | See Below |
 | Password | See Below | See Below |
 | Store Path | us-east-1,us-east-2,...,etc. | The AWS Region, or a comma-separated list of multiple regions, the store will operate in. |