Hi, I am trying to create a code sample to achieve this concept for some of our developers that want to use Conjur authn-iam authentication.
Basically we would like a non-AWS machine, possibly on-prem, to assume an AWS role and authenticate with Conjur for retrieving secrets.
Here are the steps I am envisioning to go about it, please correct me:
1. Use Okta to authenticate to the AWS account.
2. Select the role and generate an AWS keyset (access key, secret key, token).
3. Pass those into conjur-iam-client (get the Conjur IAM API key).
4. Create the Conjur client (from conjur-iam-client as well).
5. Retrieve secrets.
Can someone please suggest or point me at a sample that may exist out there?
Will this be using IAM roles or IAM users? I am not familiar with fetching IAM roles from a non-AWS machine.
If you are able to retrieve the access key, secret key & token, I could make some modifications to the conjur-iam-api-key GitHub to support this flow.
I would be happy to work with you in creating this solution.
Thanks for the reply, you are correct, I am able to retrieve the access key, secret key and the token by assuming an AWS IAM role using my AD credentials, as shown in the image below.
I tried to get conjur-iam-api-key (using your library) but was unable to do so, because I believe I am not able to generate a:
- Signature key
- Canonical request
- Conjur-iam-api-key
as STS or http://169.254.169.254 is not accessible from my workstation. Please let me know your availability and I will be glad to work with you on this.
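The signing step the post above gets stuck on, as an added example that is neither conjur-iam-client's code nor the poster's: it derives the SigV4 signature over an STS GetCallerIdentity request from an access key, secret key and session token that are passed in (so the metadata endpoint is never contacted), and returns the header set that authn-iam verifies. The GET form of the STS request, the us-east-1 region for the global STS endpoint, and the sample credentials and host id used in the assertions are assumptions.

```python
# Added example (not conjur-iam-client or the poster's code): SigV4-sign an STS
# GetCallerIdentity request for authn-iam with the stdlib; no metadata endpoint needed.
import datetime
import hashlib
import hmac
import urllib.parse

STS_HOST = "sts.amazonaws.com"
STS_QUERY = "Action=GetCallerIdentity&Version=2011-06-15"
SIGNED_HEADERS = "host;x-amz-content-sha256;x-amz-date;x-amz-security-token"

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def signing_key(secret_key: str, date_stamp: str, region: str) -> bytes:
    """SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    k = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k = _hmac(k, region)
    k = _hmac(k, "sts")
    return _hmac(k, "aws4_request")

def signed_sts_headers(access_key, secret_key, token, now=None, region="us-east-1"):
    """Header dict Conjur replays against STS (region assumed: global STS endpoint)."""
    now = now or datetime.datetime.utcnow()
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    payload_hash = hashlib.sha256(b"").hexdigest()  # GET request, empty body
    canonical_headers = (f"host:{STS_HOST}\nx-amz-content-sha256:{payload_hash}\n"
                         f"x-amz-date:{amz_date}\nx-amz-security-token:{token}\n")
    canonical_request = "\n".join(["GET", "/", STS_QUERY, canonical_headers,
                                   SIGNED_HEADERS, payload_hash])
    scope = f"{date_stamp}/{region}/sts/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    return {  # this dict, JSON-encoded, is the body POSTed to authn_iam_url()
        "host": STS_HOST,
        "x-amz-content-sha256": payload_hash,
        "x-amz-date": amz_date,
        "x-amz-security-token": token,
        "authorization": (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                          f"SignedHeaders={SIGNED_HEADERS}, Signature={signature}"),
    }

def authn_iam_url(appliance_url, service_id, account, host_id):
    """authn-iam authenticate endpoint; the host id is one URL-encoded path segment."""
    return (f"{appliance_url}/authn-iam/{service_id}/{account}/"
            f"{urllib.parse.quote(host_id, safe='')}/authenticate")
```

Conjur replays the signed GET against STS and checks that the returned caller identity matches the host id in the URL, so the temporary credentials must belong to the IAM role named by that host id; credentials for some other principal are rejected with a 401.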
This goes over how to use authn-iam within Lambda, but it should apply to on-prem deployments also. As long as you can obtain the iam-role-name, access-key, secret-key and security-token, it should authenticate successfully.
Hi Andrew, FYI, I am getting a 401 when I tried from on-prem because the session_token (conjur_client) returned is empty; I got past getting the signature though.
Here is the error info: requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://write.secrets.tsi.lan/authn/prod/host%2F029298672891%2FHydraDatamartTaskHost/authenticate
I am authenticating to AWS to get access_key, secret_key, token using my Windows account. I have an internal meeting with the cloud team to ensure the assume-role part works in the meantime.
The code works from within EC2 as expected. Thanks
-Vamsi Maddirala
Turns out the keyset I am passing is for the account, not for the host EC2 instance role. I am trying to figure out what’s called boto3 to generate the instance keyset.
Awesome, great to hear. Do you mind providing the code you are using with boto3? I am interested in how you implemented and might make a more formal post going over how to use IAM authn from on-prem.
2. Here are a few tweaks I had to make to the conjur_iam_client.

```python
import datetime
import sys

import requests

# boto, AWS_METADATA_URL, get_aws_region and arn come from the rest of the
# module and the poster's own helpers; they are not shown in this excerpt.


def get_iam_role_name():
    # Tweak: the metadata response is not used; the role name is hard-coded
    # to the Conjur host id ('<Host>' is a placeholder) because the metadata
    # endpoint is not reachable from on-prem.
    r = requests.get(AWS_METADATA_URL)
    return '<Host>'


def create_conjur_iam_api_key(iam_role_name=None, access_key=None, secret_key=None, token=None):
    # if iam_role_name is None:
    #     iam_role_name = get_iam_role_name()
    #
    # if access_key is None and secret_key is None and token is None:
    #     access_key, secret_key, token = get_iam_role_metadata(iam_role_name)

    # Tweak: take the keyset for the instance role from the poster's boto
    # helper (get_instance_keyset, not shown) instead of the metadata service.
    keyset = boto.get_instance_keyset(arn)
    access_key = keyset[0]
    secret_key = keyset[1]
    token = keyset[2]
    region = get_aws_region()
    iam_role_name = '<Host>'  # placeholder for the Conjur host id

    if access_key is None or secret_key is None:
        print('No access key is available.')
        sys.exit()

    # Create a date for headers and the credential string
    t = datetime.datetime.utcnow()
    # ... there is more in this def ...
```
Calling client methods to print the client list.

```python
import os

from conjur_iam_client import get_conjur_iam_session_token, create_conjur_iam_client

# Session token fetched from authn-iam; the client below repeats the call internally.
get_conjur_iam_session_token(os.environ['CONJUR_APPLIANCE_URL'], os.environ['CONJUR_ACCOUNT'], os.environ['AUTHN_IAM_SERVICE_ID'], os.environ['CONJUR_AUTHN_LOGIN'], os.environ['CONJUR_CERT_FILE'])
conjur_client = create_conjur_iam_client(os.environ['CONJUR_APPLIANCE_URL'], os.environ['CONJUR_ACCOUNT'], os.environ['AUTHN_IAM_SERVICE_ID'], os.environ['CONJUR_AUTHN_LOGIN'], os.environ['CONJUR_CERT_FILE'])
conjur_list = conjur_client.list()
print(conjur_list)
```