Hi, I am trying to create a code sample to achieve this concept for some of our developers that want to use conjur authn-iam authentication.
Basically we would like a non-AWS machine, possibly on-prem, to assume an AWS role and authenticate with Conjur for retrieving secrets.
Here are the steps I am envisioning to go about it, please correct me
- using okta to auth to aws account
- select the role and generate an AWS keyset (access key, secret key, token)
- pass those into conjur-iam-client (get conjur iam api key)
- create conjur client (from conjur-iam-client as well)
- retrieve secrets
Can someone please suggest or point me at a sample that may exist out there?
Will this be using IAM Roles or IAM Users? I am not familiar with fetching IAM Roles from a non-AWS machine.
If you are able to retrieve the access key, secret key & token, I could make some modifications to the conjur-iam-api-key GitHub repo to support this flow.
I would be happy to work with you in creating this solution.
Thanks for the reply, you are correct, I am able to retrieve the access key, secret key and the token by assuming an AWS IAM role using my AD credentials as shown in the image below.
I tried to get conjur-iam-api-key (using your library) but unable to do so, because I believe I am not able to generate a
As sts or http://169.254.169.254 is not accessible via my workstation. Please let me know your availability and I will be glad to work with you on this.
Thanks for the offer to help.
Hi Andrew, please let me know if you had a chance to look into this. Thanks!
I have made modifications to the code, which can be found here: https://github.com/AndrewCopeland/conjur-iam-api-key
Make sure to get the latest code and follow the procedure for installation.
Once you have done this please take a look at this section: https://github.com/AndrewCopeland/conjur-iam-api-key/blob/master/README.md#executing-python-script
This goes over how to use authn-iam within Lambda, but it should apply to on-prem deployments also. As long as you can obtain the iam-role-name, access-key, secret-key and security-token, it should authenticate successfully.
Let me know if you have any other questions.
Thanks Andrew! Let me give that a shot, this is great turnaround.
Hi Andrew, FYI, I am getting a 401 when I tried from on-prem because the session_token (conjur_client) returned is empty; I got past getting the signature though.
Here is the error info:
requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://write.secrets.tsi.lan/authn/prod/host%2F029298672891%2FHydraDatamartTaskHost/authenticate
I am authenticating to AWS to get access_key, secret_key, token using my Windows account. I have an internal meeting with the cloud team to ensure the assume-role part works in the meantime.
The code works from within EC2 as expected. Thanks
Could you provide the code you are using on-prem? Are you passing in the access, secret and token from the assumed role?
Turns out the keyset I am passing is for the account, not for the host EC2 instance role. I am trying to figure out what's called boto3 to generate the instance keyset.
Tried boto3 and it is working now; basically a couple of hoops to jump through to get the EC2 keyset generated.
Awesome, great to hear. Do you mind providing the code you are using with boto3? I am interested in how you implemented it and might make a more formal post going over how to use IAM authn from on-prem.
No problem at all. Here are the steps to get this going, somewhat unstructured still, but it's working.
run okta-aws (internal aws cli based tool to assume role of an account)
choose account option to generate a key set for the account
make the account# trusted entity under ec2 assume role policy (via aws console)
use boto (custom python code) to assume role of an EC2 instance and generate keyset
use the keyset to auth with conjur
1. Here is my sample using boto3.

```python
import boto3

def get_instance_keyset(arn):  # arn = the EC2 instance role to assume (helper name as used below)
    sts_session = boto3.Session(profile_name='saml')  # profile written by okta-aws for the account
    sts_client = sts_session.client('sts')
    creds = sts_client.assume_role(RoleArn=arn, RoleSessionName='conjur-authn-iam')['Credentials']
    return creds['AccessKeyId'], creds['SecretAccessKey'], creds['SessionToken']  # access key, secret key, token

if __name__ == "__main__":
    print(get_instance_keyset('<instance-role-arn>'))  # placeholder ARN; main body not shown in the post
```
2. Here are a few tweaks I had to make to the conjur_iam_client.

```python
import datetime
import boto  # the custom helper module from step 1 (provides get_instance_keyset), not the boto library

r = requests.get(AWS_METADATA_URL)  # only reachable from inside EC2; not used on-prem

def create_conjur_iam_api_key(iam_role_name=None, access_key=None, secret_key=None, token=None):
    # the EC2 metadata lookups are bypassed on-prem:
    # if iam_role_name is None:
    #     iam_role_name = get_iam_role_name()
    # if access_key is None and secret_key is None and token is None:
    #     access_key, secret_key, token = get_iam_role_metadata(iam_role_name)
    # instead the keyset comes from assuming the EC2 instance role via STS (arn = that role's ARN)
    keyset = boto.get_instance_keyset(arn)
    access_key, secret_key, token = keyset  # unpack the (access key, secret key, token) tuple
    region = get_aws_region()
    iam_role_name = <Host>  # the IAM role name of the Conjur host
    if access_key is None or secret_key is None:
        print('No access key is available.')
    # Create a date for headers and the credential string
    t = datetime.datetime.utcnow()
    # .... there is more in this def....
```
Calling client methods to print client list.

```python
import os

# authenticate with the signed STS request and obtain a Conjur session token
get_conjur_iam_session_token(os.environ['CONJUR_APPLIANCE_URL'], os.environ['CONJUR_ACCOUNT'], os.environ['AUTHN_IAM_SERVICE_ID'], os.environ['CONJUR_AUTHN_LOGIN'], os.environ['CONJUR_CERT_FILE'])
conjur_client = create_conjur_iam_client(os.environ['CONJUR_APPLIANCE_URL'], os.environ['CONJUR_ACCOUNT'], os.environ['AUTHN_IAM_SERVICE_ID'], os.environ['CONJUR_AUTHN_LOGIN'], os.environ['CONJUR_CERT_FILE'])
conjur_list = conjur_client.list()
print(conjur_list)
```