Coder Social home page Coder Social logo

ephemeral-iam's Introduction

Ephemeral IAM

A CLI tool that utilizes service account token generation to enable users to temporarily authenticate gcloud commands as a service account. The intended use-case for this tool is to restrict the permissions that users are granted by default in their GCP organization while still allowing them to complete management tasks that require escalated permissions.

Notice: Ephemeral IAM requires granting users the Service Account Token Generator role and does not include any controls to prevent users from using these privileges in contexts outside of Ephemeral IAM in its current state. For more information on Ephemeral IAM's security considerations, refer to the security considerations document.

FAQ

Why not just use --impersonate-service-account?

There are several reasons why you would use ephemeral-iam in favor of --impersonate-service-account. Here are a few of note:

  • With the assume-privileges command you can start a privileged session and run commands as the service account without needing to provide the --impersonate-service-account flag each time
  • Using ephemeral-iam you can enhance audit logging by adding fields to audit logs using the request_reason request attribute. For example, you could configure an alert to trigger when a service account token is generated and no request_reason field is provided.
  • ephemeral-iam enforces session length restrictions to limit users to only impersonate a service account for 10 min at a time before needing to generate a new OAuth token.
  • This tool provides some QoL features such as being able to list the service accounts that you can impersonate and being able to query your permissions on GCP resources
  • When you run gcloud container clusters get-credentials CLUSTER --impersonate-service-account SA_EMAIL, a new kubeconfig entry is generated and persisted on your filesystem. However, ephemeral-iam does not persist privileged kubeconfig entries to the filesystem for added security.

Conceptual Overview

This section explains the basic process that happens when running the eiam assume-privileges command.

Ephemeral IAM uses the projects.serviceAccounts.generateAccessToken method to generate OAuth 2.0 tokens for service accounts which are then used in subsequent API calls. When a user runs the assume-privileges command, eiam makes a call to generate an OAuth 2.0 token for the specified service account that expires in 10 minutes.

If the token was successfully generated, eiam then starts an HTTPS proxy on the user's localhost. To enable the handling of HTTPS traffic, a self-signed TLS certificate is generated for the proxy and stored for future use.

Next, the active gcloud config is updated to forward all API calls through the local proxy.

Example updated configuration fields:

[core]
  custom_ca_certs_file: [/path/to/eiam/config_dir/server.pem]
[proxy]
  address: [127.0.0.1]
  port: [8084]
  type: [http]

For the duration of the privileged session (either until the token expires or when the user manually stops it with CTRL-C), all API calls made with gcloud will be intercepted by the proxy which will replace the Authorization header with the generated OAuth 2.0 token to authorize the request as the service account.

Once the session is over, eiam gracefully shuts down the proxy server and reverts the users gcloud config to its original state.

Installation

Instructions on how to install the eiam binary can be found in INSTALL.md.

Getting Started

Help Commands

The root eiam invocation and each of its sub-commands have their own help commands. These commands can be used to gather more information about a command and to explore the accepted arguments and flags.

Top-level --help

 $ eiam --help

╭────────────────────────────────────────────────────────────╮
│                                                            │
│                        Ephemeral IAM                       │
│  ──────────────────────────────────────────────────────    │
│  A CLI tool for temporarily escalating GCP IAM privileges  │
│  to perform high privilege tasks.                          │
│                                                            │
│      https://github.com/jessesomerville/ephemeral-iam      │
│                                                            │
╰────────────────────────────────────────────────────────────╯


╭────────────────────── Example usage ───────────────────────╮
│                                                            │
│                   Start privileged session                 │
│  ──────────────────────────────────────────────────────    │
│  $ eiam assumePrivileges \                                 │
│      -s [email protected] \   │
│      --reason "Emergency security patch (JIRA-1234)"       │
│                                                            │
│                                                            │
│                                                            │
│                     Run gcloud command                     │
│  ──────────────────────────────────────────────────────    │
│  $ eiam gcloud compute instances list --format=json \      │
│      -s [email protected] \       │
│      -R "Reason"                                           │
│                                                            │
╰────────────────────────────────────────────────────────────╯

Usage:
  eiam [command]

Available Commands:
  assume-privileges     Configure gcloud to make API calls as the provided service account [alias: priv]
  config                Manage configuration values
  gcloud                Run a gcloud command with the permissions of the specified service account
  help                  Help about any command
  kubectl               Run a kubectl command with the permissions of the specified service account
  list-service-accounts List service accounts that can be impersonated [alias: list]
  query-permissions     Query current permissions on a GCP resource

Flags:
  -h, --help   help for eiam
  -y, --yes    Assume 'yes' to all prompts

Use "eiam [command] --help" for more information about a command.

Sub-command --help

 $ eiam assume-privileges --help

The "assume-privileges" command fetches short-lived credentials for the provided service Account
and configures gcloud to proxy its traffic through an auth proxy. This auth proxy sets the
authorization header to the OAuth2 token generated for the provided service account. Once
the credentials have expired, the auth proxy is shut down and the gcloud config is restored.

The reason flag is used to add additional metadata to audit logs.  The provided reason will
be in 'protoPayload.requestMetadata.requestAttributes.reason'.

Usage:
  eiam assume-privileges [flags]

Aliases:
  assume-privileges, priv

Examples:

eiam assume-privileges \
  --service-account-email [email protected] \
  --reason "Emergency security patch (JIRA-1234)"

Flags:
  -h, --help                         help for assume-privileges
  -p, --project string               The GCP project. Inherits from the active gcloud config by default (default "rigup-sandbox")
  -R, --reason string                A detailed rationale for assuming higher permissions
  -s, --service-account-email string   The email address for the service account

Global Flags:
  -y, --yes   Assume 'yes' to all prompts

Tutorial

To better familiarize yourself with ephemeral-iam and how it works, you can follow the tutorial provided in the documentation.

ephemeral-iam's People

Contributors

actions-user avatar jessesomerville avatar

Watchers

avatar avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.