Automating third party access to AWS Resources - amazon-web-services

I'm currently creating an open source web interface for a very CPU intensive task that's making use of other open source projects. Because it is very simple and I want to keep it open source, I don't want to bother with a revenue scheme supporting it. My plan currently is to host the site in an S3 bucket and have some simple lambda functions managing the execution delegation to the client his AWS account.
My question is, is it possible to grant access to somebody his AWS account, similar to how it works with OAuth 2.0. In an ideal world, I'd like them to see a big "authorize" button redirecting them to AWS, listing the permissions and having a confirm or deny button. Trust issues aside, this is the only resource I could find and it looks quite cumbersome for somebody to authorize my app which in essence will only perform computations on their AWS EC2 account.

Actually, cross account access using IAM roles is absolutely the best way to do this. The docs have all the info you would need. It can be very simple for your user. The set up instructions for Spotinst, a third party AWS service provider, demonstrate how simple it can be. They have it in four steps:
Connect Spotinst to your Cloud Provider:
Click on the "Open template in Cloudformation" button and follow the instructions. Make sure to not refresh or leave this page until
you save your credentials.
Paste the Role ARN that was created.
Click on the "Connect account" button.
If you try it out I think you'll find it to be even easier than adding oauth to your service.

Related

Google cloud function deployment vs runtime permissions

I am paranoid about security and this makes no sense to me. I must be missing something here. I can get it working no problems. But I want to know why? What is the philosophy behind it? and how am I protected?
I wrote a google cloud function that receives a post request and publishes an event to a google pubsub topic. I've set up my topic pubsub resource and set up an iam binding so that only my functions service account can publish to that channel - that is all good.
However, it does not let me deploy (using gcloud functions deploy --service-account=...) my function with that service account. Says it does not have secretAccessor and and deploymentManager.editor and cloudfunctions.developer etc
My confusion is...why should it need development/deployment related permissions? I am deploying the function and I have those permissions. So it should use my permissions to deploy. But when the function is actually running, I dont want it to have those development/deployment management permissions in case there is some vulnerability that can be exploited. I want it to run as the service account I specify. It needs to be restricted to only the permissions related to receiving request and publishing to my topic. Otherwise it would break the principle of having least privileges.
When you create a service such as Functions, Run, or Compute Engine, you, as the deployer, need two types of permissions:
Permission to create the service
Permission to assign an existing identity (aka service account) to the service.
The service typically needs an identity (service account) with appropriate permissions. The permissions are the ones required for the service to access other services and resources. This service runs independently of the identity that created the service.
Two identities and two sets of permissions to manage. That means your goal of least privilege can be achieved.
My confusion is...why should it need development/deployment related
permissions?
I do not know because your question does not have the details required to answer. The error you posted does not make sense in the context described. I am not aware of any instance where, for example, deploying a Function requires Deployment Manager Editor for the Function's identity. The function itself might need that IAM role, but the deployment command does not nor does the deployment command even know which permissions the function requires except for those derived by the command line flags.
If you need more help on this, edit your question to clearly describe both identities and IAM roles, the deployment, which resources are accessed, and how you are deploying. Include the actual commands and error messages.

What is the correct GCP user role that I should assign to my external website developer?

Hi Google Cloud Platform (GCP) experts!
I am in the process of developing my own website. My external website developer has requested an access to GCP to use the Translation API for language localization and for other things like Google Sign in & Sign up,...etc.
Now, I have created the organization with domain registration. However, I am not sure what is the most secure way to ensure that the developer can develop the projects with the APIs needed without having too many permissions or being able to see the billing data.
Please advise what will be the best permissions/role/user to be assigned to my website developer?
Thank you and best regards,
Ali
Following Google Best practices for role recommendations, you should grant the minimum role level to execute the work. If your developer only need access to the Translation API, you can grant his account with this role: Cloud Translation API Editor.
If you want him to have full access to the Cloud Translation resources, you can gran him the Cloud Translation API Admin.
In case you have more than one developer and they all need the same permissions, you can create an IAM group, add the developer's mails to the group and assign the necessary roles to it.
You can read more about roles here: https://cloud.google.com/iam/docs/understanding-roles.
There are many strategies to implement. I will recommend one.
Step 1: Project Separation
Create a separate project for the website developer. His development work should be published in that project. Once tested and validated release to the production project. See Step 4 below for implementing source code control and CI/CD.
Create a separate DNS zone for the developer. An example might be dev.example.com. Depending on the Google Cloud service that you are using, such as Compute Engine, you can lock down access to the endpoint with VPC Firewall rules so that only specific IP addresses can access the development website. Customer will not be able to see work in progress.
Step 2: OAuth Client ID
To grant the ability to create OAuth Client IDs requires several permissions. I recommend creating a custom role with these permissions. Attach the custom role to the developer's identity.
clientauthconfig.clients.create
clientauthconfig.clients.createSecret
clientauthconfig.clients.delete
clientauthconfig.clients.get
clientauthconfig.clients.getWithSecret
clientauthconfig.clients.list
clientauthconfig.clients.listWithSecrets
clientauthconfig.clients.undelete
clientauthconfig.clients.update
Another option, which is more secure, is to create the OAuth Client ID yourself and provide the developer with the Client ID and Client Secret.
Step 3: Translation APIs
You have several options. I recommend granting the Cloud Translation API Editor role to the developer.
Translation IAM Roles
Step 4: Source Code Repository and CI/CD
I recommend that you create a GitHub repository, put the project under source code control. Implement GitHub Actions to automatically build, test and deploy code releases. Grant the developer the ability to push updates to the repository. GitHub Actions Workflows would automatically build, test and deploy the code to the developer project. The best option is to create a GitHub Organization account so that you have extended user management.

How to get AWS access credentials with login?

My requirement is to access some AWS APIs from a mobile application(Written in flutter). Currently how I have done it is by creating an IAM user with only the permissions required and using the access credentials of that user I sign my APIs.
What I am looking to do is instead of storing these credentials with in my app. Is there a way to use some sort of sign in mechanism to obtain some credentials and use those for signing my APIs?
Update 1:
To add more context. This is purely a hobby project and mostly for personal use. And for my use case storing credentials with in application is more than enough. Anyway I have intention to publish it as an open source project and I want to add a better way to handle this. Currently am not storing any credential in my code but am adding it as a an ENV during build process.
I think I would be able to handle this if I create my own backend to generate temporary credentials. But if there is some other standard solution out there I would like to utilize that.
Storing credentials in an application is an antipattern, and AWS provides features that prevent the need for you to do so.
Two alternatives off the top of my head.
The most obvious of these is AWS IAM Instance Profiles. These permit you to bind IAM permissions to an EC2. Any application or service on this ec2 is then permitted to perform the actions permitted by the IAM profile bound to the Instance Profile.
If you are running your application in EKS, you can leverage IRSA to bind IAM permissions to a service-account in the EKS cluster.
I assume you're running your service on EC2, and that therefore the InstanceProfile approach is easiest.

AWS Mechanical Turk with Multi Factor Authentication (MFA)

We use Multi Factor Authentication to protect our accounts. We login via https://My_AWS_Account_ID.signin.aws.amazon.com/console/
We want to try Amazon Mechanical Turk, however, nobody can log in at https://requestersandbox.mturk.com/ to create accounts. IAM permissions are set up but we still get AWS.MechanicalTurk.MustRegister when using the API to post hits.
Mechanical Turk supports IAM in the Requester API, but does not support it in the Requester User Interface found at http://requester.mturk.com. That's probably the root cause of the first issue you're experiencing.
In terms of the MustRegister error you're seeing in Sandbox when you post HITs, I'd suggest you start by calling GetAccountBalance. It's a read-only method that takes no parameters, and removes the risk that you're having an error in publish or somewhere else in the process. In other words, it's an API call that should always "just work."
If that's not the issue, I'd confirm that the GetAccountBalance does actually work in the MTurk production environment (the endpoint at mechanicalturk.amazonaws.com).
If GetAccountBalance works in neither, this would suggest the IAM credentials are not setup correctly. The most important things to verify are that (a) you're actually using the right IAM access key and secret key, and (b) that the IAM account you're using has the correct policies attached. On (b), make sure that on the AWS IAM Policies page, you choose AmazonMechanicalTurkFullAccess or AmazonMechanicalTurkReadOnly. At the top of that page, you must choose Attach to ensure they're attached to the right account.
I hope that helps.

Creating custom AWS IAM actions

Can AWS IAM be used to control access for custom applications? I heavily rely on IAM for controlling access to AWS resources. I have a custom Python app that I would like to extend to work with IAM, but I can't find any references to this being done by anyone.
I've considered the same thing, and I think it's theoretically possible. The main issue is that there's no call available in IAM that determines if a particular call is allowed (SimulateCustomPolicy may work, but that doesn't seem to be its purpose so I'm not sure it would have the throughput to handle high volumes).
As a result, you'd have to write your own IAM policy evaluator for those custom calls. I don't think that's inherently a bad thing, since it's also something you'd have to build for any other policy-based system. And the IAM policy format seems reasonable enough to be used.
I guess the short answer is, yes, it's possible, with some work. And if you do it, please open source the code so the rest of us can use it.
The only way you can manage users, create roles and groups is if you have admin access. Power users can do everything but that.
You can create a group with all the privileges you want to grant and create a user with policies attached from the group created. Create a user strictly with only programmatic access, so the app can connect with access key ID and secure key from AWS CLI.
Normally, IAM can be used to create and manage AWS users and groups, and permissions to allow and deny their access to AWS resources.
If your Python app is somehow consuming or interfacing to any AWS resource as S3, then probably you might want to look into this.
connect-on-premise-python-application-with-aws
The Python application can be upload to an S3 bucket. The application is running on a server inside the on-premise data center of a company. The focus of this tutorial is on the connection made to AWS.
Consider placing API Gateway in front of your Python app's routes.
Then you could control access using IAM.