Organizations undergoing cloud migrations and enterprise transformations often find themselves managing IT operations in hybrid or multicloud environments. This can make it more complicated to safeguard workloads, applications, and data, and to securely manage identities and permissions across Amazon Web Services (AWS), hybrid, and multicloud setups.
In this post, we show you how to assume an AWS Identity and Access Management (IAM) role in your AWS accounts to securely issue temporary credentials for applications that run on the Google Cloud Platform (GCP). We also present best practices and key considerations for this authentication flow. Additionally, this post provides references to supplementary GCP documentation that offers more context and the steps related to setup on GCP.
Access control across security realms
As your multicloud environment grows, managing access controls across providers becomes more complex. By implementing the right access controls from the start, you can help scale your cloud operations effectively without compromising security. When you deploy apps across multiple cloud providers, you should implement a homogenous and consistent authentication and authorization mechanism across both cloud environments, to help maintain a secure and cost-effective environment. In the following sections, you'll learn how to implement such goals across AWS and workloads hosted on GCP, as shown in Figure 1.
Prerequisites
To follow along with this walkthrough, complete the following prerequisites.
1. Create a service account in GCP. Resources in GCP use service accounts to make API calls. When you create a GCP resource, such as a compute engine instance in GCP, a default service account gets created automatically. Although you can use this default service account in the solution described in this post, we recommend that you create a dedicated user-managed service account, because you can control which permissions to assign to the service account within GCP.
To learn more about best practices for service accounts, see Best practices for using service accounts in the Google documentation. In this post, we use a GCP virtual machine (VM) instance for demonstration purposes. To attach service accounts to other GCP resources, see Attach service accounts to resources.
2. Create a VM instance in GCP and attach the service account that you created in Step 1. Resources in GCP store their metadata information in a metadata server, and you can request an instance's identity token from that server. You'll use this identity token in the authentication flow later in this post.
3. Install the AWS Command Line Interface (AWS CLI) on the GCP VM instance that you created in Step 2.
4. Install jq and curl.
GCP VM identity authentication flow
Obtaining temporary AWS credentials for workloads that run on GCP is a multi-step process. In this flow, you use the identity token from the GCP compute engine metadata server to call the AssumeRoleWithWebIdentity API to request AWS temporary credentials. This flow gives your application greater flexibility to request credentials for an IAM role that you have configured with a sufficient trust policy; the corresponding Amazon Resource Name (ARN) of the IAM role must be known to the application.
Define an IAM role on AWS
Because AWS already supports OpenID Connect (OIDC) federation, you can use the OIDC token provided in GCP as described in Step 2 of the Prerequisites, and you don't have to create a separate OIDC provider in your AWS account. Instead, to create an IAM role for OIDC federation, follow the steps in Creating a role for web identity or OpenID Connect Federation (console). Using an OIDC principal without a condition can be overly permissive. To make sure that only the intended identity assumes the role, you must provide a StringEquals condition in the trust policy for this IAM role. Add the condition keys accounts.google.com:aud, accounts.google.com:oaud, and accounts.google.com:sub to the role's trust policy, as shown in the following.
Make sure to replace the <placeholder values> with your values from the Google ID token. The ID token issued for service accounts has the azp (AUTHORIZED_PARTY) field set, so the condition keys map to the Google ID token fields as follows:
The accounts.google.com:oaud condition key matches the aud (AUDIENCE) field of the Google ID token.
The accounts.google.com:aud condition key matches the azp (AUTHORIZED_PARTY) field of the Google ID token.
The accounts.google.com:sub condition key matches the sub (SUBJECT) field of the Google ID token.
For more information about the Google aud and azp fields, see the Google Identity Platform OpenID Connect guide.
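The trust policy with the three condition keys, plus a local check of the condition-key-to-claim mapping, as an added example that is not from the original post; AUDIENCE and SERVICE_ACCOUNT_ID are constructed placeholders.

```python
# Added example (not from the original post): the trust policy for the role,
# the mapping of its condition keys onto Google ID token claims, and a local
# check of that mapping. AUDIENCE and SERVICE_ACCOUNT_ID are constructed
# placeholders; a GCE identity token carries the service account's unique ID
# in both its azp and sub claims, so one value serves both condition keys.
AUDIENCE = "https://sts.amazonaws.com/TeamA-S3ReadOnlyAccess"
SERVICE_ACCOUNT_ID = "123456789012345678901"

# Google is a built-in federated principal, so no separate OIDC provider is
# needed; StringEquals pins the role to one audience and one service account.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "accounts.google.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            "accounts.google.com:oaud": AUDIENCE,
            "accounts.google.com:aud": SERVICE_ACCOUNT_ID,
            "accounts.google.com:sub": SERVICE_ACCOUNT_ID,
        }},
    }],
}

# IAM condition key -> claim of the Google ID token it is compared against.
CONDITION_KEY_TO_CLAIM = {
    "accounts.google.com:oaud": "aud",
    "accounts.google.com:aud": "azp",
    "accounts.google.com:sub": "sub",
}

# Constructed decoded payload of the token the VM would receive for AUDIENCE.
SAMPLE_CLAIMS = {"iss": "https://accounts.google.com", "aud": AUDIENCE,
                 "azp": SERVICE_ACCOUNT_ID, "sub": SERVICE_ACCOUNT_ID}

def unsatisfied_conditions(policy, claims):
    """Return the StringEquals condition keys that the decoded token claims do
    not satisfy. This is a local pre-check for debugging AccessDenied on
    AssumeRoleWithWebIdentity; STS evaluates the policy authoritatively after
    verifying the token's signature."""
    failed = []
    for statement in policy["Statement"]:
        expected = statement.get("Condition", {}).get("StringEquals", {})
        for key, want in expected.items():
            claim = CONDITION_KEY_TO_CLAIM.get(key)
            if claim is None or claims.get(claim) != want:
                failed.append(key)
    return failed
```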
Authentication flow
The authentication flow for this scenario is shown in Figure 2.
The authentication flow has the following steps:
1. On AWS, you can source external credentials by configuring the credential_process setting in the config file. For the syntax and operating system requirements, see Source credentials with an external process. For this post, we have created a custom profile named TeamA-S3ReadOnlyAccess in the config file, as follows:
To use different settings, you can create and reference additional profiles.
2. Specify a program or a script that credential_process will invoke. For this post, credential_process invokes the script /opt/bin/credentials.sh, which has the following code. Make sure to replace <111122223333> with your own account ID.
The script performs the following steps:
a. Google generates a new, unique instance identity token in the JSON Web Token (JWT) format.
The payload of the token includes several details about the instance and the audience URI, as shown in the following.
The IAM trust policy uses the aud (AUDIENCE), azp (AUTHORIZED_PARTY), and sub (SUBJECT) values from the JWT to help ensure that the IAM role defined in the section Define an IAM role on AWS can be assumed only by the intended GCP service account.
b. The script invokes the AssumeRoleWithWebIdentity API, passing in the identity token from the previous step and specifying which IAM role to assume. The script uses the identity subject claim as the session name, which can facilitate auditing or forensic operations on this AssumeRoleWithWebIdentity API call. AWS verifies the authenticity of the token before returning temporary credentials. In addition, you can verify the token in your credential program by using the process described in Obtaining the instance identity token.
c. The script then returns the temporary credentials to credential_process as JSON output on STDOUT; we used jq to parse the output into the desired JSON format.
The following is an example of temporary credentials returned by the credential_process script:
Note that AWS SDKs store the returned AWS credentials in memory after they call credential_process. AWS SDKs keep track of the credential expiration and generate new AWS session credentials through the credential process. In contrast, the AWS CLI doesn't cache external process credentials; instead, the AWS CLI calls credential_process for every CLI request, which creates a new role session and may result in slight delays when you run commands.
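The same credential_process flow written in Python, as an added example that is not the post's /opt/bin/credentials.sh: it fetches the instance identity token from the metadata server, uses the token's sub claim as the session name, calls AssumeRoleWithWebIdentity, and emits the JSON document that credential_process expects. ROLE_ARN and AUDIENCE are assumed placeholders; AUDIENCE must equal the accounts.google.com:oaud value in the role's trust policy.

```python
#!/usr/bin/env python3
# Added example credential_process program (not the post's /opt/bin/credentials.sh).
# ROLE_ARN and AUDIENCE are assumed placeholders; AUDIENCE must equal the
# accounts.google.com:oaud value in the role's trust policy.
import base64
import json
import urllib.parse
import urllib.request

ROLE_ARN = "arn:aws:iam::111122223333:role/TeamA-S3ReadOnlyAccess"
AUDIENCE = "https://sts.amazonaws.com/TeamA-S3ReadOnlyAccess"
METADATA_URL = ("http://metadata.google.internal/computeMetadata/v1/instance/"
                "service-accounts/default/identity?format=full&audience=")

def fetch_identity_token(audience, url=METADATA_URL):
    """Request a signed instance identity token for `audience` from the GCE
    metadata server; the Metadata-Flavor header is mandatory."""
    req = urllib.request.Request(url + urllib.parse.quote(audience, safe=""),
                                 headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()

def jwt_payload(token):
    """Decode the JWT payload without verifying it; STS verifies the signature
    and evaluates the trust policy's aud/azp/sub conditions."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def to_credential_process_output(sts_response):
    """Reshape an AssumeRoleWithWebIdentity response into the Version 1 JSON
    document that credential_process consumers read from STDOUT."""
    c = sts_response["Credentials"]
    exp = c["Expiration"]
    return {"Version": 1, "AccessKeyId": c["AccessKeyId"],
            "SecretAccessKey": c["SecretAccessKey"],
            "SessionToken": c["SessionToken"],
            "Expiration": exp if isinstance(exp, str) else exp.isoformat()}

def main():
    import boto3  # imported here so the helpers above run without the SDK
    token = fetch_identity_token(AUDIENCE)
    # The token's sub (service account unique ID) becomes the session name so
    # that CloudTrail ties every role session back to the calling identity.
    resp = boto3.client("sts").assume_role_with_web_identity(
        RoleArn=ROLE_ARN, RoleSessionName=jwt_payload(token)["sub"],
        WebIdentityToken=token, DurationSeconds=3600)
    print(json.dumps(to_credential_process_output(resp)))

if __name__ == "__main__":
    main()
```

Point credential_process at this file (made executable) instead of the shell script; an AWS region must be configured for the STS client, for example through AWS_DEFAULT_REGION.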
Test access in the AWS CLI
After you configure the config file for credential_process, verify your setup by running the following command.
The output will look similar to the following.
Amazon CloudTrail logs the AssumeRoleWithWebIdentity API call, as shown in Figure 3. The log captures the audience in the identity token as well as the IAM role that is being assumed. It also captures the session name with a reference to the identity subject claim, which can help simplify auditing or forensic operations on this AssumeRoleWithWebIdentity API call.
Test access in the AWS SDK
The next step is to test access in the AWS SDK. The following Python program shows how you can refer to the custom profile configured for the credential process.
Before you run this program, run pip install boto3. Create an IAM role that has the AmazonS3ReadOnlyAccess policy attached to it. This program prints the names of the existing S3 buckets in your account. For example, if your AWS account has two S3 buckets named DOC-EXAMPLE-BUCKET1 and DOC-EXAMPLE-BUCKET2, then the output of the preceding program shows the following:
If you don't have an existing S3 bucket, create an S3 bucket before you run the preceding program.
The list_bucket API call is also logged in CloudTrail, capturing the identity and source of the calling application, as shown in Figure 4.
Clean up
If you don't need to further use the resources that you created for this walkthrough, delete them to avoid future charges for the deployed resources:
Delete the VM instance and service account created in GCP.
Delete the resources that you provisioned on AWS to test the solution.
Conclusion
In this post, you learned how to exchange the identity token of a virtual machine running on GCP compute engine to assume a role on AWS, in order to seamlessly and securely access AWS resources from GCP-hosted workloads.
We walked you through the steps required to set up the credential process and shared best practices to consider for this authentication flow. You can also apply the same pattern to workloads deployed on GCP functions or Google Kubernetes Engine (GKE) when they request access to AWS resources.
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.
Want more AWS Security news? Follow us on Twitter.