How to look for an access key in AWS. Find the account.
$ aws sts get-access-key-info --access-key-id AKIA8XXXXXXXXXXXXXXX { "Account": "XXXXXXXXXXXX" } |
key
Allow Key Access for user in SSH
Allow shared key access only for one user in SSH.
Disable the password authentication for one user in your SSH config. Edit /etc/ssh/sshd_config.
Match User username PasswordAuthentication no |
Restart the SSH service.
service ssh restart |
Copy user’s public key to the destination server’s authorized file in ~/.ssh/authorized_keys.
ssh-rsa AAAAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx <-- public key goes on for miles |
Back on your client, login via SSH. User will not be prompted for password since public key is already authorized on server.
ssh username@server |
GCP Activate Service Account
How to activate a GCP service account for other users in Linux.
First generate a key for the service account. Save as key.json.
Login to the server as that user and copy the key there. Activate the service account.
$ gcloud auth activate-service-account [ACCOUNT] --key-file=key.json |
Once authenticated, you should be able to check if service account is active.
$ gcloud config list |
A better option without needing a key.
gcloud config set core/account service-account@project-id.iam.gserviceaccount.com |
Cross Account KMS keys
If you have multiple AWS accounts, you can setup a customer-managed KMS (key management service) in the AWS Key Management Service, to secure requests or services between the two AWS accounts. The customer-managed KMS key is tied to an identity such as an IAM user or role. In addition to users and roles, other AWS accounts can be added to grant access. KMS can be symmetric or asymmetric. It’s symmetric be default. To grant access to the other account, you need to add the AWS Account Id to the key. It’s 12 digit number unique to each AWS account.
Once a key is created, the valid key ID can be used in a AWS SDK to access resources from the other AWS account.
EFS Encryption
If you have an existing EFS that’s unencrypted, you can encrypt it be creating a snapshot using AWS Backup, and then restoring the file system to a new EFS with encryption. If you choose to restore in a directory in the same file system, it will not be encrypted. It has to be a new EFS. In addition, you’ll be asked to select which encryption key to use. The default key will work, unless you have your own.
SCP with a Key
SCP is a secure copy utility in Linux. You’ll need access to your system. In this example, a pem key is used to authenticate to a host. SCP copies filename.ext to the home directory of ec2-user. It’s important to add the target directory, otherwise it will not work.
Here’s how to use SCP with a key from local to server.
scp -i key.pem filename.ext user@server:/home/user |
From server to local. Run the command from local machine.
scp user@server:/home/user/file.txt /local/directory |
Copy SSH Key to Server
Here’s the command to copy a secret key to a remote server.
ssh-copy-id user@servername |
This assumes you already generated a key.
AWS CLI Add User
Here’s how to add an AWS user using the CLI.
aws iam create-user --user-name john.doe \ --tags Key='Name',Value='John Doe' Key='Role',Value='Admin' |
Create an access key for the user.
aws iam create-access-key --user-name john.doe |