
Uly.me

cloud engineer

  • Home
  • About
  • Archives

keys

GCP Monitor Service Account

February 24, 2022

You can check when a service account, or one of its keys, last authenticated to Google Cloud using the Activity Analyzer in Policy Intelligence. It reports last successful use, not failures; its main job is to find accounts and keys nobody is using before you disable or delete them.

gcloud policy-intelligence query-activity \
--activity-type=ACTIVITY_TYPE \
--project=PROJECT_ID \
--limit=LIMIT

The two options you can use for ACTIVITY_TYPE are:

  • serviceAccountKeyLastAuthentication (one result per service account key)
  • serviceAccountLastAuthentication (one result per service account)

Filed Under: Cloud Tagged With: gcp, keys, monitor, service account

Saml2aws

February 14, 2022

Use the saml2aws CLI as an alternative to the "SAML to AWS STS Keys Conversion" browser extension. It logs in to your identity provider, exchanges the SAML assertion for temporary STS credentials and writes them to an AWS profile.

Install on Mac.

brew install saml2aws
saml2aws --version

Configure. Answer the prompts for your identity provider.

saml2aws configure

It will create a ~/.saml2aws config file. Set the session to 8 hours. The value is in seconds, and STS will refuse it unless the IAM role's MaxSessionDuration is at least that long (the default is 1 hour).

aws_session_duration    = 28800

Login.

saml2aws login

After authentication and/or MFA, your ~/.aws/credentials will be updated with a temporary access key, secret key and session token. When they expire, run saml2aws login again.

Filed Under: Linux, Mac Tagged With: aws, integration, keys, saml, saml2aws, sessions, sts

GCP List Keys of Service Account

January 26, 2022

How to list all the keys of a GCP service account. By default this shows both user-managed and Google-managed keys; add --managed-by=user to see only the ones you created and are responsible for rotating.

gcloud iam service-accounts keys list \
--iam-account=your-service-account@your-project-id.iam.gserviceaccount.com \
--project=project-id

Result. Key IDs are redacted.

KEY_ID                                    CREATED_AT            EXPIRES_AT            DISABLED
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  2022-01-10T19:21:18Z  2022-01-26T19:21:18Z
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  2022-01-19T00:06:49Z  2022-02-04T00:06:49Z
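The key listing above and the Activity Analyzer query from the "GCP Monitor Service Account" post produce data you would normally eyeball. The script below is an added example, not from either post, that joins the two: it reads the JSON form of the key list and of a serviceAccountKeyLastAuthentication query and flags user-managed keys that are expired, older than a cutoff, or have no recent authentication. Both JSON samples are constructed inline, and the nesting of the activity output (activity.lastAuthenticatedTime and activity.serviceAccountKey.fullResourceName) is an assumption about the Activity Analyzer's format; compare it against your own --format=json output before trusting the report. The project, service account and key IDs are made up.

```python
import json
from datetime import datetime, timezone

# Constructed sample of `gcloud iam service-accounts keys list --format=json`
# for one service account (fields as the IAM API names them; key IDs are fake).
KEYS_JSON = """[
 {"name": "projects/demo-proj/serviceAccounts/builder@demo-proj.iam.gserviceaccount.com/keys/aaaa1111",
  "keyType": "USER_MANAGED", "validAfterTime": "2022-01-10T19:21:18Z", "validBeforeTime": "2022-01-26T19:21:18Z"},
 {"name": "projects/demo-proj/serviceAccounts/builder@demo-proj.iam.gserviceaccount.com/keys/bbbb2222",
  "keyType": "USER_MANAGED", "validAfterTime": "2022-01-19T00:06:49Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
 {"name": "projects/demo-proj/serviceAccounts/builder@demo-proj.iam.gserviceaccount.com/keys/cccc3333",
  "keyType": "SYSTEM_MANAGED", "validAfterTime": "2022-02-01T00:00:00Z", "validBeforeTime": "2022-03-01T00:00:00Z"}
]"""

# Constructed sample of `gcloud policy-intelligence query-activity
#   --activity-type=serviceAccountKeyLastAuthentication --format=json`.
# The nesting below is ASSUMED from the Activity Analyzer API; check it against real output.
ACTIVITY_JSON = """[
 {"activityType": "serviceAccountKeyLastAuthentication",
  "fullResourceName": "//iam.googleapis.com/projects/demo-proj/serviceAccounts/builder@demo-proj.iam.gserviceaccount.com",
  "activity": {
    "lastAuthenticatedTime": "2022-01-25T08:00:00Z",
    "serviceAccountKey": {"fullResourceName": "//iam.googleapis.com/projects/demo-proj/serviceAccounts/builder@demo-proj.iam.gserviceaccount.com/keys/aaaa1111"}}}
]"""

AS_OF = datetime(2022, 2, 24, tzinfo=timezone.utc)  # "now" for the demo


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def key_id_of(resource_name):
    # "projects/.../keys/<id>" and "//iam.googleapis.com/.../keys/<id>" both end the same way
    return resource_name.rsplit("/keys/", 1)[-1]


def key_report(keys_json, activity_json, now, max_age_days=90, max_idle_days=30):
    """Map user-managed key ID -> list of findings (an empty list means nothing to do)."""
    last_auth = {}
    for act in json.loads(activity_json):
        key_res = act["activity"].get("serviceAccountKey", {}).get("fullResourceName")
        if key_res:
            last_auth[key_id_of(key_res)] = parse_ts(act["activity"]["lastAuthenticatedTime"])

    report = {}
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue  # Google-managed keys are rotated by Google; nothing for us to rotate
        kid = key_id_of(key["name"])
        findings = []
        if (now - parse_ts(key["validAfterTime"])).days > max_age_days:
            findings.append("older than %d days" % max_age_days)
        if parse_ts(key["validBeforeTime"]) < now:
            findings.append("expired")
        seen = last_auth.get(kid)
        if seen is None:
            findings.append("no authentication recorded in the analyzer's observation period")
        elif (now - seen).days > max_idle_days:
            findings.append("idle for %d days" % (now - seen).days)
        report[kid] = findings
    return report


if __name__ == "__main__":
    for kid, findings in key_report(KEYS_JSON, ACTIVITY_JSON, AS_OF).items():
        print(kid, "; ".join(findings) or "ok")
```

To run it on real data, save the output of gcloud iam service-accounts keys list ... --format=json and of gcloud policy-intelligence query-activity --activity-type=serviceAccountKeyLastAuthentication --project=... --format=json to files and pass their contents to key_report. A key with no authentication in the analyzer's window is a candidate to disable first (gcloud iam service-accounts keys disable) and delete later, rather than delete outright, so a forgotten consumer fails loudly instead of permanently.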

Filed Under: Cloud Tagged With: gcp, keys, list, service account

AWS IAM Self Manage Policy

July 28, 2020

Here’s the permission needed for an AWS user to manage their own IAM credentials. The policy lets them view account-level information, change their own password, rotate their own access keys, manage their own signing certificates and SSH public keys, and manage their own git credentials for CodeCommit. Every statement except the account-level reads is scoped to arn:aws:iam::*:user/${aws:username}, so a user can only touch their own principal; note that ${aws:username} is only populated for IAM users, not for role sessions. The policy has no MFA condition; the MFA-enforcing variant in the AWS documentation adds a Deny for everything except these self-service actions when aws:MultiFactorAuthPresent is false.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowViewAccountInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnPasswords",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword",
                "iam:GetUser"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnAccessKeys",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:GetAccessKeyLastUsed",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnSigningCertificates",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSigningCertificate",
                "iam:ListSigningCertificates",
                "iam:UpdateSigningCertificate",
                "iam:UploadSigningCertificate"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnSSHPublicKeys",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSSHPublicKey",
                "iam:GetSSHPublicKey",
                "iam:ListSSHPublicKeys",
                "iam:UpdateSSHPublicKey",
                "iam:UploadSSHPublicKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnGitCredentials",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceSpecificCredential",
                "iam:DeleteServiceSpecificCredential",
                "iam:ListServiceSpecificCredentials",
                "iam:ResetServiceSpecificCredential",
                "iam:UpdateServiceSpecificCredential"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        }
    ]
}
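A policy like this is only safe because every credential-management statement is pinned to the caller's own user ARN. The checker below is an added example, not part of the post, that walks a policy document and flags Allow statements whose Resource is not arn:aws:iam::*:user/${aws:username} (account-level reads such as iam:GetAccountSummary legitimately need *) or whose actions contain a wildcard. The statements it runs against are constructed: one copies the post's AllowManageOwnAccessKeys statement, the other is the same statement with Resource *, which would let any user create access keys for any other user, administrators included.

```python
# Constructed statements for the check (not the full policy from the post).
SELF_SCOPED = {
    "Sid": "AllowManageOwnAccessKeys",
    "Effect": "Allow",
    "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey",
               "iam:GetAccessKeyLastUsed", "iam:ListAccessKeys", "iam:UpdateAccessKey"],
    "Resource": "arn:aws:iam::*:user/${aws:username}",
}
# Same actions, Resource "*": the user could mint keys for any principal in the account.
OVER_BROAD = dict(SELF_SCOPED, Sid="AccessKeysAnyUser", Resource="*")
ACCOUNT_INFO = {
    "Sid": "AllowViewAccountInfo",
    "Effect": "Allow",
    "Action": ["iam:GetAccountPasswordPolicy", "iam:GetAccountSummary"],
    "Resource": "*",
}

# Account-level read actions have no per-user resource, so "*" is correct for them.
ACCOUNT_LEVEL_READ = {"iam:GetAccountPasswordPolicy", "iam:GetAccountSummary"}
OWN_USER_SUFFIX = ":user/${aws:username}"


def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource
    return value if isinstance(value, list) else [value]


def check_self_service_policy(policy):
    """Return (Sid, reason) findings for Allow statements that are not pinned
    to the calling user's own ARN, or that use wildcard actions."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = set(_as_list(st.get("Action", [])))
        if actions <= ACCOUNT_LEVEL_READ:
            continue  # only account-wide reads: "*" is the right resource here
        for action in sorted(actions):
            if "*" in action:
                findings.append((sid, "wildcard action %r" % action))
        for resource in _as_list(st.get("Resource", [])):
            if not resource.endswith(OWN_USER_SUFFIX):
                findings.append((sid, "resource %r is not limited to the caller" % resource))
    return findings


def make_policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


if __name__ == "__main__":
    for sid, reason in check_self_service_policy(make_policy(ACCOUNT_INFO, SELF_SCOPED, OVER_BROAD)):
        print("%-20s %s" % (sid, reason))
```

Run it over any self-service policy before attaching it; the finding to look for is an iam:CreateAccessKey, iam:ChangePassword or credential-upload action whose resource is anything other than the caller's own user ARN.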


Filed Under: Cloud Tagged With: access, account, aws, certificates, change, credentials, git, iam, keys, manage, password, rotate

EC2 Password Authentication

May 18, 2020

When you stand up an AWS instance, it’s only accessible via SSH key using the default user, typically ec2-user.

Set a password for ec2-user, then turn password authentication on in the SSH daemon's config. Editing the config and restarting sshd both need root. Only do this on instances that are not reachable from the internet, or lock the security group down to known source addresses first: a public SSH port with password logins draws constant brute-force attempts, and keys remain the better default.

# Add password to ec2-user
sudo passwd ec2-user
# edit ssh config
sudo vim /etc/ssh/sshd_config
# enable password authentication
PasswordAuthentication yes
# save file and exit

Restart the SSH service, then confirm the value sshd actually resolved with sshd -T. sshd keeps the first occurrence of a keyword it reads, so on images whose sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf, a drop-in in that directory can set PasswordAuthentication no ahead of your edit and win.

sudo systemctl restart sshd.service
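Whether the edit above takes effect depends on where sshd reads it. The helper below is an added example, not from the post, that resolves the effective value of a directive the way sshd does: first occurrence wins, Include directives are expanded in place in sorted order, and lines inside a Match block are ignored for the global value (a Match all block that returns to global scope is not modelled). The config files it runs on are constructed to look like an image where cloud-init drops a PasswordAuthentication no file into /etc/ssh/sshd_config.d; the file names are assumptions.

```python
import fnmatch
import re

# Constructed files standing in for the filesystem: a main sshd_config that
# Includes a drop-in directory at the top, plus a drop-in that turns password
# logins off. Names are assumptions modelled on cloud-init's layout.
DROP_INS = {
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication no\n",
}
MAIN_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
#PasswordAuthentication yes
PasswordAuthentication yes
KbdInteractiveAuthentication no
Match User backup
    PasswordAuthentication no
"""


def _directives(text, files):
    """Yield (keyword, value) in the order sshd reads them, expanding Include
    in place. Comments are whole lines starting with '#'; keyword and value
    may be separated by whitespace or '='. `files` maps path -> contents."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "include":
            for pattern in value.split():
                # glob matches are read in lexical order, like sshd does
                for path in sorted(p for p in files if fnmatch.fnmatch(p, pattern)):
                    yield from _directives(files[path], files)
            continue
        yield key, value


def effective_setting(main_text, files, keyword):
    """First value sshd would use for `keyword` outside any Match block.
    sshd keeps the first occurrence of a keyword, so an Included drop-in near
    the top of the file beats an edit made further down. Lines after a Match
    only apply to matching connections and are skipped here."""
    in_match = False
    for key, value in _directives(main_text, files):
        if key == "match":
            in_match = True
            continue
        if not in_match and key == keyword.lower():
            return value
    return None


if __name__ == "__main__":
    print("with drop-in:", effective_setting(MAIN_CONFIG, DROP_INS, "PasswordAuthentication"))
    print("without drop-in:", effective_setting(MAIN_CONFIG, {}, "PasswordAuthentication"))
```

On the instance itself, sudo sshd -t checks the syntax before a restart and sudo sshd -T | grep -i passwordauthentication prints the value sshd actually resolved. If it still says no after your edit, put your setting in a drop-in that sorts before the existing one, or remove the conflicting line.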

Filed Under: Cloud, Linux Tagged With: authentication, aws, ec2, keys, password, ssh

S3 Browser IAM Assume Role

April 12, 2020

S3 Browser is a free Windows client for accessing AWS S3 buckets with an interface similar to File Manager. A typical setup has you paste an access key and secret key into S3 Browser. If the machine running it is an EC2 instance, it’s better to use an instance profile with an assumed role: the role hands out temporary credentials that expire and are rotated by AWS behind the scenes, so no long-lived key sits on the instance waiting to be copied. The good news is that S3 Browser supports IAM assume roles. Here’s the setup instructions to get your S3 Browser configured using IAM assume role. Here’s IAM role explained.

Filed Under: Cloud Tagged With: assume, browser, iam, keys, role, s3

IAM List Access Keys

January 14, 2020

Here’s how to list all the access keys in AWS via Python.

import boto3
from botocore.exceptions import ClientError

# set aws profile
session = boto3.Session(profile_name="default")
iam = session.client('iam')

# display header
print("{0:<20} {1:<25} {2:<15} {3:<10}".format('UserName', 'AccessKey', 'Status', 'CreateDate'))
print("----------------------------------------------------------------------------------------")

# list_users and list_access_keys are paginated (100 items per page by default),
# so use paginators or users past the first page will never be shown
for page in iam.get_paginator('list_users').paginate():
    for a in page['Users']:
        user = a['UserName']
        try:
            # get keys
            for keys in iam.get_paginator('list_access_keys').paginate(UserName=user):
                for b in keys['AccessKeyMetadata']:
                    print("{0:<20} {1:<25} {2:<15} {3:<10}".format(
                        b['UserName'], b['AccessKeyId'], b['Status'], str(b['CreateDate'])))
        except ClientError as err:
            # keep going if one user cannot be read (e.g. a permission boundary)
            print("{0:<20} error: {1}".format(user, err))

Filed Under: Cloud, Linux Tagged With: aws, boto3, cli, create, iam, keys, list, python, time, user

AWS CLI IAM Keys

December 20, 2019

Here’s a few commands to create, disable and delete AWS user access keys. A user can hold at most two access keys at a time, which is what makes rotation possible: create the new key, switch the consumer over, set the old key to Inactive, and delete it only once nothing breaks. Inactive keys can be turned back on; deleted ones cannot.

List user keys.

aws iam list-access-keys --user-name john.doe

Create access key. The new key ID and secret are printed on screen in JSON format. This is the only time the secret is shown, so capture it straight into your secret store rather than a terminal log.

aws iam create-access-key --user-name john.doe

Disable a key. The real key ID is obfuscated.

aws iam update-access-key \
--access-key-id ******************** \
--status Inactive \
--user-name john.doe

Delete a key. The real key ID is obfuscated.

aws iam delete-access-key \
--access-key-id ******************** \
--user-name john.doe
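The commands above, plus the boto3 listing from the "IAM List Access Keys" post, are the raw material for key rotation; what bites people is the order. The planner below is an added example, not from either post, that takes one user's key metadata in the shape list_access_keys returns and decides the next safe step given the two-key limit, then renders it as the matching aws iam command. The key records and the AS_OF date are constructed, and the access key IDs are fake.

```python
from datetime import datetime, timezone

MAX_KEYS_PER_USER = 2  # IAM hard limit per user
AS_OF = datetime(2022, 2, 24, tzinfo=timezone.utc)  # "now" for the demo

# Constructed key metadata in the shape of AccessKeyMetadata entries from
# iam.list_access_keys (CreateDate is a timezone-aware datetime). IDs are fake.
OLD_KEY = {"AccessKeyId": "AKIAOLDKEY000EXAMPLE", "Status": "Active",
           "CreateDate": datetime(2021, 6, 1, tzinfo=timezone.utc)}
NEW_KEY = {"AccessKeyId": "AKIANEWKEY000EXAMPLE", "Status": "Active",
           "CreateDate": datetime(2022, 2, 20, tzinfo=timezone.utc)}


def next_rotation_step(keys, now, max_age_days=90):
    """Return (action, access_key_id) for the next safe rotation step.

    Order matters because a user can hold only two keys and a deleted key
    cannot be recovered: create the replacement first, deactivate the old key
    once every consumer uses the new one (reactivation is a one-liner if
    something breaks), and delete only a key that is already Inactive.
    """
    if len(keys) > MAX_KEYS_PER_USER:
        raise ValueError("IAM allows at most %d access keys per user" % MAX_KEYS_PER_USER)
    inactive = [k for k in keys if k["Status"] == "Inactive"]
    active = sorted((k for k in keys if k["Status"] == "Active"), key=lambda k: k["CreateDate"])
    if inactive and (active or len(keys) == MAX_KEYS_PER_USER):
        return ("delete", inactive[0]["AccessKeyId"])      # frees the slot for the next rotation
    if len(active) == 2:
        return ("deactivate", active[0]["AccessKeyId"])    # the older key; the newer one stays live
    if len(active) == 1:
        if (now - active[0]["CreateDate"]).days > max_age_days:
            return ("create", None)                        # start rotation; the second slot is free
        return ("ok", active[0]["AccessKeyId"])
    return ("create", None)                                # no usable key at all


def to_cli(user, step):
    """Render a step as the aws iam command from the post (None when nothing to do)."""
    action, key_id = step
    if action == "create":
        return "aws iam create-access-key --user-name %s" % user
    if action == "deactivate":
        return ("aws iam update-access-key --access-key-id %s --status Inactive --user-name %s"
                % (key_id, user))
    if action == "delete":
        return "aws iam delete-access-key --access-key-id %s --user-name %s" % (key_id, user)
    return None


if __name__ == "__main__":
    for label, keys in [("one old key", [OLD_KEY]),
                        ("old and new", [OLD_KEY, NEW_KEY]),
                        ("old disabled", [dict(OLD_KEY, Status="Inactive"), NEW_KEY]),
                        ("fresh key", [NEW_KEY])]:
        step = next_rotation_step(keys, AS_OF)
        print("%-13s %-10s %s" % (label, step[0], to_cli("john.doe", step)))
```

Run across the output of the listing script to see, per user, which step each one is at; the deactivate step is the one to sit on for a day or two, since get-access-key-last-used will tell you whether anything still tried the old key.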

Filed Under: Cloud Tagged With: aws, cli, create, delete, disable, iam, keys

Copyright © 2023