From bcd1d3994ee14bf3974dae574503c1b88e7023b2 Mon Sep 17 00:00:00 2001 From: Michael Tibben Date: Mon, 20 Apr 2020 23:42:26 +1000 Subject: [PATCH 1/4] Add ykman prompt --- USAGE.md | 71 ++++++++++++++++++++++----------------------- prompt/kdialog.go | 4 +-- prompt/osascript.go | 4 +-- prompt/prompt.go | 8 +++-- prompt/terminal.go | 9 ++++-- prompt/ykman.go | 28 ++++++++++++++++++ prompt/zenity.go | 5 ++-- vault/vault.go | 2 +- 8 files changed, 81 insertions(+), 50 deletions(-) create mode 100644 prompt/ykman.go diff --git a/USAGE.md b/USAGE.md index 150406b69..3f01caf65 100644 --- a/USAGE.md +++ b/USAGE.md @@ -19,9 +19,12 @@ * [Assuming a role for more than 1h](#assuming-a-role-for-more-than-1h) * [Being able to perform certain STS operations](#being-able-to-perform-certain-sts-operations) * [Rotating Credentials](#rotating-credentials) +* [Using a Yubikey](#using-a-yubikey) + * [Prerequisites](#prerequisites) + * [Setup](#setup) + * [Usage](#usage) * [Recipes](#recipes) * [Overriding the aws CLI to use aws-vault](#overriding-the-aws-cli-to-use-aws-vault) - * [Using a yubikey as a virtual MFA](#using-a-yubikey-as-a-virtual-mfa) * [An example config to switch profiles via environment variables](#an-example-config-to-switch-profiles-via-environment-variables) @@ -402,56 +405,50 @@ The minimal IAM policy required to rotate your own credentials is: } ``` -## Recipes - -### Overriding the aws CLI to use aws-vault - -If you want the `aws` command to use aws-vault automatically, you can create an overriding script -(make it higher precedence in your PATH) that looks like the below: - -```bash -#!/bin/bash -exec aws-vault exec "${AWS_DEFAULT_PROFILE:-work}" -- /usr/local/bin/aws "$@" -``` - -The exec helps reduce the number of processes that are hanging around. The `$@` passes on the -arguments from the wrapper to the original command. +## Using a Yubikey -### Using a yubikey as a virtual MFA +Yubikeys can be used with AWS Vault via Yubikey's OATH-TOTP support. TOTP is necessary because FIDO-U2F is unsupported on the AWS API. -There's been attempts in the past to support yubikeys natively (#392 , #230) there's another way to go -at this problem. [Newer](https://support.yubico.com/support/solutions/articles/15000006419-using-your-yubikey-with-authenticator-codes) -yubikeys support generating TOTP tokens. +### Prerequisites + 1. [A Yubikey that supports OATH-TOTP](https://support.yubico.com/support/solutions/articles/15000006419-using-your-yubikey-with-authenticator-codes) + 2. `ykman`, the [YubiKey Manager CLI](https://github.com/Yubico/yubikey-manager) tool -In this [blog](https://hackernoon.com/use-a-yubikey-as-a-mfa-device-to-replace-google-authenticator-b4f4c0215f2) you can -find information about this process but it boils down to this. +You can verify these prerequisites by running `ykman info` and checking `OATH` is enabled. -1. Go to AWS and click on add a MFA -2. Choose a virtual device -3. Instead of scanning the code you can get it as text (keep it safe). -4. Install [ykman](https://support.yubico.com/support/solutions/articles/15000012643-yubikey-manager-cli-ykman-user-manual#Introductionmrzmm1) -5. Run this: +### Setup + 1. Log into the AWS web console with your IAM user credentials, and navigate to _My Security Credentials_ + 2. Under _Multi-factor authentivation (MFA)_, click `Manage MFA device` and add a Virtual MFA device + 3. Instead of showing the QR code, click on `Show secret key` and copy the key. + 4. On a command line, run: + ```bash + ykman oath add -t arn:aws:iam::${ACCOUNT_ID}:mfa/${IAM_USERNAME} + ``` + replacing `${ACCOUNT_ID}` with your AWS account ID and `${IAM_USERNAME}` with your IAM username. It will prompt you for a base32 text and you can input the key from step 3. Notice the above command uses `-t` which requires you to touch your YubiKey to generate authentication codes. + 5. Now you have to enter two consecutive MFA codes into the AWS website to assign your key to your AWS login. Just run `ykman oath code arn:aws:iam::${ACCOUNT_ID}:mfa/${IAM_USERNAME}` to get an authentication code. The codes are re-generated every 30 seconds, so you have to run this command twice with about 30 seconds in between to get two distinct codes. Enter the two codes in the AWS form and click `Assign MFA` +### Usage +Using the `ykman` prompt driver, aws-vault will execute `ykman` to generate tokens for any profile in your `.aws/config` using an `mfa_device`. ```bash -ykman oath add YOUR_YUBIKEY_PROFILE -t +aws-vault exec --prompt ykman ${AWS_VAULT_PROFILE_USING_MFA} -- aws s3 ls ``` -It will ask you for a base32 text. Here you can input the text you got in 3. +You can also set the `AWS_VAULT_PROMPT` environment variable to avoid specifying `--prompt` each time. -6. Run this command twice (wait 30 secs in between): -```bash -ykman oath code --single YOUR_YUBIKEY_PROFILE -``` -Input both values as tokens and your device should register as a virtual MFA. +## Recipes +### Overriding the aws CLI to use aws-vault -7. Now if you want to run any aws-vault command you should run this: -```bash -aws-vault exec --mfa-token $(ykman oath code --single ${YOUR_YUBIKEY_PROFILE}) ${YOUR_AWS_VAULT_PROFILE} -- aws s3 ls +If you want the `aws` command to use aws-vault automatically, you can create an overriding script +(make it higher precedence in your PATH) that looks like the below: + +```bash +#!/bin/bash +exec aws-vault exec "${AWS_DEFAULT_PROFILE:-work}" -- /usr/local/bin/aws "$@" ``` -[Here](https://gist.github.com/chtorr/0ecc8fca27a4c5e186c636c262cc4757) There're some helper scripts for this. +The exec helps reduce the number of processes that are hanging around. The `$@` passes on the +arguments from the wrapper to the original command. ### An example config to switch profiles via environment variables diff --git a/prompt/kdialog.go b/prompt/kdialog.go index ec4e9e14a..98d53580c 100644 --- a/prompt/kdialog.go +++ b/prompt/kdialog.go @@ -5,8 +5,8 @@ import ( "strings" ) -func KDialogPrompt(prompt string) (string, error) { - cmd := exec.Command("kdialog", "--inputbox", prompt, "--title", "aws-vault") +func KDialogPrompt(mfaSerial string) (string, error) { + cmd := exec.Command("kdialog", "--inputbox", mfaPromptMessage(mfaSerial), "--title", "aws-vault") out, err := cmd.Output() if err != nil { diff --git a/prompt/osascript.go b/prompt/osascript.go index ebfbc8ba7..660bd8352 100644 --- a/prompt/osascript.go +++ b/prompt/osascript.go @@ -6,12 +6,12 @@ import ( "strings" ) -func OSAScriptPrompt(prompt string) (string, error) { +func OSAScriptPrompt(mfaSerial string) (string, error) { cmd := exec.Command("osascript", "-e", fmt.Sprintf(` display dialog "%s" default answer "" buttons {"OK", "Cancel"} default button 1 text returned of the result return result`, - prompt)) + mfaPromptMessage(mfaSerial))) out, err := cmd.Output() if err != nil { diff --git a/prompt/prompt.go b/prompt/prompt.go index 39100d2f6..a18a0ebaf 100644 --- a/prompt/prompt.go +++ b/prompt/prompt.go @@ -4,9 +4,7 @@ import "fmt" type PromptFunc func(string) (string, error) -var Methods = map[string]PromptFunc{ - "terminal": TerminalPrompt, -} +var Methods = map[string]PromptFunc{} func Available() []string { methods := []string{} @@ -23,3 +21,7 @@ func Method(s string) PromptFunc { } return m } + +func mfaPromptMessage(mfaSerial string) string { + return fmt.Sprintf("Enter token for %s: ", mfaSerial) +} diff --git a/prompt/terminal.go b/prompt/terminal.go index 67d62fd2a..1e2b71862 100644 --- a/prompt/terminal.go +++ b/prompt/terminal.go @@ -7,13 +7,18 @@ import ( "strings" ) -func TerminalPrompt(prompt string) (string, error) { - fmt.Fprint(os.Stderr, prompt) +func TerminalPrompt(mfaSerial string) (string, error) { + fmt.Fprint(os.Stderr, mfaPromptMessage(mfaSerial)) reader := bufio.NewReader(os.Stdin) text, err := reader.ReadString('\n') if err != nil { return "", err } + return strings.TrimSpace(text), nil } + +func init() { + Methods["terminal"] = TerminalPrompt +} diff --git a/prompt/ykman.go b/prompt/ykman.go new file mode 100644 index 000000000..08521875b --- /dev/null +++ b/prompt/ykman.go @@ -0,0 +1,28 @@ +package prompt + +import ( + "fmt" + "os/exec" + "strings" +) + +// YkmanProvider runs ykman to generate a OATH-TOTP token from the Yubikey device +// To set up ykman, first run `ykman oath add` +func YkmanProvider(mfaSerial string) (string, error) { + cmd := exec.Command("ykman", "oath", "code", "-s", mfaSerial) + + out, err := cmd.Output() + if err != nil { + stderr := "" + if ee, ok := err.(*exec.ExitError); ok && len(ee.Stderr) > 0 { + stderr = ":\n" + string(ee.Stderr) + } + return "", fmt.Errorf("ykman: %w%s", err, stderr) + } + + return strings.TrimSpace(string(out)), nil +} + +func init() { + Methods["ykman"] = YkmanProvider +} diff --git a/prompt/zenity.go b/prompt/zenity.go index 882353dfb..bcc43c184 100644 --- a/prompt/zenity.go +++ b/prompt/zenity.go @@ -1,13 +1,12 @@ package prompt import ( - "fmt" "os/exec" "strings" ) -func ZenityPrompt(prompt string) (string, error) { - cmd := exec.Command("zenity", "--entry", "--title=aws-vault", fmt.Sprintf(`--text=%s`, prompt)) +func ZenityPrompt(mfaSerial string) (string, error) { + cmd := exec.Command("zenity", "--entry", "--title", "aws-vault", "--text", mfaPromptMessage(mfaSerial)) out, err := cmd.Output() if err != nil { diff --git a/vault/vault.go b/vault/vault.go index 145f40780..9144cd9b2 100644 --- a/vault/vault.go +++ b/vault/vault.go @@ -46,7 +46,7 @@ func (m *Mfa) GetMfaToken() (*string, error) { if m.MfaPromptMethod != "" { promptFunc := prompt.Method(m.MfaPromptMethod) - token, err := promptFunc(fmt.Sprintf("Enter token for %s: ", m.MfaSerial)) + token, err := promptFunc(m.MfaSerial) return aws.String(token), err } From 2ff5b26d38bc99cfd0b005d86080335b874961a7 Mon Sep 17 00:00:00 2001 From: Michael Tibben Date: Tue, 21 Apr 2020 10:47:14 +1000 Subject: [PATCH 2/4] Use YKMAN_OATH_CREDENTIAL_NAME to override ykman credential --- USAGE.md | 4 +++- prompt/ykman.go | 8 +++++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/USAGE.md b/USAGE.md index 3f01caf65..6f65a75cd 100644 --- a/USAGE.md +++ b/USAGE.md @@ -432,7 +432,9 @@ Using the `ykman` prompt driver, aws-vault will execute `ykman` to generate toke ```bash aws-vault exec --prompt ykman ${AWS_VAULT_PROFILE_USING_MFA} -- aws s3 ls ``` -You can also set the `AWS_VAULT_PROMPT` environment variable to avoid specifying `--prompt` each time. +Further config: + - `AWS_VAULT_PROMPT=ykman`: to avoid specifying `--prompt` each time + - `YKMAN_OATH_CREDENTIAL_NAME`: to use an alternative ykman credential ## Recipes diff --git a/prompt/ykman.go b/prompt/ykman.go index 08521875b..ab2a40b81 100644 --- a/prompt/ykman.go +++ b/prompt/ykman.go @@ -2,6 +2,7 @@ package prompt import ( "fmt" + "os" "os/exec" "strings" ) @@ -9,7 +10,12 @@ import ( // YkmanProvider runs ykman to generate a OATH-TOTP token from the Yubikey device // To set up ykman, first run `ykman oath add` func YkmanProvider(mfaSerial string) (string, error) { - cmd := exec.Command("ykman", "oath", "code", "-s", mfaSerial) + yubikeyOathCredName := os.Getenv("YKMAN_OATH_CREDENTIAL_NAME") + if yubikeyOathCredName == "" { + yubikeyOathCredName = mfaSerial + } + + cmd := exec.Command("ykman", "oath", "code", "--single", yubikeyOathCredName) out, err := cmd.Output() if err != nil { From 34e4756151cab0563d480b0217841dac6635d239 Mon Sep 17 00:00:00 2001 From: Michael Tibben Date: Tue, 21 Apr 2020 11:11:05 +1000 Subject: [PATCH 3/4] Output all stderr --- prompt/ykman.go | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/prompt/ykman.go b/prompt/ykman.go index ab2a40b81..251efcc5c 100644 --- a/prompt/ykman.go +++ b/prompt/ykman.go @@ -16,14 +16,11 @@ func YkmanProvider(mfaSerial string) (string, error) { } cmd := exec.Command("ykman", "oath", "code", "--single", yubikeyOathCredName) + cmd.Stderr = os.Stderr out, err := cmd.Output() if err != nil { - stderr := "" - if ee, ok := err.(*exec.ExitError); ok && len(ee.Stderr) > 0 { - stderr = ":\n" + string(ee.Stderr) - } - return "", fmt.Errorf("ykman: %w%s", err, stderr) + return "", fmt.Errorf("ykman: %w", err) } return strings.TrimSpace(string(out)), nil From 5153ff5893c42d14aaaa09715e20b2e0bb60503a Mon Sep 17 00:00:00 2001 From: Michael Tibben Date: Tue, 21 Apr 2020 21:48:26 +1000 Subject: [PATCH 4/4] Add logging --- prompt/ykman.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/prompt/ykman.go b/prompt/ykman.go index 251efcc5c..b4bf80507 100644 --- a/prompt/ykman.go +++ b/prompt/ykman.go @@ -2,6 +2,7 @@ package prompt import ( "fmt" + "log" "os" "os/exec" "strings" @@ -15,6 +16,7 @@ func YkmanProvider(mfaSerial string) (string, error) { yubikeyOathCredName = mfaSerial } + log.Printf("Fetching MFA code using `ykman oath code --single %s`", yubikeyOathCredName) cmd := exec.Command("ykman", "oath", "code", "--single", yubikeyOathCredName) cmd.Stderr = os.Stderr