
Allow custom token expiration #19

Open
mpender opened this issue Aug 13, 2020 · 3 comments

Comments

@mpender

mpender commented Aug 13, 2020

Instead of the hardcoded 1-hour token expiration time, is it possible to have cloudgate query the token expiration from a given role instead?

https://aws.amazon.com/about-aws/whats-new/2018/03/longer-role-sessions/
https://docs.amazonaws.cn/en_us/IAM/latest/UserGuide/id_credentials_temp_request.html

That way not every role used by cloudgate is governed by a single expiration time, and each account/role-owner can have granular control over token expiration.

@rgooch
Member

rgooch commented Aug 13, 2020

Creating a global configuration option to change the token length would be simple enough. Making the configuration more granular poses some challenges:

  • how to expose the configuration without complicating the WebUI
  • how to express different timeouts for different accounts or roles in cg-client
  • change the STS refresh interval for different account/role combinations

What is your use-case? If you are seeking to increase the STS token lifetimes then there is another issue: how to quickly revoke user access. One of the first questions I get from auditors or managers is how to revoke access quickly. Currently, STS tokens are 1 hour and this generally seems to be fast enough. If a user has an STS token which lasts 12 hours, this is more concerning if there is a perceived risk to the user retaining access for that long.

@mpender
Author

mpender commented Aug 14, 2020

This request comes directly from some of our users who cannot use a dedicated IAM user account/instance role and must use CloudGate.

This PR is to see how feasible it would be, or how much of a security hole it would be, to have a configuration flag in the static-config.yml where admins can set a flag to have CG either continue to enforce the IAM role limit of 1 hr (default) or respect the maximum token expiration as defined by the IAM role when CG looks it up.

Having a maximum flag to check against the default user_defined_limit:
if > default 1 hr and < user_defined_limit (let's say 4 hours), issue the token. So no 12 hr tokens can get through and users can have extra time with tokens.

"how to expose the configuration without complicating the WebUI"
This is something to have in the cloudgate static-config.yml only; the user doesn't need to see this.

"how to express different timeouts for different accounts or roles in cg-client"
Anything with a default limit could continue to auto-refresh; add another flag to enable refresh of custom STS tokens? Similar to how you have to specify getting tokens for Admin roles using cg-client.

For the overall security and integrity of this, I agree, having a way to kill tokens is important. That said, AWS account admins should be aware, regardless of whether they use CG or not, of how to revoke tokens using something like this: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html (Granted I have not tested this myself with CG generated tokens but I assume it would work).

I am not expecting CG to have this kill feature, this is about proposing custom token lengths or at least altering the hard limit.
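The two points argued above (a broker-wide ceiling on custom STS lifetimes, and the revoke-sessions mechanism as the answer to "how do we cut access quickly") can be shown in a few lines of Go. The block below is an added illustration written for this page; it is not CloudGate code and the `TokenLifetimeConfig` knobs, `effectiveDuration` and `revokeOlderSessionsPolicy` names are assumptions about how such a feature could be shaped. It also assumes the broker can read a role's MaxSessionDuration (iam:GetRole) before calling sts:AssumeRole. The lifetime check fails closed: a request outside the window is rejected rather than silently clamped, so a user asking for 12 hours against a 4-hour ceiling learns why instead of quietly getting a shorter token. The second function builds the Deny policy that AWS documents for revoking role sessions, conditioned on aws:TokenIssueTime, which is what makes longer lifetimes tolerable from the auditor's point of view.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// TokenLifetimeConfig is a hypothetical shape for static-config.yml knobs;
// it is not CloudGate's real configuration schema.
type TokenLifetimeConfig struct {
	AllowCustomDuration bool          // false: keep today's behaviour, always 1h
	MaxCustomDuration   time.Duration // admin ceiling, e.g. 4h; never issue more than this
}

const (
	defaultDuration = time.Hour        // the current hardcoded lifetime
	stsMinDuration  = 15 * time.Minute // smallest DurationSeconds STS accepts
)

// effectiveDuration decides the DurationSeconds to pass to sts:AssumeRole.
// requested comes from the client (0 = not specified); roleMax is the role's
// MaxSessionDuration (assumed to be fetched via iam:GetRole by the broker).
// Anything outside the allowed window is rejected, not clamped.
func effectiveDuration(cfg TokenLifetimeConfig, requested, roleMax time.Duration) (time.Duration, error) {
	if !cfg.AllowCustomDuration || requested == 0 {
		return defaultDuration, nil
	}
	if requested < stsMinDuration {
		return 0, fmt.Errorf("requested lifetime %s is below the STS minimum of %s", requested, stsMinDuration)
	}
	if requested > roleMax {
		// STS would reject this anyway; fail before the call so the user sees why.
		return 0, fmt.Errorf("requested lifetime %s exceeds the role's MaxSessionDuration of %s", requested, roleMax)
	}
	if requested > cfg.MaxCustomDuration {
		// Broker-wide ceiling: a role that allows 12h still gets at most the configured maximum.
		return 0, fmt.Errorf("requested lifetime %s exceeds the configured maximum of %s", requested, cfg.MaxCustomDuration)
	}
	return requested, nil
}

// revokeOlderSessionsPolicy builds the inline Deny policy AWS documents for
// revoking role sessions: every credential issued before cutoff is denied all
// actions, regardless of how long the token itself is valid. Attach it to the
// role with iam:PutRolePolicy when access must be cut before tokens expire.
func revokeOlderSessionsPolicy(cutoff time.Time) ([]byte, error) {
	if cutoff.IsZero() {
		return nil, errors.New("cutoff must be set")
	}
	policy := struct {
		Version   string `json:"Version"`
		Statement struct {
			Effect    string                       `json:"Effect"`
			Action    []string                     `json:"Action"`
			Resource  []string                     `json:"Resource"`
			Condition map[string]map[string]string `json:"Condition"`
		} `json:"Statement"`
	}{Version: "2012-10-17"}
	policy.Statement.Effect = "Deny"
	policy.Statement.Action = []string{"*"}
	policy.Statement.Resource = []string{"*"}
	policy.Statement.Condition = map[string]map[string]string{
		"DateLessThan": {"aws:TokenIssueTime": cutoff.UTC().Format(time.RFC3339)},
	}
	return json.Marshal(policy)
}

func main() {
	cfg := TokenLifetimeConfig{AllowCustomDuration: true, MaxCustomDuration: 4 * time.Hour}
	// Constructed inputs: a role whose MaxSessionDuration is the AWS maximum of 12h.
	for _, req := range []time.Duration{0, 3 * time.Hour, 12 * time.Hour} {
		d, err := effectiveDuration(cfg, req, 12*time.Hour)
		fmt.Printf("requested=%v -> issued=%v err=%v\n", req, d, err)
	}
	p, err := revokeOlderSessionsPolicy(time.Now())
	fmt.Println(string(p), err)
}
```

One caveat worth keeping in mind when weighing the proposal: if the broker's own credentials come from an AssumeRole call (role chaining), AWS caps the downstream session at one hour no matter what MaxSessionDuration or DurationSeconds say, so the longer lifetimes only materialise when CloudGate assumes roles from long-lived or instance-profile credentials.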

@mpender
Author

mpender commented Sep 25, 2020

Any more thoughts on this?
