Improve bearer token support

- Configure the bearer token in the SecureStore
- Document using ssh with aws-sso and ECS Server
- Bump to v1.17.0

Fixes: #915

Makefile

@@ -1,4 +1,4 @@
-PROJECT_VERSION := 1.16.1
+PROJECT_VERSION := 1.17.0
 DOCKER_REPO     := synfinatic
 PROJECT_NAME    := aws-sso
 

cmd/aws-sso/ecs_client_cmd.go

@@ -32,7 +32,9 @@ import (
 	"github.com/synfinatic/gotable"
 )
 
-type EcsListCmd struct{}
+type EcsListCmd struct {
+	Auth string `kong:"help='Full HTTP Authorization token to use for ECS Server',env='AWS_CONTAINER_AUTHORIZATION_TOKEN'"`
+}
 
 type EcsLoadCmd struct {
 	// AWS Params
@@ -42,15 +44,18 @@ type EcsLoadCmd struct {
 	Profile   string `kong:"short='p',help='Name of AWS Profile to assume',predictor='profile',xor='account,role'"`
 
 	// Other params
-	Port    int  `kong:"help='TCP port of aws-sso ECS Server',env='AWS_SSO_ECS_PORT',default=4144"` // SEE ECS_PORT in ecs_cmd.go
-	Slotted bool `kong:"short='s',help='Load credentials in a unique slot using the ProfileName as the key'"`
+	Auth    string `kong:"help='Full HTTP Authorization token to use for ECS Server',env='AWS_CONTAINER_AUTHORIZATION_TOKEN'"`
+	Port    int    `kong:"help='TCP port of aws-sso ECS Server',env='AWS_SSO_ECS_PORT',default=4144"` // SEE ECS_PORT in ecs_cmd.go
+	Slotted bool   `kong:"short='s',help='Load credentials in a unique slot using the ProfileName as the key'"`
 }
 
 type EcsProfileCmd struct {
-	Port int `kong:"help='TCP port of aws-sso ECS Server',env='AWS_SSO_ECS_PORT',default=4144"`
+	Auth string `kong:"help='Full HTTP Authorization token to use for ECS Server',env='AWS_CONTAINER_AUTHORIZATION_TOKEN'"`
+	Port int    `kong:"help='TCP port of aws-sso ECS Server',env='AWS_SSO_ECS_PORT',default=4144"`
 }
 
 type EcsUnloadCmd struct {
+	Auth    string `kong:"help='Full HTTP Authorization token to use for ECS Server',env='AWS_CONTAINER_AUTHORIZATION_TOKEN'"`
 	Port    int    `kong:"help='TCP port of aws-sso ECS Server',env='AWS_SSO_ECS_PORT',default=4144"`
 	Profile string `kong:"short='p',help='Name of AWS Profile to unload',predictor='profile'"`
 }
@@ -69,7 +74,7 @@ func (cc *EcsLoadCmd) Run(ctx *RunContext) error {
 }
 
 func (cc *EcsProfileCmd) Run(ctx *RunContext) error {
-	c := client.NewECSClient(ctx.Cli.Ecs.Profile.Port, ctx.Cli.Ecs.SecurityToken)
+	c := client.NewECSClient(ctx.Cli.Ecs.Profile.Port, ctx.Cli.Ecs.Profile.Auth)
 
 	profile, err := c.GetProfile()
 	if err != nil {
@@ -87,7 +92,7 @@ func (cc *EcsProfileCmd) Run(ctx *RunContext) error {
 }
 
 func (cc *EcsUnloadCmd) Run(ctx *RunContext) error {
-	c := client.NewECSClient(ctx.Cli.Ecs.Unload.Port, ctx.Cli.Ecs.SecurityToken)
+	c := client.NewECSClient(ctx.Cli.Ecs.Unload.Port, ctx.Cli.Ecs.Unload.Auth)
 
 	return c.Delete(ctx.Cli.Ecs.Unload.Profile)
 }
@@ -115,14 +120,14 @@ func ecsLoadCmd(ctx *RunContext, awssso *sso.AWSSSO, accountId int64, role strin
 	}
 
 	// do something
-	c := client.NewECSClient(ctx.Cli.Ecs.Load.Port, ctx.Cli.Ecs.SecurityToken)
+	c := client.NewECSClient(ctx.Cli.Ecs.Load.Port, ctx.Cli.Ecs.Load.Auth)
 
 	log.Debugf("%s", spew.Sdump(rFlat))
 	return c.SubmitCreds(creds, rFlat.Profile, ctx.Cli.Ecs.Load.Slotted)
 }
 
 func (cc *EcsListCmd) Run(ctx *RunContext) error {
-	c := client.NewECSClient(ctx.Cli.Ecs.Profile.Port, ctx.Cli.Ecs.SecurityToken)
+	c := client.NewECSClient(ctx.Cli.Ecs.Profile.Port, ctx.Cli.Ecs.List.Auth)
 
 	profiles, err := c.ListProfiles()
 	if err != nil {

cmd/aws-sso/ecs_cmd.go

@@ -22,6 +22,7 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"strings"
 
 	// "github.com/davecgh/go-spew/spew"
 	"github.com/synfinatic/aws-sso-cli/internal/ecs/server"
@@ -32,12 +33,12 @@ const (
 )
 
 type EcsCmd struct {
-	Run           EcsRunCmd     `kong:"cmd,help='Run the ECS Server'"`
-	List          EcsListCmd    `kong:"cmd,help='List profiles loaded in the ECS Server'"`
-	Load          EcsLoadCmd    `kong:"cmd,help='Load new IAM Role credentials into the ECS Server'"`
-	Unload        EcsUnloadCmd  `kong:"cmd,help='Unload the current IAM Role credentials from the ECS Server'"`
-	Profile       EcsProfileCmd `kong:"cmd,help='Get the current role profile name in the default slot'"`
-	SecurityToken string        `kong:"help='Security Token to use for authentication',env='AWS_CONTAINER_AUTHORIZATION_TOKEN'"`
+	Run         EcsRunCmd         `kong:"cmd,help='Run the ECS Server'"`
+	BearerToken EcsBearerTokenCmd `kong:"cmd,help='Configure the ECS Server bearer token'"`
+	List        EcsListCmd        `kong:"cmd,help='List profiles loaded in the ECS Server'"`
+	Load        EcsLoadCmd        `kong:"cmd,help='Load new IAM Role credentials into the ECS Server'"`
+	Unload      EcsUnloadCmd      `kong:"cmd,help='Unload the current IAM Role credentials from the ECS Server'"`
+	Profile     EcsProfileCmd     `kong:"cmd,help='Get the current role profile name in the default slot'"`
 }
 
 type EcsRunCmd struct {
@@ -49,9 +50,37 @@ func (cc *EcsRunCmd) Run(ctx *RunContext) error {
 	if err != nil {
 		return err
 	}
-	s, err := server.NewEcsServer(context.TODO(), ctx.Cli.Ecs.SecurityToken, l)
+
+	token, err := ctx.Store.GetEcsBearerToken()
+	if err != nil {
+		return err
+	}
+	if token == "" {
+		log.Warnf("No authentication token set, use 'aws-sso ecs bearer-token' to set one")
+	}
+
+	s, err := server.NewEcsServer(context.TODO(), token, l)
 	if err != nil {
 		return err
 	}
 	return s.Serve()
 }
+
+type EcsBearerTokenCmd struct {
+	Token  string `kong:"short=t,help='Bearer token value to use for ECS Server',xor='flag'"`
+	Delete bool   `kong:"short=d,help='Delete the current bearer token',xor='flag'"`
+}
+
+func (cc *EcsBearerTokenCmd) Run(ctx *RunContext) error {
+	// Store the token in the SecureStore
+	if ctx.Cli.Ecs.BearerToken.Delete {
+		return ctx.Store.DeleteEcsBearerToken()
+	}
+	if ctx.Cli.Ecs.BearerToken.Token == "" {
+		return fmt.Errorf("no token provided")
+	}
+	if !strings.HasPrefix(ctx.Cli.Ecs.BearerToken.Token, "Bearer ") {
+		return fmt.Errorf("token should start with 'Bearer '")
+	}
+	return ctx.Store.SaveEcsBearerToken(ctx.Cli.Ecs.BearerToken.Token)
+}

docs/remote-ssh.md

@@ -0,0 +1,49 @@
+# Using aws-sso on remote hosts with SSH
+
+This is intended to show how to use your `aws-sso` credentials on a remote/bastion
+host, without requring you to install or configure `aws-sso` on that host, while maintaining
+security.
+
+## Overview
+
+**Note:** Before going any further, this document assumes you have already
+[installed and configured](quickstart.md) aws-sso on your local system.
+If not, do that now. :)
+
+Accessing one or more AWS Identity Center based IAM Roles uses the [ECS Server](ecs-server.md)
+feature and then running the ECS Server locally and using ssh to forward the port to the remote
+host.  Security is provided via a bearer token you configure on each side and all traffic is
+encrypted over ssh.
+
+**Note:** The root user or anyone with [CAP_NET_RAW or CAP_NET_ADMIN](https://man7.org/linux/man-pages/man7/capabilities.7.html)
+will be able to intercept the HTTP traffic on the endpoint and obtain the bearer token
+and/or any IAM Credentials stored in the ECS Server.  As of this time, `aws-sso` does
+not support HTTPS for full end-to-end encryption.
+
+## On your local system
+
+1. Configure a [bearer token](https://datatracker.ietf.org/doc/html/rfc6750#section-2.1)
+for security to prevent unauthorized use of your IAM credentials:
+`aws-sso ecs bearer-token -t 'Bearer <secret>`
+1. Start the ECS Server (preferably in a screen or tmux session):
+`aws-sso ecs run`
+1. Load your selected IAM credentials into the ECS Server:
+`aws-sso ecs load --profile=<aws profile name>`
+1. SSH to the remote system using the [-R flag to forward tcp/4144](https://man.openbsd.org/ssh#R):
+`ssh -R 4144:localhost:4144 <remotehost>`
+
+## On your remote system (once you have logged in as described above)
+
+1. Tell the AWS SDK how to talk to the ECS Server over SSH:
+`export AWS_CONTAINER_CREDENTIALS_FULL_URI=http://localhost:4144/`
+1. Tell the AWS SDK the bearer token secret from the first step on your local system:
+`export AWS_CONTAINER_AUTHORIZATION_TOKEN='Bearer <secret>`
+1. Verify everything works:
+`aws sts get-caller-identity`
+
+**Important:** You must choose a strong secret value for your bearer token secret!  This is
+what prevents anyone else from using your IAM credentials without your permission.  Your bearer
+token should be long and random enough to prevent bruteforce attacks.
+
+See the [ECS Server documentation](ecs-server.md) for more information about the ECS server and
+how to use multiple IAM role credentials simultaneously.

internal/storage/json_store.go

@@ -37,6 +37,7 @@ type JsonStore struct {
 	CreateTokenResponse map[string]CreateTokenResponse `json:"CreateTokenResponse,omitempty"`
 	RoleCredentials     map[string]RoleCredentials     `json:"RoleCredentials,omitempty"`   // ARN = key
 	StaticCredentials   map[string]StaticCredentials   `json:"StaticCredentials,omitempty"` // ARN = key
+	EcsBearerToken      string                         `json:"EcsBearerToken,omitempty"`
 }
 
 // OpenJsonStore opens our insecure JSON storage backend
@@ -48,13 +49,14 @@ func OpenJsonStore(filename string) (*JsonStore, error) {
 		CreateTokenResponse: map[string]CreateTokenResponse{},
 		RoleCredentials:     map[string]RoleCredentials{},
 		StaticCredentials:   map[string]StaticCredentials{},
+		EcsBearerToken:      "",
 	}
 
 	cacheBytes, err := os.ReadFile(filename)
 	if errors.Is(err, fs.ErrNotExist) {
 		return &cache, nil
 	} else if err != nil {
-		return &cache, fmt.Errorf("Unable to open %s: %s", filename, err.Error())
+		return &cache, fmt.Errorf("unable to open %s: %s", filename, err.Error())
 	}
 
 	if len(cacheBytes) > 0 {
@@ -184,3 +186,20 @@ func (jc *JsonStore) ListStaticCredentials() []string {
 	}
 	return ret
 }
+
+// SaveEcsBearerToken stores the token in the json file
+func (jc *JsonStore) SaveEcsBearerToken(token string) error {
+	jc.EcsBearerToken = token
+	return jc.save()
+}
+
+// GetEcsBearerToken retrieves the token from the json file
+func (jc *JsonStore) GetEcsBearerToken() (string, error) {
+	return jc.EcsBearerToken, nil
+}
+
+// DeleteEcsBearerToken deletes the token from the json file
+func (jc *JsonStore) DeleteEcsBearerToken() error {
+	jc.EcsBearerToken = ""
+	return jc.save()
+}

internal/storage/json_store_test.go

@@ -206,3 +206,25 @@ func (s *JsonStoreTestSuite) TestStaticCredentials() {
 	assert.NoError(t, s.json.GetStaticCredentials("arn:aws:iam::123456789012:user/foobar", &cr))
 	assert.Equal(t, cr2, cr)
 }
+
+func (s *JsonStoreTestSuite) TestEcsBearerToken() {
+	t := s.T()
+
+	token, err := s.json.GetEcsBearerToken()
+	assert.NoError(t, err)
+	assert.Empty(t, token)
+
+	err = s.json.SaveEcsBearerToken("not a real token")
+	assert.NoError(t, err)
+
+	token, err = s.json.GetEcsBearerToken()
+	assert.NoError(t, err)
+	assert.Equal(t, "not a real token", token)
+
+	err = s.json.DeleteEcsBearerToken()
+	assert.NoError(t, err)
+
+	token, err = s.json.GetEcsBearerToken()
+	assert.NoError(t, err)
+	assert.Empty(t, token)
+}