AWS/IAM – CLI :- Multi-Factor Authentication

Background

If you secure AWS resources with multi-factor authentication and work from the Command Line Interface, there are a few extra hoops to jump through: the long-term access key on its own is not enough, and it must first be exchanged, together with a code from the MFA device, for temporary session credentials.

Outline

  1. Multi-Factor Device – Review Settings
    • Check MFA Status
      • Is it MFA hardware device or is it Virtual
    • Get Device’s ARN
  2. Get Current Identity
  3. Issue and capture output of "aws sts get-session-token"
  4. Set Environment Variables based on Session Token
  5. Issue and capture results of "aws sts assume-role"
  6. Set Environment Variables based on Assumed Role
  7. Attempt to access resource

Processing

Multi-Factor Device – Review Settings

Outline

  1. Access IAM Console ( Link )
  2. Search for user
    • Enter username
  3. Select sought user
  4. User Summary Screen comes up
  5. Access “Security Credentials” Tab
  6. The “Security Credentials” tab appears
    • Note the following
      • Assigned MFA device
      • Assigned MFA type
        • Virtual in our case

Images

Search for user

IAM.Users.searchUser.20181115.0421PM.PNG

User Summary

IAM.Users.user.Summary.20181115.0423PM.PNG

User – Security Credentials

IAM.Users.user.SecurityCredentials.20181115.0426PM.PNG

Data Set
  1. Assigned MFA device
    • arn:aws:iam::[account-id]:mfa/[username] (Virtual)
      • The ARN is built from the 12-digit AWS account id and the IAM user name; it is the value get-session-token needs as --serial-number
      • Virtual

Get Current Identity

Outline

Code


aws sts get-caller-identity

Output

Output – Image

sts.getCallerIdentity.20181120.0743PM

Output – Textual


>aws sts get-caller-identity
{
"UserId": "AID",
"Account": "22",
"Arn": "arn:aws:iam::22:user/dadeniji"
}

Issue & Capture Output of "sts get-session-token"

Outline

  1. Issue sts get-session-token
  2. Capture output

Code


setlocal

REM How do I use an MFA token to authenticate access to my AWS resources through the AWS CLI?
REM https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/

REM Serial number of the assigned MFA device (hardware or virtual).
REM For a virtual device this is an ARN built from the 12-digit AWS account id
REM and the IAM user name, not from the user's id:
REM   arn:aws:iam::[account-id]:mfa/[username]
set _accountId=11101
set _ARNmfa=arn:aws:iam::%_accountId%:mfa/dadeniji

REM Lifetime of the session credentials. 129600 (36 hours) is the maximum an
REM IAM user may request and 900 (15 minutes) the minimum. Ask for as little as
REM the task needs: a leaked session token stays usable until it expires.
set _durationInSeconds=129600

REM **********************************************************************************
REM Read the one-time code from the device (cellphone etc.). It is only valid for a
REM short window, so prompt for it rather than hard-coding it in the script.
REM **********************************************************************************
set /p _codeFromToken=Enter the code shown on the MFA device: 

rem aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token

aws sts get-session-token --serial-number %_ARNmfa% --duration-seconds %_durationInSeconds% --token-code %_codeFromToken%

endlocal

Output

sts.get-session-token.20181115.0439PM.PNG

Explanation

Please capture the output :-

  1. Credentials
    • AccessKeyId
    • SecretAccessKey
    • SessionToken

Set Session Token – Self

Outline

  1. Set Environment Variables for Self Token

Code


REM Placeholders: paste the AccessKeyId, SecretAccessKey and SessionToken from the get-session-token output
set AWS_ACCESS_KEY_ID=ANTELOPE
set AWS_SECRET_ACCESS_KEY=SAK
set AWS_SESSION_TOKEN=Patti

Assume Role

Outline

  1. aws sts assume-role

Code

Syntax


aws sts assume-role --role-arn=[iam-role-arn] --role-session-name [session-name]

Sample


setlocal

set "_IAMrole=arn:aws:iam::061711:role/housekeeper"
REM The session name is not the role name: it is recorded in CloudTrail and becomes
REM part of the assumed-role ARN, so pick a value that identifies who is assuming.
set "_rolename=housekeeper"

aws sts assume-role --role-arn=%_IAMrole% --role-session-name %_rolename%

endlocal

Output

image_assumeRole.01.20181120.0548PM


Set Session Token – Assumed Role

Outline

  1. Set Environment Variables for Role Token

Code


REM Placeholders: paste the Credentials block from the assume-role output; these replace the session-token values set earlier
set AWS_ACCESS_KEY_ID=ANTELOPE
set AWS_SECRET_ACCESS_KEY=SAK
set AWS_SESSION_TOKEN=Patti

Get Current Identity

Outline

Code


aws sts get-caller-identity

Output

Output – Image

image_getCallerIdentity.AssumeRole.Post.01.brushedup.20181120.0552PM.png

Output – Textual


aws sts get-caller-identity
{
"UserId": "AID",
"Account": "22",
"Arn": "arn:aws:sts::22:assumed-role/dba"
}

The assumed-role ARN normally ends in the role session name, arn:aws:sts::[account-id]:assumed-role/[role-name]/[session-name]; the captured output above is redacted.

Access Resource

Outline

  1. Access Resource
    • Access S3 bucket
    • Access RDS DB Resource

Sample

Sample – S3 Bucket

Code
aws s3 ls --profile savanna

Note :- an explicit --profile selects that profile's stored credentials, and the CLI then ignores the AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN variables set above. To run the command with the assumed-role session credentials from the environment, leave --profile off.

Output

request.S3.20181115.0452PM.PNG
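The get-session-token / set-variables round trip above, done by a script instead of by hand. This is an added example, not code from the original post or from AWS: it never calls STS, it only consumes the JSON that "aws sts get-session-token" (or "aws sts assume-role") prints, emits the three "set" lines, and stores the temporary credentials under their own profile so the long-term key is left alone. The STS response, the key values and the "mfa" profile name are constructed placeholders; the 900..129600 second range is the documented --duration-seconds range for an IAM user calling GetSessionToken.

```python
"""Consume the JSON printed by `aws sts get-session-token` (or `aws sts assume-role`).

Added example, not part of the original post. Nothing here talks to AWS: the
response text is a constructed sample and the key values are placeholders.
"""
import configparser
import json
import os
import tempfile
from datetime import datetime, timezone

# Documented --duration-seconds bounds for GetSessionToken by an IAM user:
# 15 minutes to 36 hours. The post asks for the maximum; a shorter session
# limits how long a leaked token stays useful.
MIN_DURATION = 900
MAX_DURATION = 129600

# Constructed sample of what the CLI prints (a real SessionToken is much longer).
SAMPLE_RESPONSE = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "SessionToken": "FwoGZXIvYXdzEXAMPLESESSIONTOKEN==",
        "Expiration": "2018-11-17T04:39:00Z",
    }
})
SAMPLE_NOW = datetime(2018, 11, 15, 16, 39, tzinfo=timezone.utc)   # 36 h before expiry


def duration_ok(seconds):
    """True when the value can be passed as --duration-seconds."""
    return MIN_DURATION <= seconds <= MAX_DURATION


def credentials_from_sts(response_text):
    """Pick the three credential values (and the expiry) out of the CLI's JSON."""
    creds = json.loads(response_text)["Credentials"]
    expiry = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "expiration": expiry,
    }


def seconds_remaining(creds, now=None):
    """Seconds until the temporary credentials stop working; negative once expired."""
    now = now or datetime.now(timezone.utc)
    return int((creds["expiration"] - now).total_seconds())


def cmd_set_lines(creds):
    """The three `set` lines the post types by hand (Windows cmd syntax)."""
    return [
        f"set AWS_ACCESS_KEY_ID={creds['aws_access_key_id']}",
        f"set AWS_SECRET_ACCESS_KEY={creds['aws_secret_access_key']}",
        f"set AWS_SESSION_TOKEN={creds['aws_session_token']}",
    ]


def write_profile(credentials_path, profile, creds):
    """Store the temporary credentials under their own profile so that the
    long-term key in [default] is not overwritten; returns the profile's keys."""
    ini = configparser.ConfigParser(interpolation=None)   # keys may contain '%'
    ini.read(credentials_path)                            # tolerates a missing file
    ini[profile] = {
        "aws_access_key_id": creds["aws_access_key_id"],
        "aws_secret_access_key": creds["aws_secret_access_key"],
        "aws_session_token": creds["aws_session_token"],
    }
    with open(credentials_path, "w") as fh:
        ini.write(fh)
    return dict(ini[profile])


if __name__ == "__main__":
    creds = credentials_from_sts(SAMPLE_RESPONSE)
    print("\n".join(cmd_set_lines(creds)))
    print("valid for", seconds_remaining(creds, SAMPLE_NOW), "seconds")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "credentials")
        write_profile(path, "mfa", creds)
        print(open(path).read())
```

Whether the values land in environment variables or in a profile, they are plaintext on the machine for as long as the session lasts, which is the reason to keep --duration-seconds short rather than at the 36-hour maximum.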


References

  1. Amazon
    • AWS
      • CLI
        • MFA
          • How do I use an MFA token to authenticate access to my AWS resources through the AWS CLI?
            Link
      • Directory Services
        • To establish a trust relationship for an existing role to AWS Directory Service
          Link
      • Granting a User Permissions to Switch Roles ( id_roles_use_permissions-to-switch )
        Link

AWS – Identity and Access Management ( IAM ) – Switching Roles

Background

To better secure the system, it is best not to grant sensitive permissions directly to user accounts, but only to roles.  Users are then granted permission to assume those roles.

To perform a sensitive action, a user switches to the provisioned role, performs the action, and reverts to their own user account.  Because role credentials are temporary, the elevated permissions are only held for the length of the session.

Administrative Function

The system administrator will have to do the following :-

  1. Role
    • Create
      • Create Role
  2. Permissions
    • Grant
      • Attach the permissions ( policies ) the role needs
  3. Relationship
    • Trust Relationship
      • The role's trust policy must name the principal ( the user, or the user's account ) to allow itself to be assumed
    • Assume Role
      • Grant principals permission to assume the role
      • The source profile's user must have permission to call sts:AssumeRole against the role
      • A role has no "members"; the trust policy together with this permission is what stands in for membership

Sample Policies

AWS ( AWS Documentation » AWS Command Line Interface » User Guide » Configuring the AWS CLI » Assuming a Role ) has a good write-up here.

Role – Trust Relationship with User

sts.AssumeRole.20181110.0242PM

User – Permission to Assume Role

sts.AssumeRole.iamUserPermission.20181110.0249PM.PNG

GUI

Outline

  1. Access Switch Role ( Link )
  2. Enter Role’s Information
    • account_id_number–The 12-digit account identifier provided to you by your administrator.
    • role_name–The name of the role that you want to assume.
    • (Optional) text_to_display–The text that you want to appear on the navigation bar in place of your user name when this role is active.
    • Click on the “Switch Role” button
  3. Perform the activities that need the elevated permissions
  4. Revert from role to self

Images

Switch Role

role.SwitchRole.20181110.0452PM

Switched Role

role.Switched.20181110.0451PM.PNG

Command Line Interface ( CLI )

Client Preparation

Let us go over what it takes to prepare a client

Outline

  1. Configure Client’s Credential
  2. Configure Role via Profile Registration

Configure Client’s Credential

Upon installing AWS's Command Line Interface, one needs to register one's credentials.

This is done by launching a terminal or command console and issuing the "aws configure" command.

Validate

Please validate whether you have already done so.

One pathway is to look for the credentials file.

Its location is OS specific:

  1. Windows
    • Syntax :- C:\Users\[username]\.aws\credentials
    • Sample :- C:\Users\dadeniji\.aws\credentials
  2. Linux / macOS
    • Syntax :- ~/.aws/credentials
Syntax

aws configure

Steps

Please fill out the details such as :-

  1. AWS Access Key ID
  2. AWS Secret Access Key
  3. Default Region Name
  4. Default output format
Output

aws.configuration.20181109.1117AM.cleanedup.PNG

Effect

Once done the entries are saved in the credentials file.

  1. OS
    • Windows
      • Syntax :- C:\Users\[username]\.aws\credentials
      • Sample :- C:\Users\dadeniji\.aws\credentials

Configure Role via Profile Registration

Next create \ edit the config file ( a separate file from the credentials file ).

File Location

Its location is OS specific:

  1. Windows
    • Syntax :- C:\Users\[username]\.aws\config
    • Sample :- C:\Users\dadeniji\.aws\config
  2. Linux / macOS
    • Syntax :- ~/.aws/config
Nomenclature
  1. account_id_number
    • The 12-digit account identifier provided to you by your administrator
  2. role_name
    • The name of the role that you want to assume. You can get this from the end of the role's ARN.
      • If the ARN is arn:aws:iam::403299380220:role/TestRole
        • The role's name is TestRole
          • The role has no path ( its path is / )
      • If the ARN is arn:aws:iam::403299380220:role/restaurant/TestRole
        • The role's name is still TestRole; /restaurant/ is the role's path
          • The profile's role_arn ( and --role-arn on the command line ) take the full ARN, path included
Syntax
[default]

[profile dba]
role_arn = arn:aws:iam::[account-id]:role/[role-name]
source_profile = default
region = [region]

Sample
[default]

[profile dba]
role_arn = arn:aws:iam::0611271771:role/dba
source_profile = default
region = us-west-2
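Deriving the profile stanza from the role ARN, as an added example that is not the post's or AWS's code. It splits a role ARN into partition, account, path and name, which is where the nomenclature above bites: for arn:aws:iam::403299380220:role/restaurant/TestRole the role's name is TestRole and /restaurant/ is its path. The account id is the page's 12-digit sample (the post's shorter ids are redacted). The optional mfa_serial key is a real AWS CLI config setting for assume-role profiles: with it the CLI prompts for the MFA code and fetches the session token itself, so the manual get-session-token step of the first post is no longer needed.

```python
"""Build the [profile ...] stanza the AWS CLI needs to assume a role.

Added example, not part of the original post. The ARNs below are constructed
(real account ids are 12 digits; the post's shorter ones are redacted).
"""
import re

# arn:<partition>:iam::<account>:role<path><name>; the path always starts and
# ends with "/" and is just "/" when the role has none.
ROLE_ARN = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):iam::(?P<account>\d{12}):role"
    r"(?P<path>/(?:[^/]+/)*)(?P<name>[^/]+)$"
)


def parse_role_arn(arn):
    """Split a role ARN into its parts; raises ValueError on anything else."""
    match = ROLE_ARN.match(arn)
    if not match:
        raise ValueError(f"not an IAM role ARN: {arn!r}")
    return match.groupdict()


def role_profile(profile, role_arn, source_profile="default", region=None, mfa_serial=None):
    """Render the config-file stanza for an assume-role profile.

    source_profile names the profile holding the long-term key; mfa_serial
    (optional) makes the CLI prompt for the device code before assuming."""
    parse_role_arn(role_arn)                 # fail early on a malformed ARN
    lines = [f"[profile {profile}]",
             f"role_arn = {role_arn}",
             f"source_profile = {source_profile}"]
    if region:
        lines.append(f"region = {region}")
    if mfa_serial:
        lines.append(f"mfa_serial = {mfa_serial}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for arn in ("arn:aws:iam::403299380220:role/TestRole",
                "arn:aws:iam::403299380220:role/restaurant/TestRole"):
        print(parse_role_arn(arn))
    print(role_profile("dba", "arn:aws:iam::403299380220:role/dba", region="us-west-2",
                       mfa_serial="arn:aws:iam::403299380220:mfa/dadeniji"))
```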

Request

Let us request role processing

Outline

  1. Interactively
  2. Ongoing

Interactive

Overview

We are able to request role switching on each command that needs the designated privileges.

Sample Requests
  1. List IAM Users
    • aws iam list-users --profile adminMarketing
  2. List RDS Instances
    • aws rds describe-db-instances --profile adminMarketing
Actual Request ( as current user )

aws s3 ls

Textual

An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied

Image

withSwitchRoleRequestedInteractively.20181110.0400PM

Actual Request – Assume Role

aws s3 ls --profile dba

Textual

An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied

Image

withSwitchRoleRequestedInteractively.20181110.0400PM

Textual

Unable to assume role.

Actual Request – Assume Role in debug mode

aws s3 ls --profile dba --debug

Textual

    return self._get_cached_credentials()
  File "C:\Program Files\Amazon\AWSCLI\runtime\lib\site-packages\botocore\credentials.py", line 576, in _get_cached_credentials
    response = self._get_credentials()
  File "C:\Program Files\Amazon\AWSCLI\runtime\lib\site-packages\botocore\credentials.py", line 698, in _get_credentials
    return client.assume_role(**kwargs)
  File "C:\Program Files\Amazon\AWSCLI\runtime\lib\site-packages\botocore\client.py", line 320, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "C:\Program Files\Amazon\AWSCLI\runtime\lib\site-packages\botocore\client.py", line 623, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied
2018-11-10 14:31:35,342 - MainThread - awscli.clidriver - DEBUG - Exiting with rc 255

An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied
Image

withSwitchRoleRequestedInteractivelyInDebugMode.20181110.0443PM

Explanation
  1. Stack Trace that shows the functions called
  2. Return Code ( rc ) is 255

Summary

We will have to work with our AWS administrators and review the permissions we have on the role.

I need to have the ability to assume the role.

Again, the specific areas that need scrutiny are:

  1. The role's trust policy must allow the source profile's principal to assume it
  2. And, each of us must have permission to call sts:AssumeRole against the role
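The two conditions listed under "Administrative Function" and repeated in the summary above, checked in code. This is an added example, not code from the post or from AWS, and it is deliberately a subset of IAM's evaluation logic: it looks only at Effect, Action, Principal and Resource, so a trust policy with a Condition (for instance one requiring MFA) is not modelled. The policies, ARNs and account id are constructed. One point worth knowing when reading trust policies: naming the account root as the Principal only delegates the decision to the user's identity policy, while naming the user's own ARN grants the assume on its own.

```python
"""Can this user assume that role? A minimal model of the two checks IAM makes.

Added example, not code from the original post. It covers Effect, Action,
Principal and Resource only (Conditions such as an MFA requirement are not
modelled). All policies, ARNs and account ids below are constructed.
"""
from fnmatch import fnmatchcase

ASSUME_ROLE = "sts:assumerole"          # action names are case-insensitive


def _as_list(value):
    """IAM lets most policy elements be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _names_assume_role(statement):
    """Does the statement's Action cover sts:AssumeRole (wildcards such as sts:* included)?"""
    return any(fnmatchcase(ASSUME_ROLE, action.lower())
               for action in _as_list(statement.get("Action", [])))


def _principal_kind(statement, caller_arn, account_id):
    """How the statement's Principal reaches the caller: "user", "account" or None."""
    principal = statement.get("Principal", {})
    entries = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    root = f"arn:aws:iam::{account_id}:root"
    kind = None
    for entry in entries:
        if entry in ("*", caller_arn):
            return "user"
        if entry in (root, account_id):
            kind = "account"
    return kind


def trust_policy_check(trust_policy, caller_arn, account_id):
    """Condition 1, on the role. Returns "denied", "user", "account" or None.

    Naming the user ARN grants the assume by itself; naming the account root
    only delegates the decision to the caller's identity policy."""
    outcome = None
    for statement in _as_list(trust_policy.get("Statement", [])):
        if not _names_assume_role(statement):
            continue
        kind = _principal_kind(statement, caller_arn, account_id)
        if kind is None:
            continue
        if statement.get("Effect") == "Deny":
            return "denied"                      # an explicit Deny always wins
        if outcome != "user":
            outcome = kind
    return outcome


def identity_policy_check(identity_policy, role_arn):
    """Condition 2, on the user: an Allow for sts:AssumeRole whose Resource
    covers the role ARN, with no explicit Deny covering it."""
    allowed = False
    for statement in _as_list(identity_policy.get("Statement", [])):
        if not _names_assume_role(statement):
            continue
        if not any(fnmatchcase(role_arn, pattern)
                   for pattern in _as_list(statement.get("Resource", []))):
            continue
        if statement.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def can_assume(caller_arn, role_arn, trust_policy, identity_policy):
    """Both conditions together; the reason says which one failed."""
    account_id = role_arn.split(":")[4]          # arn:aws:iam::<account>:role/...
    trust = trust_policy_check(trust_policy, caller_arn, account_id)
    if trust is None:
        return False, "the role's trust policy does not name the caller"
    if trust == "denied":
        return False, "the role's trust policy explicitly denies the caller"
    if trust == "user":
        return True, "the trust policy names the user directly"
    if identity_policy_check(identity_policy, role_arn):
        return True, "the trust policy names the account and the user may call sts:AssumeRole"
    return False, "the user lacks sts:AssumeRole on the role (AccessDenied on AssumeRole)"


# Constructed sample: the usual same-account setup from the post's sample policies.
USER = "arn:aws:iam::123456789012:user/dadeniji"
ROLE = "arn:aws:iam::123456789012:role/dba"
TRUST_ACCOUNT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "sts:AssumeRole"}]}
TRUST_USER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": USER}, "Action": "sts:AssumeRole"}]}
GRANT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::123456789012:role/*"}]}
NO_GRANT = {"Version": "2012-10-17", "Statement": []}

if __name__ == "__main__":
    for label, trust, ident in (("root + grant", TRUST_ACCOUNT, GRANT),
                                ("root, no grant", TRUST_ACCOUNT, NO_GRANT),
                                ("user named", TRUST_USER, NO_GRANT)):
        print(f"{label:15} -> {can_assume(USER, ROLE, trust, ident)}")
```

The "root, no grant" case is the one the debug run above shows: the trust policy is fine, but without sts:AssumeRole in the user's own policy the CLI gets AccessDenied on AssumeRole before it ever reaches S3.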


AWS/CLI – AWS Identity and Access Management (IAM) – Basic Commands


What is ” Identity and Access Management (IAM)” ?

AWS Identity and Access Management (IAM) is a web service that you can use to manage users and user permissions under your AWS account.

Commands

Full

The current list of all IAM Commands is available here.

Covered

Here are the ones we will cover :-

Command                     | Explanation                                                                                                                                                    | Link
----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|-----
get-account-password-policy | Retrieves the password policy for the AWS account.                                                                                                             | Link
get-group                   | Returns a list of IAM users that are in the specified IAM group.                                                                                               | Link
get-role                    | Retrieves information about the specified role, including the role's path, GUID, ARN, and the role's trust policy that grants permission to assume the role.   | Link
get-user                    | Retrieves information about the specified IAM user, including the user's creation date, path, unique ID, and ARN. If you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID used to sign the request to this API. | Link
list-groups                 | Lists the IAM groups that have the specified path prefix.                                                                                                      | Link
list-groups-for-user        | Lists the IAM groups that the specified IAM user belongs to.                                                                                                   | Link
list-group-policies         | Lists the names of the inline policies that are embedded in the specified IAM group.                                                                           | Link
list-roles                  | Lists the IAM roles that have the specified path prefix.                                                                                                       | Link
list-users                  | Lists the IAM users that have the specified path prefix. If no path prefix is specified, the operation returns all users in the AWS account. If there are none, the operation returns an empty list. | Link

get-account-password-policy


Syntax

aws iam get-account-password-policy

Sample

aws iam get-account-password-policy

Output

get-account-password-policy.20181109.0726PM

Explanation

  1. Policy
    • MinimumPasswordLength :- 8
    • RequireSymbols :- true
    • RequireNumbers :- true
    • RequireUppercaseCharacters :- true
    • RequireLowercaseCharacters :- true
    • ExpirePasswords :- true
    • MaxPasswordAge :- 180
      • Passwords must be changed every 180 days ( about six months )
    • PasswordReusePrevention :- 6
      • Specifies the number of previous passwords that IAM users are prevented from reusing.
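Reading the policy values above against a baseline, as an added example that is not the post's code. It consumes the JSON that "aws iam get-account-password-policy" prints; the sample is the policy the post's output shows, and the thresholds are this example's own baseline, chosen to match the values the CIS AWS Foundations Benchmark has used (minimum length 14, 24 remembered passwords, 90-day maximum age). An account with no policy at all makes the CLI fail with NoSuchEntity instead of printing JSON; the function treats empty input as that case.

```python
"""Assess an account password policy against a baseline.

Added example, not part of the original post. SAMPLE_RESPONSE is the policy
the post's output shows, rebuilt as the JSON the CLI prints; the BASELINE
values are this example's own (they follow the CIS AWS Foundations Benchmark).
"""
import json

BASELINE = {
    "MinimumPasswordLength": 14,
    "MaxPasswordAge": 90,            # days
    "PasswordReusePrevention": 24,   # previous passwords remembered
}
REQUIRED_FLAGS = ("RequireSymbols", "RequireNumbers",
                  "RequireUppercaseCharacters", "RequireLowercaseCharacters")

SAMPLE_RESPONSE = json.dumps({"PasswordPolicy": {
    "MinimumPasswordLength": 8,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 180,
    "PasswordReusePrevention": 6,
}})


def check_password_policy(response_text):
    """Return a list of findings; an empty list means the policy meets the baseline.

    An empty response stands for the NoSuchEntity error the CLI prints when the
    account has never had a policy set (the AWS defaults then apply)."""
    policy = json.loads(response_text).get("PasswordPolicy") if response_text.strip() else None
    if policy is None:
        return ["no account password policy is set; the AWS defaults apply"]
    findings = []
    length = policy.get("MinimumPasswordLength", 0)
    if length < BASELINE["MinimumPasswordLength"]:
        findings.append(f"MinimumPasswordLength is {length}, baseline is {BASELINE['MinimumPasswordLength']}")
    for flag in REQUIRED_FLAGS:
        if not policy.get(flag, False):
            findings.append(f"{flag} is not enforced")
    if not policy.get("ExpirePasswords", False):
        findings.append("passwords never expire")
    elif policy.get("MaxPasswordAge", 0) > BASELINE["MaxPasswordAge"]:
        findings.append(f"MaxPasswordAge is {policy['MaxPasswordAge']} days, baseline is {BASELINE['MaxPasswordAge']}")
    reuse = policy.get("PasswordReusePrevention", 0)
    if reuse < BASELINE["PasswordReusePrevention"]:
        findings.append(f"PasswordReusePrevention is {reuse}, baseline is {BASELINE['PasswordReusePrevention']}")
    return findings


if __name__ == "__main__":
    for finding in check_password_policy(SAMPLE_RESPONSE):
        print("-", finding)
```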

get-group


Syntax

aws iam get-group --group-name [group-name]

Sample

aws iam get-group --group-name dba

Output

get-group.20181109.0739PM

Explanation

  1. Group Members are listed
  2. Group’s full path, Group Name, Group ID, and Arn

get-role


Syntax

aws iam get-role --role-name [role-name]

Sample

aws iam get-role --role-name prod

Output

Output – Image

get-role.20181120.0405PM

Output – Textual


An error occurred (AccessDenied) when calling the GetRole operation: User: arn:aws:iam::229191711:user/dadeniji is not authorized to perform: iam:GetRole on resource: role prod

Explanation

  1. Would retrieve information about the specified role ( path, GUID, ARN, and the trust policy that grants permission to assume it ); here the request is denied because the calling user lacks the iam:GetRole permission on role prod

get-user


get-user ( Self )

Syntax

aws iam get-user

Sample

aws iam get-user

Output

Output – Image

get-user.20181110.0713PM.PNG

Output – Textual

An error occurred (AccessDenied) when calling the GetUser operation: User: arn:aws:iam::2291711919:user/dadeniji is not authorized to perform: iam:GetUser on resource: user dadeniji

get-user ( Specified User )

Syntax

aws iam get-user --user-name [username]

Sample

aws iam get-user --user-name dadeniji

Output

Output – Image

get-user.20181120.0211PM.PNG

Output – Textual

An error occurred (AccessDenied) when calling the GetUser operation: User: arn:aws:iam::2291711919:user/dadeniji is not authorized to perform: iam:GetUser on resource: user dadeniji

Explanation

  1. Lists the user's information ( creation date, path, unique ID, ARN ); here denied for lack of iam:GetUser, both for the implicit self lookup and for the named user

list-groups


Syntax

aws iam list-groups

Sample

aws iam list-groups

Output

list-groups.20181110.0744AM.PNG

Explanation

  1. List groups

list-groups-for-user


Syntax

aws iam list-groups-for-user --user-name [username]

Sample

aws iam list-groups-for-user --user-name dadeniji

Output

list-groups-for-users.20181110.0719AM.PNG

Explanation

  1. List User’s Group

list-group-policies


Syntax

aws iam list-group-policies --group-name [group-name]

Sample

aws iam list-group-policies --group-name dba

Output

list-group-policies.20181109.0749PM.PNG

Explanation

  1. List policies granted to the specified group

list-roles


Syntax

aws iam list-roles [--path-prefix [path-prefix]]

Sample

aws iam list-roles --path-prefix /aws

Output

Output – Textual


An error occurred (AccessDenied) when calling the ListRoles operation: User: arn:aws:iam::22:user/awsauth/dadeniji is not authorized to perform: iam:ListRoles on resource: arn:aws:iam::22:role/aws/

Output – Image

list-roles.20181110.1152AM.PNG

Explanation

  1. Permission denied
    • In our case we do not have permissions to list roles

list-users


Syntax

aws iam list-users

Sample

aws iam list-users

Output

list-users.20181110.0729AM.PNG

Explanation

  1. List Users
    • Path
    • UserName
    • UserId
    • Arn
    • CreateDate
    • PasswordLastUsed

AWS / Identity Access Management ( IAM ) – List user’s roles

Background

Having problems switching roles.

Let us review the list of roles that my principal has access to.

Command Line Interface ( CLI )

Command

Syntax

aws iam list-roles

Sample

aws iam list-roles

Output

Output – Unable to locate credentials

Text


Unable to locate credentials. You can configure credentials by running "aws configure".

Image

aws.iam.listRoles.20181109.1114AM.PNG

Explanation

No credentials are registered on the current computer yet.

Register them by issuing "aws configure" :-

aws.configuration.20181109.1117AM.cleanedup.PNG


Output – An error occurred (AccessDenied) when calling the ListRoles operation

Text


An error occurred (AccessDenied) when calling the ListRoles operation: User: arn:aws:iam::[x1]:user/awsauth/dadeniji is not authorized to perform: iam:ListRoles on resource: arn:aws:iam::x1:role/

Image

aws.iam.listRoles.20181109.1118AM.PNG

Explanation

Insufficient permissions to list roles.

Browser

Please launch a web browser and access the URL https://console.aws.amazon.com/iam/home#/roles.

aws.roles.browser.20181109.1140AM.PNG


Summary

Need to work with our Administrators and make sure that I have sufficient permissions to list our roles.
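Turning the AccessDenied messages seen on this page into the permission request to hand to the administrators, as an added example that is not the post's code. It parses the CLI's error line for the principal, the action and the resource, and groups the results into one Allow statement per resource. Two caveats the code carries as comments: the older "role prod" / "user dadeniji" resource form is rebuilt into an ARN on the assumption that the entity has no path, and the IAM List* actions named in the table are not resource-scoped in the IAM service authorization reference, so they are granted on "*" rather than on the path ARN the message reports. The sample lines are the ones captured on this page, account ids redacted as they appear there; the bare "Access denied" that AssumeRole returns carries no detail and is reported as such.

```python
"""From AccessDenied messages to the policy statement that would have allowed them.

Added example, not part of the original post. The sample lines are the ones
captured on this page (account ids redacted as they appear there).
"""
import json
import re

DENIED = re.compile(
    r"An error occurred \(AccessDenied\) when calling the (?P<operation>\w+) operation: "
    r"User: (?P<principal>arn:\S+) is not authorized to perform: (?P<action>[\w-]+:[\w*]+) "
    r"on resource: (?P<resource>.+?)\s*$"
)

# These IAM actions take no resource-level restriction: a policy must grant
# them on "*", whatever ARN the error message reports. Assumption for any
# action not listed here: it does support the reported resource.
NO_RESOURCE_LEVEL = {"iam:ListRoles", "iam:ListUsers", "iam:ListGroups"}

SAMPLE_LINES = [
    "An error occurred (AccessDenied) when calling the GetRole operation: User: arn:aws:iam::229191711:user/dadeniji is not authorized to perform: iam:GetRole on resource: role prod",
    "An error occurred (AccessDenied) when calling the GetUser operation: User: arn:aws:iam::2291711919:user/dadeniji is not authorized to perform: iam:GetUser on resource: user dadeniji",
    "An error occurred (AccessDenied) when calling the ListRoles operation: User: arn:aws:iam::22:user/awsauth/dadeniji is not authorized to perform: iam:ListRoles on resource: arn:aws:iam::22:role/aws/",
    "An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied",
]


def parse_access_denied(line):
    """Pull operation, principal, action and resource out of one CLI error line.

    Returns None for lines that carry no detail (the bare "Access denied" that
    AssumeRole gives)."""
    match = DENIED.search(line)
    if not match:
        return None
    found = match.groupdict()
    resource = found["resource"]
    if not resource.startswith("arn:"):
        # Older message form "role prod" / "user dadeniji": rebuild the ARN from
        # the caller's account. Assumes the entity sits at the root path "/".
        entity_type, _, name = resource.partition(" ")
        account = found["principal"].split(":")[4]
        resource = f"arn:aws:iam::{account}:{entity_type}/{name}"
    if found["action"] in NO_RESOURCE_LEVEL:
        resource = "*"
    found["resource"] = resource
    return found


def policy_from_denials(lines):
    """One Allow statement per resource, listing every action denied on it."""
    actions_by_resource = {}
    for line in lines:
        found = parse_access_denied(line)
        if found:
            actions_by_resource.setdefault(found["resource"], set()).add(found["action"])
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
        for resource, actions in sorted(actions_by_resource.items())
    ]}


if __name__ == "__main__":
    print(json.dumps(policy_from_denials(SAMPLE_LINES), indent=2))
```

The statements are scoped to the exact resources the messages name, which is the least-privilege request to make; widening "role/prod" to "role/*" is a decision for the administrator, not something to derive from an error string.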


AWS – Access Key & Security Key


Background

As the AWS ecosystem continues to grow, its authentication mechanisms continue to multiply as well.


Our Instance

Unfortunately, various services need various authentication pathways.

For instance, our own implementation requires:

  1. User credentials
    • Multi-factor authentication
  2. IAM roles


Need

Here I am trying to use a tool and it is asking me for the "AWS access key" and "AWS secret key".

app_AccessKey_20180606_0729PM [brushedup].png

 

Process

To review or create a new access key ID and secret access key, please do the following:

Outline

  1. Launch browser
  2. Connect to IAM
    • Generic
      • IAM Home Page
        Link
    • Region
      • Region :- US West
        Link
  3. Click on the Users hyperlink
    • In case, you do not see your users
      • Please make sure that you are in right Region
      • Also make sure that you are not switched into Role
  4. Access the “Security Credentials” tab
  5. Review the listed "Access Keys"
    • In my case there were no access keys listed
  6. Create an access key
    • Click on the "Create access key" button
    • An access key pair is generated
      • Note the Access Key ID and Secret Access Key
      • Download the CSV file which contains the generated key
      • The secret access key is shown only at creation time; keep the CSV out of source control and delete it once the key is stored in the CLI's credentials file or a password manager


Screen Shot

IAM Management Console

Welcome

welcome_20180606_0748PM.png

Users ( Switched to role )

users_role_20180606_1100PM [brushedup].png

Users ( As Self )

users_user_20180607_0914AM.png

Users – [Username] – Security Credentials

SignInCredentials_AccessKeys_20180606_0333PM.png

Create(d) access key

CreateAccessKey_20180606 (brushedup).png


Crediting

Crediting BitTitan …

BitTitan :- How do I get an access key for Amazon S3?
Link