stratus

stratus is a cross-cloud identity broker that allows workloads with an identity issued by one cloud provider to exchange this identity for a workload identity issued by another cloud provider. This enables workloads to cross cloud boundaries without having to rely on application-local static credentials or single-factor access tokens.

stratus effectively extends the cloud provider's IAM API to enable workloads to retrieve short-lived identity tokens from a remote cloud provider using their workload identity in their current provider, without either cloud provider seeing the other's workload identity.

stratus flow

Supported Clouds

AWS

Both AWS IAM Service Accounts (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) and AWS STS sessions (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN) are supported.

When access keys are provided, stratus will validate the ARN identity of the caller.

When session tokens are provided, stratus will validate the assumed-role ARN identity of the caller.

GCP

GCP Service Accounts are supported. When a GCP service account is provided, stratus will validate the service account private key against GCP's public key for the account, and will validate the identity matches the identity of the caller.

K8S

Kubernetes Service Accounts are supported. When a Kubernetes service account is provided, stratus will validate the service account token against the Kubernetes API server. stratus itself must hold a service account token in the cluster to validate the identity of the caller, and the Kubernetes API server must be reachable from the stratus environment.

Identity Mapping Configuration

All configuration is managed through version controlled configuration files in a dedicated stratus-config repo.

An example config block is:

- source:
    id: "[email protected]"
    provider: "gcp"
    region: "us-central1"
  target:
    id: "arn:aws:iam::xxxxxxxx:role/stratus-example"
    provider: "aws"
    region: "us-east-1"

This defines a workload in GCP (source.provider) with the identity source.id and a target workload in AWS (target.provider) with the identity target.id.

Client Usage

Below is an example of a client running in GCP exchanging their service account for an AWS IAM token.

# call stratus, passing in your source provider and credentials, and the target provider and identity
AWS_IDENTITY=$(curl https://stratus/ -d '
{
	"source": {
		"id": "[email protected]",
		"provider": "gcp",
		"region": "us-central1",
		"credentials": {...}
	},
	"target": {
		"id": "arn:aws:iam::xxxxxxxx:role/stratus-example",
		"provider": "aws",
		"region": "us-east-1"
	}
}
')
# export the session token to use in cli / SDK calls. Can also be passed in to SDK credentials.Credentials config.
export AWS_ACCESS_KEY_ID=$(echo "$AWS_IDENTITY" | jq -r ".AccessKeyId")
export AWS_SECRET_ACCESS_KEY=$(echo "$AWS_IDENTITY" | jq -r ".SecretAccessKey")
export AWS_SESSION_TOKEN=$(echo "$AWS_IDENTITY" | jq -r ".SessionToken")

# confirm you now have an AWS session
aws sts get-caller-identity

stratus Request

As seen in the example above, a stratus request contains two objects, source and target. The source object contains the identity of the workload issuing the request, and the target object contains the identity in the remote cloud you would like to assume. This mirrors the YAML config structure above.

The source.credentials field is a map[string]interface{} that contains the credentials from the cloud provider. In GCP, this is the JSON key file.

In AWS, this is the Credentials object returned by AWS when you assume an IAM role:

{
    "AccessKeyId": "string",
    "SecretAccessKey": "string",
    "SessionToken": "string",
    "Expiration": "time.Time"
}

In GCP, this is the ServiceAccount JSON object:

{
    "type": "service_account",
    "project_id": "string",
    "private_key_id": "string",
    "private_key": "string",
    "client_email": "string",
    "client_id": "string",
    "auth_uri": "string",
    "token_uri": "string",
    "auth_provider_x509_cert_url": "string",
    "client_x509_cert_url": "string"
}

In K8S, this is the ServiceAccount JWT token:

{
    "jwt": "string"
}

stratus Response

On a successful identity exchange, stratus replies with an HTTP 200 and a JSON object containing the identity of the remote workload, matching the request object schema above. On any failure, stratus replies with HTTP 401. stratus logs auth errors internally but does not propagate them to the caller, for improved opsec. stratus propagates the request ID back to the client as x-request-id for correlation and tracing.

stratus Privileges

For AWS access, stratus will only ever return a single STS session token from an assumed role. The target AWS IAM role must trust stratus' IAM role for sts:AssumeRole, and the policy attached to stratus' IAM role must allow the sts:AssumeRole action on that target role. For each token, stratus propagates a unique request ID that is associated with the session in AWS IAM and CloudTrail, so the session can be correlated with the originating request in CloudTrail and stratus logs.

GCP's concept of workload identity is still alpha (we are investigating potential integration options); however, GCP has a longstanding standard of x509 public/private key pairs for workloads. Because GCP delivers these keys client-side, stratus stores them in HashiCorp Vault, encrypted at rest and in transit. When a new GCP Service Account is onboarded to stratus, its key must be stored in Vault so that stratus can access it. As keys are held in the central Vault, a key that needs to be rotated can be rotated in Vault and the new key will be propagated to all workloads.

In K8S, stratus requires access to validate tokens against the API server. This means stratus requires a service account in the cluster and a network path to the API server. See docs/k8s for more.

Security Considerations

As an identity broker, stratus has access to all supported clouds, which is required to support the cross-cloud identity exchange. stratus has the ability to assume any supported target identity.

stratus ensures identity security by validating the identity of the caller against the respective cloud provider's identity API directly, and then validating the caller's identity (as returned by the cloud provider) matches a configured identity in the stratus config. This ensures that the caller is the owner of the workload identity as verified by the cloud provider, and that the caller has the right to assume an identity through stratus. Only then will stratus return a valid identity token to the caller. For AWS target identities, stratus will return a short-term (15 minute) session token. For GCP and K8S target identities, stratus will return a Service Account key that will be valid for the life of the key in GCP or K8S. When the key is rotated in the provider and Vault, the updated key will be propagated to the caller on the next token exchange.
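The exchange path described in the Identity Mapping Configuration, stratus Request/Response and Security Considerations sections, as an added Go example that is not stratus's own code: it decodes the request body shown under Client Usage, asks an injected verifier for the identity the source provider attests to, keys the authorization decision on that attested identity (not on the source.id the caller claimed), requires an exact source/target match in the mapping list, and answers with either the issued credential or an empty HTTP 401 while logging the reason under x-request-id. The Verify and Issue functions, the SOURCE_SA@PROJECT.iam.gserviceaccount.com placeholder id, the "good-token" credential and the returned credential values are all constructed stand-ins for this example; the real broker calls the provider identity APIs and sts:AssumeRole at those two points.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"log"
	"net/http"
)

// Identity is the (provider, id, region) triple used on both sides of an exchange.
type Identity struct {
	ID       string `json:"id"`
	Provider string `json:"provider"`
	Region   string `json:"region"`
}

type Mapping struct{ Source, Target Identity } // one source/target entry of the stratus-config list

// Request mirrors the Client Usage JSON body; Credentials is the opaque, provider-specific map.
type Request struct {
	Source struct {
		Identity
		Credentials map[string]interface{} `json:"credentials"`
	} `json:"source"`
	Target Identity `json:"target"`
}

// Authorize is the policy check: the identity the provider attested (not the source.id the
// caller claimed) must be a configured source, and the target must match it exactly.
func Authorize(attested, target Identity, cfg []Mapping) error {
	for _, m := range cfg {
		if m.Source == attested && m.Target == target {
			return nil
		}
	}
	return errors.New("no mapping for attested source and requested target")
}

// Handler holds the config plus the two provider-facing steps, injected as functions.
type Handler struct {
	Cfg    []Mapping
	Verify func(creds map[string]interface{}) (Identity, error)               // real broker: STS / GCP / kube API
	Issue  func(target Identity, requestID string) (map[string]string, error) // real broker: sts:AssumeRole
}

// Exchange runs verify -> authorize -> issue; the error text is for the server log only.
func (h Handler) Exchange(req Request, reqID string) (map[string]string, error) {
	attested, err := h.Verify(req.Source.Credentials)
	if err != nil {
		return nil, errors.New("provider rejected credentials: " + err.Error())
	}
	if err := Authorize(attested, req.Target, h.Cfg); err != nil {
		return nil, err
	}
	return h.Issue(req.Target, reqID)
}

// ServeHTTP echoes (or mints) x-request-id, then answers 200 with the credential or an empty 401.
func (h Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	reqID := r.Header.Get("x-request-id")
	if reqID == "" {
		b := make([]byte, 8)
		rand.Read(b)
		reqID = hex.EncodeToString(b)
	}
	w.Header().Set("x-request-id", reqID)
	var req Request
	err := json.NewDecoder(r.Body).Decode(&req)
	var creds map[string]string
	if err == nil {
		creds, err = h.Exchange(req, reqID)
	}
	if err != nil {
		log.Printf("request=%s denied: %v", reqID, err) // reason stays server-side
		w.WriteHeader(http.StatusUnauthorized)          // deliberately opaque to the caller
		return
	}
	json.NewEncoder(w).Encode(creds)
}

// DemoHandler wires a constructed config, verifier and issuer; the source id is a placeholder.
func DemoHandler() Handler {
	src := Identity{ID: "SOURCE_SA@PROJECT.iam.gserviceaccount.com", Provider: "gcp", Region: "us-central1"}
	tgt := Identity{ID: "arn:aws:iam::xxxxxxxx:role/stratus-example", Provider: "aws", Region: "us-east-1"}
	return Handler{
		Cfg: []Mapping{{Source: src, Target: tgt}},
		Verify: func(c map[string]interface{}) (Identity, error) {
			if tok, _ := c["token"].(string); tok == "good-token" { // "good-token" is constructed
				return src, nil
			}
			return Identity{}, errors.New("unknown token")
		},
		Issue: func(t Identity, reqID string) (map[string]string, error) { // stand-in for sts:AssumeRole
			return map[string]string{"AccessKeyId": "EXAMPLE", "SessionToken": "session-" + reqID}, nil
		},
	}
}
```

To run it as a server, add a main that calls http.ListenAndServe with DemoHandler(); to exercise the policy alone, call Exchange directly. A target that differs from the configured mapping in any one of provider, id or region is refused, and a refused caller learns nothing beyond the 401 and its x-request-id, which is the behaviour the stratus Response section describes.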

Owner
robert lestak
cloud architect. automate everything.