aws credential solution by Golang

goCred

Aws credential solution by Golang (Works on Linux, Arm, and Windows)

v0.3

  • Detection of unauthorized access
    • Locks access in case of repeated unauthorized access.
  • Added the ability to specify which IPs can connect
    • Allow by IP address
  • SALT can now be used as a token
    • Handling credentials more securely with SALT

Solution

Is your team managing AWS credentials properly?
Are you issuing credentials with strong permissions and then using them indefinitely because renewal is a hassle? Are you treating credentials the way you treat old passwords?

This tool gives development users strong privileges without creating any long-lived credentials.

Feature

This is a solution that automatically renews the credentials obtained in AWS CloudShell at each expiration, relaying them through a proxy server.

In CloudShell, credentials carrying the privileges of the signed-in account can be obtained as follows.

curl -H "Authorization: $AWS_CONTAINER_AUTHORIZATION_TOKEN" "$AWS_CONTAINER_CREDENTIALS_FULL_URI"

This tool runs a proxy and delivers those same credentials to the client. The benefits are as follows:

  • No need to create long-lived credentials with strong permissions.
  • No more incidents caused by forgetting to rotate credentials that were created.
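The same request in Go, as an added example that is not goCred's own code: it reads the two AWS_CONTAINER_* variables, sends the Authorization header exactly as the curl command does, decodes the credential document, and decides whether it is time to fetch again. The function names (FetchContainerCredentials, NeedsRenewal) and the renewal margin are this example's assumptions; the JSON field names are the ones the container credential endpoint returns.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"os"
	"time"
)

// ContainerCredentials is the JSON document the container credential
// endpoint returns; the field names are the ones the AWS SDKs parse.
type ContainerCredentials struct {
	AccessKeyID     string    `json:"AccessKeyId"`
	SecretAccessKey string    `json:"SecretAccessKey"`
	Token           string    `json:"Token"`
	Expiration      time.Time `json:"Expiration"`
}

// FetchContainerCredentials does in Go what the curl command above does:
// GET the full URI with the authorization token in the Authorization
// header, then check the status and decode the body.
func FetchContainerCredentials(client *http.Client, uri, authToken string) (*ContainerCredentials, error) {
	req, err := http.NewRequest(http.MethodGet, uri, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", authToken)
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("credential endpoint returned %s", resp.Status)
	}
	var c ContainerCredentials
	if err := json.NewDecoder(resp.Body).Decode(&c); err != nil {
		return nil, fmt.Errorf("decoding credential document: %w", err)
	}
	if c.AccessKeyID == "" || c.SecretAccessKey == "" || c.Token == "" {
		return nil, errors.New("incomplete credential document")
	}
	return &c, nil
}

// NeedsRenewal reports whether the credentials should be fetched again:
// true once "now" is within "margin" of Expiration, so a relay never
// hands out a key that dies before the client can use it.
func NeedsRenewal(c *ContainerCredentials, now time.Time, margin time.Duration) bool {
	return !now.Add(margin).Before(c.Expiration)
}

func main() {
	// Inside CloudShell these two variables are set by the environment.
	uri := os.Getenv("AWS_CONTAINER_CREDENTIALS_FULL_URI")
	tok := os.Getenv("AWS_CONTAINER_AUTHORIZATION_TOKEN")
	if uri == "" || tok == "" {
		fmt.Println("AWS_CONTAINER_* variables not set; not running inside CloudShell")
		return
	}
	c, err := FetchContainerCredentials(http.DefaultClient, uri, tok)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	// Print only the non-secret parts.
	fmt.Printf("AccessKeyId=%s Expiration=%s renew-now=%v\n",
		c.AccessKeyID, c.Expiration.Format(time.RFC3339),
		NeedsRenewal(c, time.Now(), 5*time.Minute))
}
```

Run it inside CloudShell and it prints the key ID and expiration; anywhere else it reports that the variables are missing. The status check matters: the endpoint answers 401 when the Authorization header is wrong, and decoding that body as credentials would otherwise silently yield empty strings.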

Architecture

SSL & AES encrypted Credential by Token
_____________         __________         ___________
|Server mode | ----> |Proxy mode| <---- |Client mode|
-------------         ----------         -----------
|Cloudshell  |       Tokenized Data     SSL & Decrypt by Token
-------------
  1. Server mode

Gets the credentials from AWS CloudShell, encrypts them with the token, and forwards them to the Proxy.

  2. Proxy mode

Stores the encrypted data, indexed by the token.

note) Since the Proxy has to be reachable from both the Server and the Client networks, the credentials are stored only in encrypted form. Even if the stored string is leaked, it cannot be decrypted without the token. The converse also holds: anyone who has the token and can reach the Proxy can obtain the credentials, so treat the token like a password.

  3. Client mode

Decrypts the string retrieved from the Proxy with the token.

When the credentials reach their Expiration, the Server sends the updated credentials to the Proxy and the Client fetches the update too.
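The three roles above in one runnable file, as an added example rather than goCred's own code. The page says only "AES" and "token"; the choices here are assumptions: the AES key is SHA-256 of the shared token, the mode is AES-GCM so a wrong token or a tampered blob fails authentication instead of decrypting to garbage, and the Proxy indexes blobs by a separate hash of the token (tokenID) so it never holds the token or the key. Seal, Open, ProxyStore and Relay are this example's names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"sync"
)

// newGCM builds the AEAD from a key derived from the shared token (an
// assumption: goCred does not document its derivation; SHA-256 of the
// token lets Server and Client agree on the key offline).
func newGCM(token string) (cipher.AEAD, error) {
	key := sha256.Sum256([]byte(token))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// tokenID is the Proxy's lookup key: a labelled hash, so the Proxy holds
// neither the token nor the AES key.
func tokenID(token string) string {
	h := sha256.Sum256([]byte("goCred-example-id:" + token))
	return fmt.Sprintf("%x", h[:8])
}

// Seal is the Server side: AES-GCM with a fresh random nonce prepended,
// so the Client needs nothing but the token to decrypt.
func Seal(token string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(token)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open is the Client side. GCM authenticates, so a wrong token or a blob
// tampered with on the Proxy fails here instead of yielding garbage.
func Open(token string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(token)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// ProxyStore is the Proxy side: it only ever holds ciphertext.
type ProxyStore struct {
	mu   sync.Mutex
	data map[string][]byte
}

func NewProxyStore() *ProxyStore { return &ProxyStore{data: map[string][]byte{}} }

func (p *ProxyStore) Put(id string, sealed []byte) {
	p.mu.Lock()
	defer p.mu.Unlock()
	p.data[id] = sealed
}

func (p *ProxyStore) Get(id string) ([]byte, bool) {
	p.mu.Lock()
	defer p.mu.Unlock()
	v, ok := p.data[id]
	return v, ok
}

// Relay models one update cycle: Server seals and uploads, Client fetches
// and opens. It succeeds only when both sides share the token.
func Relay(store *ProxyStore, serverToken, clientToken string, creds []byte) ([]byte, error) {
	sealed, err := Seal(serverToken, creds)
	if err != nil {
		return nil, err
	}
	store.Put(tokenID(serverToken), sealed)
	blob, ok := store.Get(tokenID(clientToken))
	if !ok {
		return nil, errors.New("no credentials stored for this token")
	}
	return Open(clientToken, blob)
}

func main() {
	creds := []byte(`{"AccessKeyId":"ASIAEXAMPLE","Token":"example"}`) // constructed sample
	out, err := Relay(NewProxyStore(), "test", "test", creds)
	fmt.Printf("client got %s (err=%v)\n", out, err)
}
```

Each call to Seal draws a new nonce, so every update produces a different blob even for identical credentials, and the Proxy's copy never contains the plaintext key ID. TLS between the three processes (the "SSL" in the diagram) is still needed on top of this, since the token itself travels with the Client's request.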

installation

If you want the binary on your PATH, you can use the following.

go get github.com/yasutakatou/goCred

note) With Go 1.17 and later, go get no longer installs binaries; use go install with the @latest version suffix, or build from source as below.

If you want to build the binary and copy it yourself, use the following.

git clone https://github.com/yasutakatou/goCred
cd goCred
go build .

Or download a binary from the release page and copy it to a directory on your execution path.

Usage

note) Prepare a certificate and key file beforehand (for example with mkcert).

  • Access the AWS Management Console and open CloudShell
  • Put the binary on CloudShell, either by uploading it or by downloading it directly:

curl -OL https://github.com/yasutakatou/goCred/releases/download/XXX/goCred_linux_amd64.zip
unzip goCred_linux_amd64.zip
chmod 755 goCred

note) The XXX part should be the latest version.

  • Run the Proxy

note) The Proxy should be launched on a network that is reachable from both the Server and the Client.

  • Run the Server on CloudShell

In CloudShell, launch Server mode pointed at the Proxy, giving the Proxy's IP and port as the argument.

  • Run the Client

On the PC where you want to obtain the credentials, start Client mode pointed at the Proxy.

note) Give the Proxy's IP and port as the argument, as for the Server.

options

Usage of goCred.exe:
  -allow string
        [-allow=Allow IPs (Split ",", Default is allow accept.)]
  -cert string
        [-cert=ssl_certificate file path] (default "localhost.pem")
  -client
        [-client=Client mode (true is enable)]
  -cloudshell string
        [-cloudshell=AWS Cloudshell window title] (default "CloudShell")
  -count int
        [-count=operating interval ] (default 60)
  -debug
        [-debug=debug mode (true is enable)]
  -filterCount int
        [-filterCount=allow connect retrys.] (default 3)
  -key string
        [-key=ssl_certificate_key file path] (default "localhost-key.pem")
  -log
        [-log=logging mode (true is enable)]
  -port string
        [-port=Port Number (Use Proxy mode)] (default "8080")
  -proxy
        [-proxy=Proxy mode (true is enable)]
  -rpa
        [-rpa=CloudShell timeout guard (true is enable)] (default true)
  -salt
        [-salt=salt token mode (true is enable)]
  -server
        [-server=Server mode (true is enable)]
  -token string
        [-token=authentication token (if this value is null, is set random)]
  -try int
        [-try=error and try counter] (default 100)
  -wait int
        [-wait=loop wait Millisecond] (default 250)

-allow string (from v0.3)

Specifies substrings that the connecting IP address must contain in order to be allowed. Note that this is a substring match, not a network (CIDR) match: "172.18." also matches an address such as 10.172.18.5, so choose the strings with care.

$ ./goCred -proxy -port=8080 -allow=172.18.,172.19.,172.20.

A client whose address is not allowed is rejected and exits as follows

Token error: error 192.168.0.1:51240: not allow!

note) You can specify multiple items separated by commas ",".

-cert string

ssl_certificate file path (not needed if you don't use HTTPS)

-client

Client mode: obtains the encrypted credentials from the Proxy and decrypts them with the token.
Give the IP and port of the Proxy server as the argument.

-cloudshell string

The title of the browser window showing CloudShell; that window is operated periodically when rpa is enabled.

-count int

Interval, in seconds, between credential checks.

-debug

debug mode (true is enable)

-filterCount int (from v0.3)

Counts connections that are not allowed or present a wrong token when the "allow" option is enabled.
Once the specified number of failures is exceeded, further connections from that source are blocked.

$ ./goCred -proxy -port=8080 -filterCount=3

A client that exceeds the limit is rejected as follows. Note in the last command that even the correct token is refused once the source is blocked.

$ ./goCred -client -token=wrongToken 192.168.0.1:8080
OS: Linux
Token error: error token invalid
exit status 1
$ ./goCred -client -token=wrongToken 192.168.0.1:8080
OS: Linux
Token error: error 192.168.0.1:51150: over retrys
exit status 1
$ ./goCred -client -token=trueToken 192.168.0.1:8080
OS: Linux
Token error: error 192.168.0.1:51150: over retrys

note) Once blocked, the source stays blocked until the Proxy process is restarted.
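The -allow and -filterCount behaviour together, as an added example that is not goCred's code: a substring allow-list on the peer IP exactly as -allow is described, a per-IP failure counter that blocks the peer for the life of the process, and, as the stricter alternative a practitioner would want, a CIDR allow-list that is not fooled by an address that merely contains the prefix text. The page does not say at which exact count goCred trips, so this example blocks a peer after "limit" failures (an assumption); ConnFilter, Check and AddCIDR are this example's names, and the error strings copy the wording of the output above.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
	"sync"
)

// ConnFilter models the -allow and -filterCount behaviour described above:
// an allow-list matched as substrings of the peer IP, plus a per-peer failure
// counter that blocks the peer for the life of the process once it trips.
// The exact point at which goCred trips the counter is not documented; here a
// peer is blocked after "limit" failures (an assumption).
type ConnFilter struct {
	allow    []string     // substrings, as -allow takes them
	cidrs    []*net.IPNet // stricter alternative: real network ranges
	limit    int
	mu       sync.Mutex
	failures map[string]int
}

func NewConnFilter(allow []string, limit int) *ConnFilter {
	return &ConnFilter{allow: allow, limit: limit, failures: map[string]int{}}
}

// AddCIDR registers a proper network range; unlike the substring list, it
// cannot be fooled by an address that merely contains the prefix text.
func (f *ConnFilter) AddCIDR(cidr string) error {
	_, n, err := net.ParseCIDR(cidr)
	if err != nil {
		return err
	}
	f.cidrs = append(f.cidrs, n)
	return nil
}

func peerIP(remoteAddr string) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return remoteAddr
	}
	return host
}

// allowed applies both lists; an empty list means "allow all", which is
// the documented default for -allow.
func (f *ConnFilter) allowed(ip string) bool {
	bySubstr := len(f.allow) == 0
	for _, s := range f.allow {
		bySubstr = bySubstr || strings.Contains(ip, s)
	}
	byCIDR := len(f.cidrs) == 0
	if parsed := net.ParseIP(ip); parsed != nil {
		for _, n := range f.cidrs {
			byCIDR = byCIDR || n.Contains(parsed)
		}
	}
	return bySubstr && byCIDR
}

// Check is called once per connection with the peer address and whether the
// presented token was valid. It returns nil to accept, or the rejection
// (worded like the messages in the output above).
func (f *ConnFilter) Check(remoteAddr string, tokenOK bool) error {
	ip := peerIP(remoteAddr)
	f.mu.Lock()
	defer f.mu.Unlock()
	if f.failures[ip] >= f.limit {
		return fmt.Errorf("error %s: over retrys", remoteAddr)
	}
	if !f.allowed(ip) {
		f.failures[ip]++
		return fmt.Errorf("error %s: not allow!", remoteAddr)
	}
	if !tokenOK {
		f.failures[ip]++
		return errors.New("error token invalid")
	}
	return nil
}

func main() {
	f := NewConnFilter([]string{"172.18."}, 3)
	fmt.Println("172.18.0.5 ->", f.Check("172.18.0.5:51240", true))
	fmt.Println("10.172.18.5 (substring pitfall) ->", f.Check("10.172.18.5:51240", true))
	g := NewConnFilter(nil, 3)
	_ = g.AddCIDR("172.18.0.0/16")
	fmt.Println("10.172.18.5 with CIDR ->", g.Check("10.172.18.5:51240", true))
}
```

The counter is keyed by IP, not by IP and port, which matches the output above where the blocked client is refused on a new connection (and a new source port) even with the right token. Counting failures against the peer IP also means a shared NAT address locks out every client behind it; that is the trade-off of a restart-only unblock.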

-key string

ssl_certificate_key file path (not needed if you don't use HTTPS)

-log

Enable logging mode (true is enable). As the usage output shows, this is a boolean switch, not a file name.

-port string

Port number to listen on (used in Proxy mode).

-proxy

Start in proxy mode and wait for server mode and client mode to connect.

note) No IP address is needed; the Proxy only needs the port it listens on.

-rpa

CloudShell times out if there is no activity for a while. With this option, timeouts are avoided by periodically typing ENTER into the browser window.

note) If you don't use this feature, the default timeout will be 20 minutes.
note) For now, only Windows is supported.
note) A browser window showing CloudShell is required.

note) When starting in this mode, it is more stable to click once on the CloudShell browser window first.

-salt

Encrypts the credentials with a SALT at each update, so that the token cannot be parsed out of the stored data.
Enable the salt option in all three modes.

$ ./goCred -proxy -port=8080 -salt

$ ./goCred -server -token=test -salt 10.0.0.1:8080

$ ./goCred -client -token=test -salt 192.168.0.1:8080

note) The first credentials are encrypted without the SALT; from the next update on they are encrypted with it. The Client must therefore connect before the next credential update, or it will not be able to decrypt them.

-server

Server mode: sends the credentials obtained in CloudShell, encrypted with the token, to the Proxy server.

In CloudShell, launch Server mode pointed at the Proxy, giving the Proxy's IP and port as the argument.

-token string

authentication token (if this value is null, is set random)

-try int

Error retry counter.
If the next screen takes a while to appear, set a larger value.

-wait int

loop wait Millisecond

license

3-clause BSD License

Owner
I'm a Cynops pyrrhogaster in Japan, a weak, sturdy, omnivorous animal. I like to eat Golang, Python, JavaScript, etc...