/boggart

Simple AWS identity broker for exchanging SSH identities for IAM temporary credentials

Primary LanguageGoMIT LicenseMIT

Boggart

Boggart is a simple AWS identity broker that allows microservices to exchange their SSH identities for AWS temporary credentials.

Why Boggart?

Boggart is here to solve problems related to managing AWS account credentials across multiple microservices and/or hosts and/or containers.

  • Instead of each microservice needing its own AWS user, there is only one user for Boggart
  • Only one long-lived AWS credential to store and secure; microservice use short-lived credentials
  • Microservices can only access AWS roles with minimum privilege, reducing impact of compromise

Usage

$ docker run -d -v /etc/boggart/:/etc/boggart/ -p 2222:2222 boggart:latest

Use SSH to retrieve credentials:

$ ssh -p 2222 boggart 'arn:aws:iam::123456789012:role/TestRole?format=shell'

Where Boggart responds with the following on success:

export BOGGART_SUCCESS=1
export BOGGART_ERROR=
export BOGGART_EXPIRES_AT='2022-04-18T12:07:41Z'
export AWS_ACCESS_KEY_ID='<access-key-id>'
export AWS_SECRET_ACCESS_KEY='<secret-access-key>'
export AWS_SESSION_TOKEN='<session-token>'

On error, the response may look like the following:

export BOGGART_SUCCESS=0
export BOGGART_ERROR='not allowed to assume arn:aws:iam::123456789012:role/TestRole'

Following parameters are supported:

Parameter Usage
format json, shell
session STS session name

Configuration

Boggart looks for configuration file at /etc/boggart/config.yml. See config.example.yml for more details on config options.

Host Key

Even though Boggart can be run without specifying a host key, not having one causes Boggart to re-generate one on every restart. This causes issues with host key pinning (aka known_hosts).

Generate host key using the following:

$ ssh-keygen -t ed25519 -N '' -f /etc/boggart/host_key 

Then configure Boggart to use it

HostKey: /etc/boggart/host_key

License

MIT