Upgrade to Pro — share decks privately, control downloads, hide ads and more …

アクセスキーの無い未来を IAM Roles Anywhereで創る @JAWS-UG Yok...

SimSta
November 15, 2023
370

アクセスキーの無い未来を IAM Roles Anywhereで創る @JAWS-UG Yokohama

SimSta

November 15, 2023
Tweet

More Decks by SimSta

Transcript

  1. ೝূہΠϯελϯεʢAmazon Linux 2023ʣͷOpenSSLόʔδϣϯ openssl.aarch64 1:3.0.8-1.amzn2023.0.9 @System openssl-libs.aarch64 1:3.0.8-1.amzn2023.0.9 @System openssl-pkcs11.aarch64

    0.4.12-3.amzn2023.0.1 @System /etc/ssl/openssl.cnfͷฤू # diff openssl.cnf openssl.cnf.org 114c114 < default_days = 3650 # how long to certify for --- > default_days = 365 # how long to certify for 216c216 < keyUsage = nonRepudiation, digitalSignature, keyEncipherment --- > # keyUsage = nonRepudiation, digitalSignature, keyEncipherment 259c259 < keyUsage = cRLSign, keyCertSign, digitalSignature --- > # keyUsage = cRLSign, keyCertSign ূ໌ॻͷ༗ޮظݶ ͓޷ΈͰมߋ VTS@DFSUͷLFZ6TBHF ίϝϯτΞ΢τ֎͢ W@DBͷLFZ6TBHF ίϝϯτΞ΢τ֎͢ EJHJUBM4JHOBUVSF௥Ճ
  2. σΟϨΫτϦͱϑΝΠϧΛ࡞੒͓ͯ͘͠ # sudo mkdir -p /etc/pki/CA/certs # sudo mkdir -p

    /etc/pki/CA/crl # sudo mkdir -p /etc/pki/CA/newcerts # sudo mkdir -p /etc/pki/CA/private # sudo chmod 700 /etc/pki/CA/private # sudo touch /etc/pki/CA/index.txt # sudo echo 01 > /etc/pki/CA/serial ೝূہͷ࡞੒ # sudo openssl req -new -x509 -keyout /etc/pki/CA/private/cakey.pem -out /etc/ pki/CA/certs/cacert.pem -days 3650 Enter PEM pass phrase:ύεϑϨʔζΛೖྗ Verifying - Enter PEM pass phrase:ύεϑϨʔζΛೖྗ ʢதུʣ Country Name (2 letter code) [XX]:JP State or Province Name (full name) []:Hokkaido Locality Name (eg, city) [Default City]:Sapporo Organization Name (eg, company) [Default Company Ltd]:SimSta Organizational Unit Name (eg, section) []:Sim Common Name (eg, your name or your server's hostname) []:rolesanywhere Email Address []:೚ҙʢෆཁʣ ͋Δఔ౓ద౰Ͱ0, $/͸͓֮͑ͯ͜͏
  3. CAόϯυϧΛऔಘ # sudo openssl x509 -in /etc/pki/CA/certs/cacert.pem -text Certificate: Data:

    Version: 3 (0x2) ʢதུʣ X509v3 Basic Constraints: critical CA:TRUE X509v3 Key Usage: Digital Signature, Certificate Sign, CRL Sign ʢதུʣ -----BEGIN CERTIFICATE----- MIIDwDCCAqigAwIBAgIUaI//Y1CUf+3LCvlU8C1LUsV3jTAwDQYJKoZIhvcNAQEL ʢதུʣ 5cxP5A== -----END CERTIFICATE----- ೝূہͷ࡞੒ # sudo openssl req -new -x509 -keyout /etc/pki/CA/private/cakey.pem -out /etc/ pki/CA/certs/cacert.pem -days 3650 ৴པΞϯΧʔ࡞੒࣌ ͜͜Λίϐϖ͢Δ 7FSTJPOͰ͋Δ $"536&Ͱ͋Δ ,FZ6TBHF͕͋Δ
  4. ΤϯυΤϯςΟςΟ༻ൿີ伴Λ࡞੒ # sudo mkdir -p /etc/pki/CA/endentity # sudo openssl genrsa

    -out /etc/pki/CA/endentity/endkey.pem 2048 CSRΛ࡞੒ # sudo openssl req -new -key /etc/pki/CA/endentity/endkey.pem -out /etc/pki/CA/ endentity/endcsr.pem ʢதུʣ Country Name (2 letter code) [XX]:JP State or Province Name (full name) []:Hokkaido Locality Name (eg, city) [Default City]:Sapporo Organization Name (eg, company) [Default Company Ltd]:SimSta Organizational Unit Name (eg, section) []:Sta Common Name (eg, your name or your server's hostname) []:rolesanywhere Email Address []:೚ҙʢෆཁʣ Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:ෆཁ An optional company name []:೚ҙʢෆཁʣ ΄΅ҰॹͰ0, ύεϑϨʔζ͸ෆཁ ͋ΔͱΤϥʔʹͳΔ
  5. CAͰॺ໊ͯ͠ΤϯυΤϯςΟςΟূ໌ॻΛൃߦ # sudo openssl ca -in /etc/pki/CA/endentity/endcsr.pem -keyfile /etc/pki/CA/ private/cakey.pem

    -cert /etc/pki/CA//certs/cacert.pem -out /etc/pki/CA/ endentity/endcrt.pem -extensions usr_cert Using configuration from /etc/pki/tls/openssl.cnf Enter pass phrase for /etc/pki/CA/private/cakey.pem:CAͷύεϑϨʔζΛೖྗ Check that the request matches the signature Signature ok Certificate Details: ʢதུʣ X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment ʢதུʣ Certificate is to be certified until Nov 8 15:09:39 2033 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated $"536&Ͱ͋Δ ,FZ6TBHFʹ %*HJUBM4JHOBUVF
  6. ΤϯυΤϯςΟςΟূ໌ॻʢendcert.pemʣͱൿີ伴ʢendkey.pemʣΛϩʔΧϧ΁ίϐʔ endcert.pemͷத਎ Certificate: Data: Version: 3 (0x2) Serial Number: 1

    (0x1) Signature Algorithm: sha256WithRSAEncryption ʢதུʣ X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment ʢதུʣ -----BEGIN CERTIFICATE----- MIIDlTCCAn2gAwIBAgIBATANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJKUDER ʢதུʣ mfbk1xKIjqTa -----END CERTIFICATE-----
  7. Credential HelperʢSigning HelperʣΛ࢖༻ͯ͠ೝূͰ͖Δ͔ςετ ϑΝΠϧͷஔ͖৔ॴΛదٓमਖ਼͠ɺϔϧύʔͰҎԼͷίϚϯυΛ࣮ߦ͢Δ # ./aws_signing_helper credential-process \ --certificate .ssh/endcrt.pem

    \ --private-key .ssh/endkey.pem \ --trust-anchor-arn arn:aws:rolesanywhere:ap-northeast-1:XXXXXXXXXXXX:trust- anchor/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX \ --profile-arn arn:aws:rolesanywhere:ap-northeast-1:XXXXXXXXXXXX:profile/ XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX \ --role-arn arn:aws:iam::XXXXXXXXXXXX:role/rolesanywhere-role ੒ޭ͢ΔͱҰ࣌ΞΫηεΩʔͱγʔΫϨοτΞΫηεΩʔɺτʔΫϯ͕ฦͬͯ͘Δ {“Version":1,"AccessKeyId":"ASIAWGZVI6IWUEXAMPLE","SecretAccessKey":"IBMHdKtVbCn hmS+Wgu0LbqXq6XXxXXXxEXAMPLE","SessionToken":"IQoJb3JpZ2luX2VjENH////////// wEaDmFwLW5vcnRoZWFzdC0xIkYwRAIgcyD64b45AGCpN/ gxAEL7iUi8pcuXGfLaYKvNzuzora8CIGUpUHm6YsOsdfEc8XX2l9XsredDt9oZbRDallLVDRJMKpYECB ʢதུʣ SDm27AKZzde8p5ayy4/du5dgJzRtEz/ i24rNfjX9BHzZPghqayB4QWzZPWnZy1PD0fJg==","Expiration":"2023-11-11T18:06:59Z"} ূ໌ॻͱൿີ伴͸ DINPEͰ ֎෦ಡΈऔΓΛ๷ࢭ
  8. AWS CLIܦ༝Ͱ࢖༻͢Δ৔߹ɺ.aws/configͰҎԼͷΑ͏ʹϓϩϑΝΠϧΛઃఆ͢Δ [default] ·ͨ͸ [profile rolesanywhereʢ೚ҙʣ] credential_process = ./aws_signing_helper credential-process

    --certificate .ssh/endcrt.pem --private-key .ssh/endkey.pem --trust-anchor-arn arn:aws:rolesanywhere:ap-northeast-1:XXXXXXXXXXXX:trust- anchor/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX --profile-arn arn:aws:rolesanywhere:ap-northeast-1:XXXXXXXXXXXX:profile/ XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX --role-arn arn:aws:iam::XXXXXXXXXXXX:role/rolesanywhere-role region = ap-northeast-1 ͜͜·ͰͰ໰୊ͳ͘ઃఆ͞Ε͍ͯΕ͹ɺ BXTTMTͳͲݖݶͷൣғ಺Ͱ BXTίϚϯυΛ࣮ߦ͢Δ͜ͱ͕Ͱ͖Δʂ
  9. ৴པΞϯΧʔ *". $SFEFOUJBM)FMQFS ʢμ΢ϯϩʔυʣ ΫϥΠΞϯτ $"ূ໌ॻόϯυϧ DBDFSUQFN ϓϩϑΝΠϧ ೝূہʢ$"ʣ ΤϯυΤϯςΟςΟূ໌ॻ

    FOEDFSUQFN ൿີ伴 FOELFZQFN *".ϩʔϧ ΤϯυΤϯςΟςΟূ໌ॻͱൿີ伴͸ ΫϥΠΞϯτ୺຤Ͱ৵֐͞Εͳ͍Α͏ ద੾ʹอ؅ɾอޢ͠ͳ͚Ε͹ͳΒͳ͍ *".ϩʔϧͷݖݶ͸࠷খͰઃఆ͠Α͏ ೝূہ͸ϓϥΠϕʔτͳ৔ॴʹஔ͖ ৵֐͞Εͳ͍Α͏ʹ͢Δ ৴པΞϯΧʔͰ*".ʹҕ೚͍ͯ͠ΔͨΊ ఀࢭ͍ͯͯ͠΋ೝূʹ໰୊͸ͳ͍ ʢ1,*Ͱ࢖͏$3-͸ࠓճ࢖Θͳ͍ʣ ෆ҆ͳΒϚωʔδυͳ1$"Λ࢖͓͏ ʢֹ݄υϧPSυϧʣ ηΩϡϦςΟ্ͷݒ೦఺
  10. ৽نΩʔνΣʔϯΛ࡞੒͢Δ # security create-keychain credential-helper.keychain ΩʔνΣʔϯ༻ύεϫʔυΛ৽نͰೖྗʢ͙͢࢖͏ʣ # security unlock-keychain credential-helper.keychain

    ΩʔνΣʔϯ༻ύεϫʔυΛೖྗ # EXISTING_KEYCHAINS=$(security list-keychains | cut -d '"' -f2) security list- keychains -s credential-helper.keychain $(echo ${EXISTING_KEYCHAINS} | awk -v ORS=" " '{print $1}') PKCS#12ܗࣜͷূ໌ॻΛ࡞੒ ϑΝΠϧͷஔ͖৔ॴΛదٓमਖ਼͠ɺopensslͰҎԼΛ࣮ߦ # openssl pkcs12 -export -legacy -inkey ./endentity/endkey.pem -in ./endentity/ endcrt.pem -out ./endentity/composite.pfx ϥοϐϯά༻ύεϫʔυΛ৽نͰೖྗʢޙͰূ໌ॻΛΠϯϙʔτ͢Δࡍʹ࢖༻ʣ ˞ҎԼɺ.BDΩʔνΣʔϯͰઃఆɻ ɹ8JOEPXTͷํ͸͝ΊΜͳ͍͞ʢ(JU)VCʹࡌͬͯ·͢ʣ ˞0QFO44-Ҏ্ͷ৔߹ɺ.BDͷΩʔνΣʔϯͱΞϧΰϦζϜͷޓ׵ੑ͕ແ͍ͨΊɺ ɹMFHBDZΦϓγϣϯΛ࢖༻͢Δ͜ͱͰಡΈࠐΈ͕Ͱ͖ΔΑ͏ʹ͢Δ
  11. ΩʔνΣʔϯʹূ໌ॻΛΠϯϙʔτ ϑΝΠϧͷஔ͖৔ॴΛదٓमਖ਼͠ɺҎԼΛ࣮ߦ # security import ./endentity/composite.pfx -T ./aws_signing_helper -k credential-helper.keychain

    ϥοϐϯά༻ύεϫʔυΛೖྗ ੒ޭ͢ΔͱΩʔνΣʔϯʹ௥Ճ͞ΕɺҎԼίϚϯυͰূ໌ॻΛ֬ೝͰ͖Δ # ./aws_signing_helper read-certificate-data Matching identities 1) 0fd93fb177e1bd0f87d0XXXXXXXXXXXXXXXXXXXX “CN=rolesanywhere,OU=Sta,O=SimSta,ST=Hokkaido,C=JP" Credential HelperͷೝূίϚϯυΛॻ͖׵͑ͯςετ ϑΝΠϧͷஔ͖৔ॴΛదٓमਖ਼͠ɺϔϧύʔͰҎԼͷίϚϯυΛ࣮ߦ͢Δ # ./aws_signing_helper credential-process \ —-cert-selector Key=x509Serial,Value=1 \ --trust-anchor-arn arn:aws:rolesanywhere:ap-northeast-1:XXXXXXXXXXXX:trust- anchor/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX \ --profile-arn arn:aws:rolesanywhere:ap-northeast-1:XXXXXXXXXXXX:profile/ XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX \ --role-arn arn:aws:iam::XXXXXXXXXXXX:role/rolesanywhere-role γϦΞϧ͸্ه͔ ࣍ͷϖʔδͰ֬ೝ ͍͍ͩͨͩͱࢥ͏
  12. YubikeyͷPIVۭ͖εϩοτʹূ໌ॻΛΠϯϙʔτ ະ࢖༻ͷ৔߹ɺ9aͰOKɻ9a, 9c, 9d, 9eͷ4छྨ͋Γɺݫີʹ༻్͕ҟͳΔΒ͍͠ʁ # ykman piv certificates import

    9a ./endentity/composite.pfx Enter password to decrypt certificate: pfxͷύεϫʔυΛೖྗ Enter a management key [blank to use default key]:ۭཝ 9aεϩοτʹূ໌ॻ͕ೖ͍ͬͯΔ͜ͱΛ֬ೝ # ykman piv info Yubikey ManagerΛpipͰΠϯετʔϧ # pip install —user yubikey-manager Τϥʔ͕ൃੜͨ͠৔߹ɺҎԼͷΠϯετʔϧ͕ඞཁͳ৔߹͋Γ # brew install swig # pip install wheel ඞཁʹԠͯ͡ύεΛ௨͢ ˞ҎԼɺ.BDͰ:VCJLFZ.BOBHFSΛ࢖༻͢Δ৔߹ͷखॱɻ IUUQTEFWFMPQFSTZVCJDPDPNZVCJLFZNBOBHFS ͜͜Ͱ:VCJLFZΛૠೖ