Skip to main content

A Python 3 tool to fetch secure strings from the aws parameter store and injecting those into environment variables.

Project description

AEnv former CredoPy!

OS RunsOn RunsOn Open Source

AEnv

Installation

pip install aenv

# For old pydo package:
pip install credopy

No passwords in code!

Make your company more secure by using the "troy password credo"!

Easier said than done working with credentials can get very messy and lead to huge security and data protection problems. So while working at troy gmbh it became clear that we had to define some fundamental rules to maintain a high level of security during fast growth phases. This brought up the "troy password credo".

troy password credo:

You may ask "What is the famous troy password credo?" It's very simple: Never store credentials unencrypted!

Let's get started

Working with Credentials can be fun, but from a security perspective, most of the time it isn't! Especially if you have multiple systems and different environments.

If you're using the AWS cloud you found the right repository!

AEnv is a tool that injects aws parameter store strings and secure strings into your memory as an environment variable. With this, your important credentials/security keys/... never have to touch your disk again.

And because the parameter store supports paths you can define different services with different environments.

For example:

/<Environment>/<KotlinApp1>/

#which could look like:
/Prod/CustomerManagement/DB/USER

#or
/Prod/CustomerManagement/DB/PASSWORD

Output these example data (The database password for CustomerManagement in production ):

aenv -e Prod -s CustomerManagement echo '$SECRET_CUSTOMERMANAGEMENT_DB_PASSWORD'

With both parameters, your "CustomerManagement" application/service (launched with aenv) could now access the database with the provided username and password.

Details at: How to access the environment variables

Usage

aenv [-s <service/application>] [-i] [-n] [-e <env>] [-t <2fa key>] [-T] [-Y] [-u <aws username>] [-a <account number>] [-p <aws profile>] [-r <region>] <command>

Options:

Option explination sample comment
-h Shows help aenv -h
-i Starts aenv in interactive mode aenv -i Gives you a command line that you can interact with
-s <service/application> For which service should the environment variables be loaded? aenv -s CustomerService
-S Sets a default service for aenv and writes it to a config file aenv -S CustomerService from now on "CustomerService" is the default service which means "-s CustomerService" is redundant
-n Do not query the parameter store at all aenv -n Can be used to auth the current session with MFA
-e <env> For which environment should the environment variables be loaded? For example Dev, Test or Prod (permission required) aenv -e Prod
-t <2fa key> Takes the 2FA key from your aws account aenv -t 987123
-T Lets you type in the 2FA key from your aws account during runtime aenv -T When you run your command aenv will ask for the token
-Y Uses Yubikey for MFA auth aenv -Y During runtime aenv will use ykman to fetch the MFA-Key from your yubikey
-r <region> Overwrites temporary the awscli default region aenv -r eu-central-1 aenv will use the given region for example Frankfurt
-q Quiet mode (less output) aenv -q
-u <aws username> Sets a specific username combined with -a gives you a faster runtime (otherwise this data needs to be retrieved via aws) aenv -u user@example.de
-a <account number> Sets a specific account number combined with -u gives you a faster runtime (otherwise this data needs to be retrieved via aws) aenv -a 999999999999
-p <aws profile> If multiple aws profiles are available you can choose the profile otherwise aenv will use the default profile aenv -p testUser1
-c <aws profile> Container mode(enable this to make aenv work in ecs and codebuild) aenv -c permissions
<command> Is the command to execute with environment variables injected. aenv code Will run VS Code with access to given environment variables

Note: It may be required to double escaping.

Examples:

Linux:

aenv echo '$SECRET_CUSTOMERSERVICE_UI_URL'

or

Windows:

aenv echo %SECRET_CUSTOMERSERVICE_UI_URL%

Mac:

aenv "/Applications/IntelliJ\ IDEA\ CE.app/Contents/MacOS/idea"

Note the quoting of the variable.

Enforce MFA authentication for AWS feature / function

Add the condition "MultiFactorAuthPresent" to your IAM permission:

    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}

Sample for sts:AssumeRole:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {"AWS": "ACCOUNT-B-ID"},
    "Action": "sts:AssumeRole",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }
}

Now you need MFA authentication to run assume role commands. Sample call for this would be:

aenv -q -n -Y aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/example-role" --role-session-name AWSCLI-Session

# -q removes the unnecessary output
# -n puts aenv in only authentication mode
# -Y authenticates the session with your YubiKey, alternatively you could use -t or -T

Enforce MFA authentication for all Prod parameters

To enforce MFA authentication for all Prod parameters.

(Do not forget to adapt to account ID(123456789098) to your own ;) )

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ssm:PutParameter",
                "ssm:DeleteParameter",
                "ssm:GetParameterHistory",
                "ssm:GetParametersByPath",
                "ssm:GetParameters",
                "ssm:ListTagsForResource",
                "ssm:GetParameter",
                "ssm:DeleteParameters"
            ],
            "Resource": [
                "arn:aws:ssm:*:123456789098:parameter/Prod/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ssm:DescribeParameters",
            "Resource": "*"
        }
    ]
}

Format for these environment variables:

Every environment variable that is loaded with aenv starts with "SECRET_".

Then the service-name and path, separated by underliners.

(of course in upper case)

For example:

SECRET_CUSTOMERMANAGEMENT_DB_USER

More about environment variables: Guide to Unix/Environment Variables

This is maybe made more clear by the following example:

/Prod/CustomerManagement/DB/USER

would be accessible with:

SECRET_CUSTOMERMANAGEMENT_DB_USER

or

/Prod/CustomerManagement/DB/PASSWORD

would be accessible with:

SECRET_CUSTOMERMANAGEMENT_DB_PASSWORD

Environments

We now talked a lot about environments, but how can aenv differ between different environments like dev, test, or prod?

Quite simply, you tell it!

Parameterstore:

As already mentioned you Define the environment as the first section.

Let's take the previous example:

/Prod/CustomerManagement/DB/PASSWORD

here "Prod" is our environment for the database(DB) password (PASSWORD) of our CustomerManagement service/application, but we could easily also set this for our test environment like this:

/Test/CustomerManagement/DB/PASSWORD

(When creating new parameters don't forget to create them as "SecureString's" ;) )

Bonus content:

Converting parameter store strings to secure strings Found this in my old files, before using this test and make sure it really works but with this snippet, you should be able to convert every normal parameter store string to a secure string.

No guarantee for functionality, make sure you have a backup of the parameter store variables

import boto3
client = boto3.client('ssm')
response = client.describe_parameters()
nameList = []
dic = {}
dic_descr = {}

for p in response['Parameters']:
    nameList.append(p['Name'])
    dic_descr[p['Name']] = p.get('Description')

nextToken_Str = response['NextToken']

while nextToken_Str:
    response = client.describe_parameters(NextToken=nextToken_Str)
    
    for p in response['Parameters']:
        nameList.append(p['Name'])
        dic_descr[p['Name']] = p.get('Description')
    
    nextToken_Str = response.get('NextToken', None)
        
for name in nameList:
    response = client.get_parameter(Name=name, WithDecryption=True)
    dic[name] = response.get('Parameter').get('Value')


for name in dic:
    if dic_descr[name] is not None:
        print(client.put_parameter(
            Name=name,
            Description=dic_descr[name],
            Value=dic[name],
            Type='SecureString',
            Overwrite=True
        ))
    else:
        print(client.put_parameter(
            Name=name,
            Value=dic[name],
            Type='SecureString',
            Overwrite=True
        ))

Client/You

With

aenv -e <env>

you can launch aenv for every in the parameterstore defined environment.

If you don't set any aenv swtiches to "Dev"

AWS Server

when aenv runs on an aws machine you could run it with "-e <env>" but this is rather inconvenient. So aenv queries the instance tags and searches for the key "environment" and uses its value as the current environment. If the environment tag is not set and you did not provide an environment with "-e" aenv automatically defaults to "Dev"

How to access the environment variables

To access those environment variables you have to run your application/service with aenv.

aenv java -jar service.jar
//or
aenv python service2.py

Now these two services have all environment variables for their service and environment available and can work with them here are two easy examples:

Python:

import os
os.getenv('SECRET_CUSTOMERMANAGEMENT_DB_PASSWORD')

#or let's say you want to fetch an API, but need an API token in a header request:
....

header = { 'Api-Key' : os.getenv('SECRET_CUSTOMERMANAGEMENT_API_KEY') }
....

Kotlin:

val envVar : String? = System.getenv("varname")
//there are some other examples feel free to look into https://stackoverflow.com/ but I like this approach because environment variables can be null, bus null handling probably comes down to your use-case/coding style.

Authentication

AWS Server:

Easy! Done by boto3 automatically uses in instance role defined permissions.

(Details "Permissions" section)

Developer:

boto3 uses the aws CLI's authentication so make sure you set this up before ;)

AWS CLI

By default, aenv uses the aws CLI default profile, but of course, you can choose the profile, that you want to use, simply do:

aenv -p <awscli profile name>
#or 
aenv -h 
#to see more configuration options

(More details in the "Usage" section)

MFA

First of all multi-factor authentication is highly suggested!

https://lmgtfy.com/?q=why+mfa+is+important

Ok, all jokes aside especially for production parameters your IAM users should require MFA authentication at least for production parameters.

So even when a password/account from one of your users gets compromised and let's be realistic here, this will definitely happen to your company/project so better prepare for that event!

"How can we mitigate the damage"

At least in my humble opinion, this should be a "better be safe than sorry" point.

Especially for your production systems!

AEnv supports multiple MFA options, details in the "Usage" section, here the short overview:

# normal virtual mfa token:
aenv -t <TOKEN>

#askt for the token during runtime:
aenv -T

# leads to:
$ aenv -T
$ Please enter token: 

#Yubikey Authenticator:
aenv -Y

At the moment aws-CLI only supports virtual MFA devices(so the -Y option uses the virtual MFA function of your yubikey (ykman) as a workaround until awscli supports hardware tokens ), but feel free to drop a comment or investigate here:

https://github.com/aws/aws-cli/issues/3607

Permissions: IAM policies / Instance roles

Permission Used in the code Documentation Comment
"ec2:DescribeTags" clientEC2.describe_tags() https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeTags.html
"sts:GetCallerIdentity" clientSTS.get_caller_identity() https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html Optional(No permissions are required to perform this operation.)
"sts:GetSessionToken" clientSTS.get_session_token() https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html
"ssm:GetParametersByPath" clientSSMMFA.get_parameters_by_path() https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-access.html
"iam:ListMFADevices" boto3.client('iam').list_mfa_devices() https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam_mfa-selfmanage.html Optional! (At the moment not in use but as soon aws API supports hardware tokens this can be enabled to let aenv support hardware MFA's)

tldr Minimal permissions:

“ec2:DescribeTags”

“sts:GetSessionToken”

“ssm:GetParametersByPath”

Setup

  1. Define environment variables as described in Format for these environment variables
  2. Set environment tag's for your instances as described in AWS Server
  3. Create/adjust your instance roles/IAM roles with proper permissions as described in

Permissions

Todo

  • introduce new pip package "aenv" (last update to https://pypi.org/project/credopy/) + and rework repo
  • Add better logo
  • Update and correct -h / --help output
  • Add regex filter for only loading specific variables
  • Add regex filter to leave out variables from loading
  • remove -q and add -v mode
  • Update initial setup instructions + consol output for this(ykman + output for missing service)
  • Option to list all available environments / services(discover/list env / list services)
  • Check for ykman on -Y calls improve output
  • get rid of environment detection and only rely on -e flag (also no default + better output for missing environment)
  • Currently only the fist MFA device of any given account is used -> add mfa device selection + option for default selection
  • cleanup/refactor documentation / improve overal structure
  • add only only auth mode
  • Add more information about container mode and necessary IAM permissions
  • Enhance local profile/config setup/usage
  • Load multiple services at once instead of concatenating multiple aenv calls ( "aenv -s Service1 aenv -s Service2 ")
  • Load environment tags for ECS container / for task
  • Add testing
  • Add feature for only loading certain variables to speed up loading

Acknowledgments

Inspired by:

Bug reports:

License

MIT Link

Support me :heart: :star: :money_with_wings:

If this project provided value, and you want to give something back, you can give the repo a star or support by buying me a coffee.

Buy Me A Coffee

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

aenv-2.0.0.tar.gz (18.6 kB view details)

Uploaded Source

File details

Details for the file aenv-2.0.0.tar.gz.

File metadata

  • Download URL: aenv-2.0.0.tar.gz
  • Upload date:
  • Size: 18.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.1 CPython/3.10.8

File hashes

Hashes for aenv-2.0.0.tar.gz
Algorithm Hash digest
SHA256 e8cd6e18fb6bc80a5556bc1aa8b0d9e23c6e94620feb3ebef32dd6c7af54f38e
MD5 fe4838de20601aa0a412db07e8e60dd0
BLAKE2b-256 b38fa4e08c838b467dcf7a5ca6d6be6328d5c7bc4bb41f5f9e97646f2b817904

See more details on using hashes here.

Provenance

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page