A Python 3 tool to fetch secure strings from the aws parameter store and injecting those into environment variables.
Project description
AEnv former CredoPy!
Installation
-
Install python3 and pip
-
Install aenv:
pip install aenv
# For old pydo package:
pip install credopy
-
For YubiKey support install the YubiKey Manager CLI
-
On Windows setup Boto3 credentials
No passwords in code!
Make your company more secure by using the "troy password credo"!
Easier said than done working with credentials can get very messy and lead to huge security and data protection problems. So while working at troy gmbh it became clear that we had to define some fundamental rules to maintain a high level of security during fast growth phases. This brought up the "troy password credo".
troy password credo:
You may ask "What is the famous troy password credo?" It's very simple: Never store credentials unencrypted!
Let's get started
Working with Credentials can be fun, but from a security perspective, most of the time it isn't! Especially if you have multiple systems and different environments.
If you're using the AWS cloud you found the right repository!
AEnv is a tool that injects aws parameter store strings and secure strings into your memory as an environment variable. With this, your important credentials/security keys/... never have to touch your disk again.
And because the parameter store supports paths you can define different services with different environments.
For example:
/<Environment>/<KotlinApp1>/
#which could look like:
/Prod/CustomerManagement/DB/USER
#or
/Prod/CustomerManagement/DB/PASSWORD
Output these example data (The database password for CustomerManagement in production ):
aenv -e Prod -s CustomerManagement echo '$SECRET_CUSTOMERMANAGEMENT_DB_PASSWORD'
With both parameters, your "CustomerManagement" application/service (launched with aenv) could now access the database with the provided username and password.
Details at: How to access the environment variables
Usage
aenv [-s <service/application>] [-i] [-n] [-e <env>] [-t <2fa key>] [-T] [-Y] [-u <aws username>] [-a <account number>] [-p <aws profile>] [-r <region>] <command>
Options:
Option | explination | sample | comment |
---|---|---|---|
-h | Shows help | aenv -h | |
-i | Starts aenv in interactive mode | aenv -i | Gives you a command line that you can interact with |
-s <service/application> | For which service should the environment variables be loaded? | aenv -s CustomerService | |
-S | Sets a default service for aenv and writes it to a config file | aenv -S CustomerService | from now on "CustomerService" is the default service which means "-s CustomerService" is redundant |
-n | Do not query the parameter store at all | aenv -n | Can be used to auth the current session with MFA |
-e <env> | For which environment should the environment variables be loaded? For example Dev, Test or Prod (permission required) | aenv -e Prod | |
-t <2fa key> | Takes the 2FA key from your aws account | aenv -t 987123 | |
-T | Lets you type in the 2FA key from your aws account during runtime | aenv -T | When you run your command aenv will ask for the token |
-Y | Uses Yubikey for MFA auth | aenv -Y | During runtime aenv will use ykman to fetch the MFA-Key from your yubikey |
-r <region> | Overwrites temporary the awscli default region | aenv -r eu-central-1 | aenv will use the given region for example Frankfurt |
-q | Quiet mode (less output) | aenv -q | |
-u <aws username> | Sets a specific username combined with -a gives you a faster runtime (otherwise this data needs to be retrieved via aws) | aenv -u user@example.de | |
-a <account number> | Sets a specific account number combined with -u gives you a faster runtime (otherwise this data needs to be retrieved via aws) | aenv -a 999999999999 | |
-p <aws profile> | If multiple aws profiles are available you can choose the profile otherwise aenv will use the default profile | aenv -p testUser1 | |
-c <aws profile> | Container mode(enable this to make aenv work in ecs and codebuild) | aenv -c | permissions |
<command> | Is the command to execute with environment variables injected. | aenv code | Will run VS Code with access to given environment variables |
Note: It may be required to double escaping.
Examples:
Linux:
aenv echo '$SECRET_CUSTOMERSERVICE_UI_URL'
or
Windows:
aenv echo %SECRET_CUSTOMERSERVICE_UI_URL%
Mac:
aenv "/Applications/IntelliJ\ IDEA\ CE.app/Contents/MacOS/idea"
Note the quoting of the variable.
Enforce MFA authentication for AWS feature / function
Add the condition "MultiFactorAuthPresent" to your IAM permission:
"Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
Sample for sts:AssumeRole:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": {"AWS": "ACCOUNT-B-ID"},
"Action": "sts:AssumeRole",
"Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
}
}
Now you need MFA authentication to run assume role commands. Sample call for this would be:
aenv -q -n -Y aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/example-role" --role-session-name AWSCLI-Session
# -q removes the unnecessary output
# -n puts aenv in only authentication mode
# -Y authenticates the session with your YubiKey, alternatively you could use -t or -T
Enforce MFA authentication for all Prod parameters
To enforce MFA authentication for all Prod parameters.
(Do not forget to adapt to account ID(123456789098) to your own ;) )
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ssm:PutParameter",
"ssm:DeleteParameter",
"ssm:GetParameterHistory",
"ssm:GetParametersByPath",
"ssm:GetParameters",
"ssm:ListTagsForResource",
"ssm:GetParameter",
"ssm:DeleteParameters"
],
"Resource": [
"arn:aws:ssm:*:123456789098:parameter/Prod/*"
],
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "true"
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "ssm:DescribeParameters",
"Resource": "*"
}
]
}
Format for these environment variables:
Every environment variable that is loaded with aenv starts with "SECRET_".
Then the service-name and path, separated by underliners.
(of course in upper case)
For example:
SECRET_CUSTOMERMANAGEMENT_DB_USER
More about environment variables: Guide to Unix/Environment Variables
This is maybe made more clear by the following example:
/Prod/CustomerManagement/DB/USER
would be accessible with:
SECRET_CUSTOMERMANAGEMENT_DB_USER
or
/Prod/CustomerManagement/DB/PASSWORD
would be accessible with:
SECRET_CUSTOMERMANAGEMENT_DB_PASSWORD
Environments
We now talked a lot about environments, but how can aenv differ between different environments like dev, test, or prod?
Quite simply, you tell it!
Parameterstore:
As already mentioned you Define the environment as the first section.
Let's take the previous example:
/Prod/CustomerManagement/DB/PASSWORD
here "Prod" is our environment for the database(DB) password (PASSWORD) of our CustomerManagement service/application, but we could easily also set this for our test environment like this:
/Test/CustomerManagement/DB/PASSWORD
(When creating new parameters don't forget to create them as "SecureString's" ;) )
Bonus content:
Converting parameter store strings to secure strings Found this in my old files, before using this test and make sure it really works but with this snippet, you should be able to convert every normal parameter store string to a secure string.
No guarantee for functionality, make sure you have a backup of the parameter store variables
import boto3
client = boto3.client('ssm')
response = client.describe_parameters()
nameList = []
dic = {}
dic_descr = {}
for p in response['Parameters']:
nameList.append(p['Name'])
dic_descr[p['Name']] = p.get('Description')
nextToken_Str = response['NextToken']
while nextToken_Str:
response = client.describe_parameters(NextToken=nextToken_Str)
for p in response['Parameters']:
nameList.append(p['Name'])
dic_descr[p['Name']] = p.get('Description')
nextToken_Str = response.get('NextToken', None)
for name in nameList:
response = client.get_parameter(Name=name, WithDecryption=True)
dic[name] = response.get('Parameter').get('Value')
for name in dic:
if dic_descr[name] is not None:
print(client.put_parameter(
Name=name,
Description=dic_descr[name],
Value=dic[name],
Type='SecureString',
Overwrite=True
))
else:
print(client.put_parameter(
Name=name,
Value=dic[name],
Type='SecureString',
Overwrite=True
))
Client/You
With
aenv -e <env>
you can launch aenv for every in the parameterstore defined environment.
If you don't set any aenv swtiches to "Dev"
AWS Server
when aenv runs on an aws machine you could run it with "-e <env>" but this is rather inconvenient. So aenv queries the instance tags and searches for the key "environment" and uses its value as the current environment. If the environment tag is not set and you did not provide an environment with "-e" aenv automatically defaults to "Dev"
How to access the environment variables
To access those environment variables you have to run your application/service with aenv.
aenv java -jar service.jar
//or
aenv python service2.py
Now these two services have all environment variables for their service and environment available and can work with them here are two easy examples:
Python:
import os
os.getenv('SECRET_CUSTOMERMANAGEMENT_DB_PASSWORD')
#or let's say you want to fetch an API, but need an API token in a header request:
....
header = { 'Api-Key' : os.getenv('SECRET_CUSTOMERMANAGEMENT_API_KEY') }
....
Kotlin:
val envVar : String? = System.getenv("varname")
//there are some other examples feel free to look into https://stackoverflow.com/ but I like this approach because environment variables can be null, bus null handling probably comes down to your use-case/coding style.
Authentication
AWS Server:
Easy! Done by boto3 automatically uses in instance role defined permissions.
(Details "Permissions" section)
Developer:
boto3 uses the aws CLI's authentication so make sure you set this up before ;)
By default, aenv uses the aws CLI default profile, but of course, you can choose the profile, that you want to use, simply do:
aenv -p <awscli profile name>
#or
aenv -h
#to see more configuration options
(More details in the "Usage" section)
MFA
First of all multi-factor authentication is highly suggested!
https://lmgtfy.com/?q=why+mfa+is+important
Ok, all jokes aside especially for production parameters your IAM users should require MFA authentication at least for production parameters.
So even when a password/account from one of your users gets compromised and let's be realistic here, this will definitely happen to your company/project so better prepare for that event!
"How can we mitigate the damage"
At least in my humble opinion, this should be a "better be safe than sorry" point.
Especially for your production systems!
AEnv supports multiple MFA options, details in the "Usage" section, here the short overview:
# normal virtual mfa token:
aenv -t <TOKEN>
#askt for the token during runtime:
aenv -T
# leads to:
$ aenv -T
$ Please enter token:
#Yubikey Authenticator:
aenv -Y
At the moment aws-CLI only supports virtual MFA devices(so the -Y option uses the virtual MFA function of your yubikey (ykman) as a workaround until awscli supports hardware tokens ), but feel free to drop a comment or investigate here:
https://github.com/aws/aws-cli/issues/3607
Permissions: IAM policies / Instance roles
Permission | Used in the code | Documentation | Comment |
---|---|---|---|
"ec2:DescribeTags" | clientEC2.describe_tags() | https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeTags.html | |
"sts:GetCallerIdentity" | clientSTS.get_caller_identity() | https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html | Optional(No permissions are required to perform this operation.) |
"sts:GetSessionToken" | clientSTS.get_session_token() | https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html | |
"ssm:GetParametersByPath" | clientSSMMFA.get_parameters_by_path() | https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-access.html | |
"iam:ListMFADevices" | boto3.client('iam').list_mfa_devices() | https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam_mfa-selfmanage.html | Optional! (At the moment not in use but as soon aws API supports hardware tokens this can be enabled to let aenv support hardware MFA's) |
tldr Minimal permissions:
“ec2:DescribeTags”
“sts:GetSessionToken”
“ssm:GetParametersByPath”
Setup
- Define environment variables as described in Format for these environment variables
- Set environment tag's for your instances as described in AWS Server
- Create/adjust your instance roles/IAM roles with proper permissions as described in
Permissions
Todo
- introduce new pip package "aenv" (last update to https://pypi.org/project/credopy/) + and rework repo
- Add better logo
- Update and correct -h / --help output
- Add regex filter for only loading specific variables
- Add regex filter to leave out variables from loading
- remove -q and add -v mode
- Update initial setup instructions + consol output for this(ykman + output for missing service)
- Option to list all available environments / services(discover/list env / list services)
- Check for ykman on -Y calls improve output
- get rid of environment detection and only rely on -e flag (also no default + better output for missing environment)
- Currently only the fist MFA device of any given account is used -> add mfa device selection + option for default selection
- cleanup/refactor documentation / improve overal structure
- add only only auth mode
- Add more information about container mode and necessary IAM permissions
- Enhance local profile/config setup/usage
- Load multiple services at once instead of concatenating multiple aenv calls ( "aenv -s Service1 aenv -s Service2 ")
- Load environment tags for ECS container / for task
- Add testing
- Add feature for only loading certain variables to speed up loading
Acknowledgments
Inspired by:
Bug reports:
License
MIT Link
Support me :heart: :star: :money_with_wings:
If this project provided value, and you want to give something back, you can give the repo a star or support by buying me a coffee.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
File details
Details for the file aenv-2.0.0.tar.gz
.
File metadata
- Download URL: aenv-2.0.0.tar.gz
- Upload date:
- Size: 18.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.1 CPython/3.10.8
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | e8cd6e18fb6bc80a5556bc1aa8b0d9e23c6e94620feb3ebef32dd6c7af54f38e |
|
MD5 | fe4838de20601aa0a412db07e8e60dd0 |
|
BLAKE2b-256 | b38fa4e08c838b467dcf7a5ca6d6be6328d5c7bc4bb41f5f9e97646f2b817904 |