I can't find a way to list IAM users with the following info:
Username
Key age
Password age
Last login
MFA Enabled
last use
key Active?
I have tried aws iam list-users but that doesn't tell me much.
Is this possible using the AWS CLI? If so, how?
I will put in an answer, since 4 people have voted, unfairly I think, to close the question.
The short answer is, no, there's no one command you can use to do this, and I can understand why that's confusing and surprising.
Some of this info can be found in the credential report using:
aws iam generate-credential-report
aws iam get-credential-report
See the docs for how to programmatically obtain the credentials report (ref).
From there you can get:
mfa_active
access_key_1_active
access_key_1_last_used_date
access_key_1_last_rotated
password_last_used
password_last_changed
Some other info can be found in the list-access-keys subcommand:
▶ aws iam list-access-keys --user-name alex
{
"AccessKeyMetadata": [
{
"UserName": "alex",
"Status": "Active",
"CreateDate": "XXXX-XX-XXT01:33:31Z",
"AccessKeyId": "XXXXXXXX"
}
]
}
Thus, you can get the "Status" and "CreateDate" from here too using commands like:
aws iam list-access-keys --user-name alex \
--query "AccessKeyMetadata[].CreateDate" \
--output text
More info again can be found in:
▶ aws iam get-login-profile --user-name alex
{
"LoginProfile": {
"UserName": "alex",
"CreateDate": "XXXX-XX-XXT01:33:31Z",
"PasswordResetRequired": false
}
}
You can also get the access key last used date this way:
access_key_id=$(aws iam list-access-keys \
--user-name alex \
--query "AccessKeyMetadata[].AccessKeyId" \
--output text)
aws iam get-access-key-last-used \
--access-key-id $access_key_id
For example of output:
{
"UserName": "alex",
"AccessKeyLastUsed": {
"Region": "XXXXXX",
"ServiceName": "iam",
"LastUsedDate": "XXXX-XX-XXT05:28:00Z"
}
}
I think that covers all the fields you asked about. Obviously, you would need to write a bit of code around all this to get it all together.
Related
How can I check for exec authorization using kubectl auth can-i ...?
While get, create, delete, etc. are considered verbs, exec is not, as shown below:
$ kubectl --kubeconfig=config-prod.yml auth can-i exec po
Warning: verb 'exec' is not a known verb
yes
Is exec authorization included in another authorization, like create?
Usually when someone is creating RBAC rules and wants to check which verbs are available for resource using:
$ kubectl api-resources -o wide | grep pods
pods po v1 true Pod [create delete deletecollection get list patch update watch]
However it's not all. If you will use bit different approach like below:
$ kubectl proxy &
Starting to serve on 127.0.0.1:8001
curl http://localhost:8001/api/v1
{
"kind": "APIResourceList",
"groupVersion": "v1",
"resources": [
{
...
### You will be able to find `pods` and verbs which can be used with pods
{
"name": "pods",
"singularName": "",
"namespaced": true,
"kind": "Pod",
"verbs": [
"create",
"delete",
"deletecollection",
"get",
"list",
"patch",
"update",
"watch"
],
"shortNames": [
"po"
### But also `pod/exec` and `pod/logs`
{
"name": "pods/exec",
"singularName": "",
"namespaced": true,
"kind": "PodExecOptions",
"verbs": [
"create",
"get"
]
},
{
"name": "pods/log",
"singularName": "",
"namespaced": true,
"kind": "Pod",
"verbs": [
"get"
]
In Using RBAC Authorization - Referring to resources you can find information about subresource.
In the Kubernetes API, most resources are represented and accessed using a string representation of their object name, such as pods for a Pod. RBAC refers to resources using exactly the same name that appears in the URL for the relevant API endpoint. Some Kubernetes APIs involve a subresource, such as the logs for a Pod
In this Documentation, you have an example with pods/logs but a similar situation is for pods/exec.
If you will use command:
$ kubectl auth can-i create pods/exec
yes
$ kubectl auth can-i get pods/exec
yes
## Or
$ kubectl auth can-i get pods --subresource=exec
yes
$ kubectl auth can-i create pods --subresource=exec
yes
Above outputs don't include Warning as I used verbs (get and create) from pods/exec. So that's the correct syntax, use verb and then subresource.
Why are both outputs yes? I used an admin role.
If you want to make some tests you can create ServiceAccount (test), Role and RoleBinding. Role yamls below:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: pod-view-role
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: pod-exec-view-role
rules:
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["get"]
Outputs of auth can-i:
$ kubectl auth can-i create pods/exec --as=system:serviceaccount:default:test
no
$ kubectl auth can-i get pods/exec --as=system:serviceaccount:default:test
yes
About the difference between create pods/exec and get pods/exec you can check github thread Users can exec into pods with the websocket endpoint even without pods/exec create privileges. Especially in #liggitt comment:
So the verb used with the pods/exec subresource is just supposed to indicate what HTTP method is used with that API endpoint?
That is how all the resource verbs work (with get mapping to specific verbs in the special cases list and watch). See https://kubernetes.io/docs/reference/access-authn-authz/authorization/#determine-the-request-verb
So an admin building an RBAC role is expected to look at the code and figure out which HTTP methods are supported for the websocket exec endpoint?
No, the subresources and associated verbs should be included in the API doc. That would be worth an issue against https://github.com/kubernetes/website/issues/ to fix the generator to pick up those subresources
Hope it answered your question. If you still have questions, let me know.
I am trying to create an SFTP user with the help of AWS CLI in my Linux Box.
Below is the AWS CLI command which I am passing in my bash script (my ssh public key is in a file, with the help of variable I am passing same into AWS CLI options section)
customer_name_pub_value=$(cat /home/developer/naman/dir/$customer_name.pub)
aws transfer create-user --user-name $customer_name --home-directory script-test/power-archive-ireland/$customer_name/ --server-id s-aaabbbccc --ssh-public-key-body $customer_name_pub_value --tags 'Key=Product,Value="demo",Key=Environment,Value=dev,Key=Contact,Value="dev.user#domain.com",Key=Service,Value="sftp"' --role customer-sftp-role
Below is the ERROR which I am facing while executing above commands:
[developer#dev-lin demo]$ aws transfer create-user --user-name $customer_name --home-directory script-test/power-archive-ireland/$customer_name/ --server-id s-aaabbbccc --ssh-public-key-body $customer_name_pub_value --tags 'Key=Product,Value="demo",Key=Environment,Value=dev,Key=Contact,Value="dev.user#domain.com",Key=Service,Value="sftp"' --role customer-sftp-role
usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:
aws help
aws <command> help
aws <command> <subcommand> help
Unknown options: developer#dev-lin.domain.com, XXXXXXXXXXAB3NzaC1yc2EAAAADAQABAAABAQCm2hI3Y33K1GVbdQV0lfkm/klZRJS7Kcz8+53e/BoIbVMFH0jqm1aejELDFgPnN7HvIZ/csYGzF/ssTx5lXVaHQh/qkYwfqQBg8WvXVB0Jmogj1hr6z5M8Qy/3oCx0fSmh6e/Ekfk8vHhiHQlGZV3o8a2AW5SkP8IH/OgT6Bq+SMuB+xtSciVBZqSLI0OgYtOZ0MyxBzfLau1Tyegu5lVFevZDVjecnIaS4l+v2VIQ/OgaZ40oAI3NuRZ2EdnLqEqFyLjasx4kcuwNzD5oaXAU6T9UsqKN2rVLMKrXXXXXXXXXXX
Am I missing something bash syntax while passing option value!
UPDATE 30-March-2020
as per suggestions in below comments, I have added AWS ARN Role in command, now facing different issue than previous
CODE:
customer_name='demo'
customer_name_pub_value=$(cat /home/developer/naman/dir/$customer_name.pub)
aws transfer create-user --user-name $customer_name --home-directory script-test/power-archive-ireland/$customer_name/ --server-id s-aaabbbccc --ssh-public-key-body "$customer_name_pub_value" --tags 'Key=Product,Value="demo",Key=Environment,Value=dev,Key=Contact,Value="dev.user#domain.com",Key=Service,Value="sftp"' --role "arn:aws:iam::8XXXXXXXXX2:role/customer-sftp-role"
ERROR
An error occurred (ValidationException) when calling the CreateUser operation: 1 validation error detected: Value 'script-test/power-archive-ireland/demo/' at 'homeDirectory' failed to satisfy constraint: Member must satisfy regular expression pattern: ^$|/.*
Yes, for the final bug, you should feed it as a list of objects:
--tags [{Key="Product", Value="demo"}, {Key="Environment", Value="dev"}, {Key="Contact", Value="dev.user#domain.com"}, {Key="Service", Value="sftp"
You may need to put "Key" and "Value" in quotes or even perhaps have to try key:value pairs (i.e. {"Product": "demo"}), but this should be the general syntax.
Below is the final working CLI command:
Changes
Added ROLE ARN (Thanks #user1394 for the suggestion)
Biggest issue resolved by placing / before --home-directory option (bad AWS documentation (https://docs.aws.amazon.com/cli/latest/reference/transfer/create-user.html) and their out-dated RegEx ^$|/.*)
Transform the broken CLI into JSON based CLI to fix the final bug (not all the tags were able to attach in old command)
#!/bin/bash
customer_name='demo'
customer_name_pub_value=$(cat /home/developer/naman/dir/$customer_name.pub)
aws transfer create-user \
--user-name $customer_name \
--server-id s-aaabbbccc \
--role "arn:aws:iam::8XXXXXXXXX2:role/customer-sftp-role" \
--ssh-public-key-body "$customer_name_pub_value" \
--home-directory /script-test/power-archive-ireland/$customer_name \
--tags '[
{"Key": "Product", "Value": "demo"},
{"Key": "Environment", "Value": "dev"},
{"Key": "Contact", "Value": "dev.user#domain.com"},
{"Key": "Service", "Value": "sftp"}
]'
My IAM account has "admin" privilege, at least supposedly. I can perform all operations as far as I can tell in web console. For example,
Recently I downloaded aws-cli and quickly configured it by supplying access keys, default region and output format. I then tried to issue some commands and found most of them, but not all, have permission issues. For example
$ aws --version
aws-cli/1.16.243 Python/3.7.4 Windows/10 botocore/1.12.233
$ aws s3 ls s3://test-bucket
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
$ aws ec2 describe-instances
An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation.
$ aws iam get-user
{
"User": {
"Path": "/",
"UserName": "xxx#xxx.xxx",
"UserId": "xxxxx",
"Arn": "arn:aws:iam::nnnnnnnnnn:user/xxx#xxx.xxx",
"CreateDate": "2019-08-21T17:09:25Z",
"PasswordLastUsed": "2019-09-21T16:11:34Z"
}
}
It appears to me that cli, which is authenticated using access key, has a different permission set from web console, which is authenticated using MFA.
Why is permission inconsistent between CLI and GUI? How to make it consistent?
It turns out following statement in one of my policies blocked CLI access due to lacking MFA.
{
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
},
"Resource": "*",
"Effect": "Deny",
"NotAction": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:GetUser",
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice",
"sts:GetSessionToken"
],
"Sid": "DenyAllExceptListedIfNoMFA"
},
If you replace BoolIfExists with Bool, it should work. Your CLI requests would not be denied because of not using MFA.
Opposite of https://aws.amazon.com/premiumsupport/knowledge-center/mfa-iam-user-aws-cli/
To remain really secure check this good explanation: MFA token for AWS CLI
In few steps
Get a temporary 36 hours session token.
aws sts get-session-token --serial-number arn:aws:iam::123456789012:mfa/user --token-code code-from-token
{
"Credentials": {
"SecretAccessKey": "secret-access-key",
"SessionToken": "temporary-session-token",
"Expiration": "expiration-date-time",
"AccessKeyId": "access-key-id"
}
}
Save these values in a mfa profile configuration.
[mfa]
aws_access_key_id = example-access-key-as-in-returned-output
aws_secret_access_key = example-secret-access-key-as-in-returned-output
aws_session_token = example-session-Token-as-in-returned-output
Call with the profile
aws --profile mfa
Ps: Don't do the cron job as suggested, it goes again the security.
I had this same issue and I fixed it by adding my user to a new group with administrator access in IAM.
to do this go to IAM, Users, click on your user and then [add permissions]
in the next screen click [Create group] and then pick administrator access
I am trying to make a connection to MongoDB with a dynamically created username and password in node-vault.
For eg. in https://www.vaultproject.io/docs/secrets/databases/mongodb.html
Vault docs, there we create dynamic username and password to log in like:
$ vault read database/creds/my-role
Key Value
--- -----
lease_id database/creds/my-role/2f6a614c-4aa2-7b19-24b9ad944a8d4de6
lease_duration 1h
lease_renewable true
password 8cab931c-d62e-a73d-60d3-5ee85139cd66
username v-root-e2978cd0-
How can I have this behaviour using node-vault so that I can access MongoDB?
I did this using their go http client. Since node-vault is also http client using node.js. So i think procedure will be same.
First enable database(if it not enabled).
$ vault secrets enable database.
api for this: https://www.vaultproject.io/api/system/mounts.html#enable-secrets-engine.
Write mongodb config
$ vault write database/config/my-mongodb-database \
plugin_name=mongodb-database-plugin \
allowed_roles="my-role" \
connection_url="mongodb://{{username}}:{{password}}#mongodb.acme.com:27017/admin?ssl=true" \
username="admin" \
password="Password!"
api for this: https://www.vaultproject.io/api/secret/databases/mongodb.html#configure-connection
Configure a role to create the database credential
$ vault write database/roles/my-role \
db_name=my-mongodb-database \
creation_statements='{ "db": "admin", "roles": [{ "role": "readWrite" }, {"role": "read", "db": "foo"}] }' \
default_ttl="1h" \
max_ttl="24h"
api for this: https://www.vaultproject.io/api/secret/databases/index.html#create-role
Generate a new credential by reading from the /creds endpoint
$ vault read database/creds/my-role
api for this: https://www.vaultproject.io/api/secret/databases/index.html#generate-credentials
Here https://github.com/kr1sp1n/node-vault/blob/master/example/mount_postgresql.js they do quite similar thing for postgreSQL in node-vault github repo.
I would like to use SSM Parameters in Serverless Variables.
Following the docs, I ran this command:
aws ssm put-parameter --name foo --value bar --type SecureString
And I added this to my serverless.yml:
custom:
foo: ${ssm:foo}
When I deploy, I get this warning however:
Serverless Warning --------------------------------------
A valid SSM parameter to satisfy the declaration 'ssm:foo' could not be found.
How do I access this variable? Thanks!
I needed to set the same region for both the serverless function, as well as the ssm variable assignment:
aws ssm put-parameter --name foo--value bar --type SecureString --region us-east-1
if the parameter is a SecureString, you need to add ~true after the path to the parameter on the serverless.yml file, as explained here: https://serverless.com/framework/docs/providers/aws/guide/variables#reference-variables-using-the-ssm-parameter-store
This will tell the framework to decrypt the value. Make sure that you have permissions to use the key used to encrypt the parameter.
Check your IAM policy. To get the parameters, the user doing the deployment needs access to SSM. This offers full access. See the docs to narrow it down a bit (ie: GetParameters, GetParameter).
"Effect": "Allow",
"Action": [
"ssm:*"
],
"Resource": [
"*"
]
Add this to the provider section in serverless.yml file
iamRoleStatements:
- Effect: "Allow"
Action:
- "ssm:GetParameters"
Resource: "*"
to use SSM variables, you need to prefix /aws/reference/secretsmanager/
example
${ssm:/aws/reference/secretsmanager/${self:provider.stage}/service/mysecret~true}