diff options
author | Mike Crute <mike@crute.us> | 2020-05-30 15:07:34 -0700 |
---|---|---|
committer | Mike Crute <mike@crute.us> | 2020-05-30 15:07:45 -0700 |
commit | 8a09fdda0e211bc4f2a10aad0b5f0814cf925a51 (patch) | |
tree | 840c539f6f7cb11a1d38edd22e8d8dd92d8794da | |
parent | 90f7408fc781bd233c0075a0a4dd555022b58636 (diff) | |
download | alpine-ec2-ami-8a09fdda0e211bc4f2a10aad0b5f0814cf925a51.tar.bz2 alpine-ec2-ami-8a09fdda0e211bc4f2a10aad0b5f0814cf925a51.tar.xz alpine-ec2-ami-8a09fdda0e211bc4f2a10aad0b5f0814cf925a51.zip |
Add identity broker docs
-rw-r--r-- | README_BROKER.md | 175 | ||||
-rwxr-xr-x | scripts/builder.py | 7 |
2 files changed, 182 insertions, 0 deletions
diff --git a/README_BROKER.md b/README_BROKER.md new file mode 100644 index 0000000..13e1af3 --- /dev/null +++ b/README_BROKER.md | |||
@@ -0,0 +1,175 @@ | |||
1 | # AWS Identity Broker | ||
2 | |||
3 | The identity broker is used to obtain short-lived and per-region credentials | ||
4 | for an account. Opt-in regions require the use of a long-lived credential (e.g. | ||
5 | IAM user), enabling global STS tokens, or an STS token sourced in that region. | ||
6 | The identity broker holds long-term credentials and uses them to acquire | ||
7 | short-term credentials in a given region. The broker also provides a list of | ||
8 | opt-in regions and should be used to enumerate regions. | ||
9 | |||
10 | For human-interactive users the identity broker performs OAUTH against GitHub | ||
11 | to chain the user's GitHub identity to the tokens they are given from the | ||
12 | broker. The broker also provides the user an API key to use when interacting | ||
13 | with the broker programmatically. | ||
14 | |||
15 | As of May 2020 the identity broker is not open sourced. If you want to provide | ||
16 | your own identity broker, the rest of this document specifies the URLs | ||
17 | endpoints and response formats to do so. | ||
18 | |||
19 | # The API | ||
20 | |||
21 | The identity broker API is a REST-ful service with an entry-point of | ||
22 | `/api/account`. All further navigation through the API follows links within the | ||
23 | hypertext. | ||
24 | |||
25 | **Note:** Outside of the account entry-point, URI formats should be considered | ||
26 | implementation details of the broker API and should never be templated. Beyond | ||
27 | the account entry-point, nothing in this specification is normative with | ||
28 | respect to URI paths and locations. | ||
29 | |||
30 | ## Authentication | ||
31 | |||
32 | All requests to the API must be authenticated with a broker-specific key. That | ||
33 | key is provided to the broker in the `X-API-Key` header. When the broker | ||
34 | determines that the key is either expired or invalid it must redirect the user | ||
35 | to `/logout` to indicate that the user is logged out and must log-in again. | ||
36 | |||
37 | API keys are bearer tokens and thus must only be exchanged over HTTPS. | ||
38 | |||
39 | ## Status Codes | ||
40 | |||
41 | `200 OK`: indicates that the request to the broker was successful. | ||
42 | |||
43 | `302 Found`: indicates that the broker is providing a redirect. Users should | ||
44 | check the redirect, if it is to the location `/logout` the user should consider | ||
45 | themselves logged out and proceed to login. This condition should not be | ||
46 | followed. Otherwise the user should follow all redirects. | ||
47 | |||
48 | `400 Bad Request`: indicates that some part of the request is invalid as | ||
49 | submitted. The hypertext MAY provide a description of this error and how to | ||
50 | remedy it. | ||
51 | |||
52 | `429 Rate Limit Exceeded`: indicates that the broker has rate-limited the user. | ||
53 | A user should discontinue requests to the broker immediately and wait for at | ||
54 | least 30 seconds before continuing their requests. The rate limit parameters | ||
55 | are specific to the broker and not controlled by this spec. | ||
56 | |||
57 | `500 Server Error`: indicates a server error condition that is not under the | ||
58 | user's control. | ||
59 | |||
60 | ## Account End-point | ||
61 | |||
62 | The account end-point acts as a index of the rest of the API. It presents a | ||
63 | list of accounts to which the user has access as well as links to navigate | ||
64 | further into the API. The format of this document is: | ||
65 | |||
66 | `short_name` (string): a url-safe name for the account, used as the primary | ||
67 | account identifier within the broker. | ||
68 | |||
69 | `account_number` (integer): the AWS account number | ||
70 | |||
71 | `name` (string): a user-friendly name for the account | ||
72 | |||
73 | `console_redirect_url` (uri): a URI that, when followed, leads to a resource | ||
74 | that redirects the user to an authenticated console session. | ||
75 | |||
76 | `get_console_url` (uri): a URI that, when followed, leads to a console URL | ||
77 | resource. | ||
78 | |||
79 | `credentials_url` (uri): a URI that, when followed, leads to a region list | ||
80 | resource. | ||
81 | |||
82 | `global_credential_url` (uri): a URI that, when followed, leads to a credential | ||
83 | resource which provides a credential usable by all non-opt-in regions. The | ||
84 | contents of this resource are a STS global credential which is not usable in | ||
85 | opt-in regions. | ||
86 | |||
87 | ``` | ||
88 | [ | ||
89 | { | ||
90 | "short_name": "primary-account", | ||
91 | "account_number": 123456789012, | ||
92 | "name": "Primary AWS Account", | ||
93 | "console_redirect_url": "https://broker/api/account/primary-account/console?redirect=1", | ||
94 | "get_console_url": "https://broker/api/account/primary-account/console", | ||
95 | "credentials_url": "https://broker/api/account/primary-account/credentials", | ||
96 | "global_credential_url": "https://broker/api/account/primary-account/credentials/global" | ||
97 | } | ||
98 | ] | ||
99 | ``` | ||
100 | |||
101 | ## Console URL Resource | ||
102 | |||
103 | **Note:** This resource is not used by the build scripts. | ||
104 | |||
105 | The console URL resource provides a URL to the AWS console. This resource is | ||
106 | designed for interactive use. | ||
107 | |||
108 | When provided the query parameter `redirect` with a value of `1` this resource | ||
109 | will not generate a body and will instead redirect to the URL that would have | ||
110 | been returned for `console_url`. | ||
111 | |||
112 | `console_url` (uri): a link to the AWS console with authentication credentials | ||
113 | embedded. | ||
114 | |||
115 | ``` | ||
116 | { | ||
117 | "console_url": "https://signin.aws.amazon.com/federation?..." | ||
118 | } | ||
119 | ``` | ||
120 | |||
121 | ## Credential Resource | ||
122 | |||
123 | The credential resource provides a set of credentials that can be used to | ||
124 | configure AWS tools to access an account. | ||
125 | |||
126 | `access_key` (string): the AWS access key ID | ||
127 | |||
128 | `secret_key` (string): the AWS secret access key | ||
129 | |||
130 | `session_token` (string): the AWS session token | ||
131 | |||
132 | `expiration` (iso-formatted date): the date and time when the credential will | ||
133 | expire | ||
134 | |||
135 | ``` | ||
136 | { | ||
137 | "access_key": "ASIA123ABC456DEF567G", | ||
138 | "secret_key": "r7KcIuGdPwoUG2YOLISX2XDrVts55IFGTGaY5Tqa", | ||
139 | "session_token": "7C7FyvzyneaS/eRCVDcjHOSTTIHQyvhGqW...", | ||
140 | "expiration": "2020-01-01T00:00:00Z" | ||
141 | } | ||
142 | ``` | ||
143 | |||
144 | ## Region List Resource | ||
145 | |||
146 | The region list resource provides a list of regions associated with the account | ||
147 | both opted-in and not. For opted-in regions the resource includes a link to a | ||
148 | credential resource for that region. | ||
149 | |||
150 | `name` (string): AWS name for the region | ||
151 | |||
152 | `enabled` (boolean): indicates if the region is enabled and opted-in for this | ||
153 | account. | ||
154 | |||
155 | `credentials_url` (uri): a URI that, when followed, leads to a credential | ||
156 | resource containing a credential for access to that region. The credential | ||
157 | provided will be usable against the region-local STS endpoint for the specified | ||
158 | region. This also applies for classic regions, which typically use a global | ||
159 | endpoint and credential. The returned credential is scoped to the acquiring | ||
160 | region and may not be usable against the global endpoints or a different | ||
161 | regional endpoint. | ||
162 | |||
163 | ``` | ||
164 | [ | ||
165 | { | ||
166 | "name": "af-south-1", | ||
167 | "enabled": false | ||
168 | }, | ||
169 | { | ||
170 | "name": "us-west-2", | ||
171 | "enabled": true, | ||
172 | "credentials_url": "https://broker/api/account/primary-account/credentials/us-west-2" | ||
173 | } | ||
174 | ] | ||
175 | ``` | ||
diff --git a/scripts/builder.py b/scripts/builder.py index 6ab9ed7..c249ba9 100755 --- a/scripts/builder.py +++ b/scripts/builder.py | |||
@@ -54,6 +54,13 @@ import pyhocon | |||
54 | 54 | ||
55 | 55 | ||
56 | class IdentityBrokerClient: | 56 | class IdentityBrokerClient: |
57 | """Client for identity broker | ||
58 | |||
59 | Export IDENTITY_BROKER_ENDPOINT to override the default broker endpoint. | ||
60 | Export IDENTITY_BROKER_API_KEY to specify an API key for the broker. | ||
61 | |||
62 | See README_BROKER.md for more information and a spec. | ||
63 | """ | ||
57 | 64 | ||
58 | _DEFAULT_ENDPOINT = "https://aws-access.crute.us/api/account" | 65 | _DEFAULT_ENDPOINT = "https://aws-access.crute.us/api/account" |
59 | _DEFAULT_ACCOUNT = "alpine-amis-user" | 66 | _DEFAULT_ACCOUNT = "alpine-amis-user" |