This furnace project provides code to create a configurable Bastion which gets user data from AWS IAM.
After everything is installed a new user must be configured to use the AWS services. This should preferrably be a user who has no other access.
Also, the default region must be exported like AWS_REGION=eu-central-1.
This Bastion should not be accessible from the outside.
The CloudFormation stack is creating a Role which will include temporary credentials for this operation alone.
The role is an AssumeRole which includes a Policy that has access to user's configured public keys.
Those credentials can be accessed via this link:
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/Bastion-AssumeRole-1U8WD180GKEU0 >> creds.json
This should result in something like this:
{
"Code" : "Success",
"LastUpdated" : "2018-10-09T20:40:12Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "asdf",
"SecretAccessKey" : "asdf",
"Token" : "asdf=",
"Expiration" : "2018-10-10T03:14:51Z"
}
We can extract this with jq and put it into our aws credentials file.
cat creds.json | jq .SecretAccessKey
cat creds.json | jq .AccessKeyId
Edit the sshd_config file to look like this:
AuthorizedKeysCommand /etc/ssh/authorized_keys.rb %u %t %k
AuthorizedKeysCommandUser root
The script must have root permissions like 0555.
The script compares the offered keys public key with the public key gathered for the user.
If either the username or the offered key type or the public key that is derived from the private key the user is using does not match with the record in AWS IAM user record, then SSH is refused.