This service will allow applications to create and manage AWS IAM accounts without ever having access to the main account's credentials. This opens up new possibilities for mobile and client-side applications to use AWS services on the author's behalf, without having to register or be charged separately. Without some sort of third-party service hosting and serving the keys, this is not possible in many situations.
- Open `app.yaml` and change the value of the `application` field to a Google App Engine application id registered to you.
- Open `credentials.py` and fill in your main AWS credentials.
- Open `permissions.py` and fill in the groups you want the service to be able to add users to.
- Run `appcfg.py update .` to upload the application to the Google App Engine servers.
At the moment, only the following operation(s) are supported:
- `/create_user?group=group_name`: Creates a new user in the group `group_name`. If there are no errors, the response will be a string of the form `aws_access_key_id:aws_secret_access_key`, which can be used immediately.
To prevent DDoS attacks against your service, awskeyserver optionally supports PolicyHandlers that can present various challenges to clients, which they must pass in order to obtain a key. The following are currently supported:
- reCAPTCHA: If a `CaptchaValidator` is assigned to a group, a request will be met with a reCAPTCHA challenge id instead. The client must use the id to fetch the corresponding reCAPTCHA image and send the response to awskeyserver, where it will be verified. Only if it passes will the account key be created and returned.
At the moment, the created account has no permissions. Eventually, `permissions.py` will be expanded to define rules for groups based on various factors.
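The following is an added example, not awskeyserver's own code, showing the core of the `/create_user` handler described above and the role of the `permissions.py` allow-list: the requested group is checked against the configured groups before any IAM call, a fresh user is created and added to that group, and the reply is formatted as `aws_access_key_id:aws_secret_access_key`. The IAM client is injected so the logic runs offline; `FakeIam`, `ALLOWED_GROUPS` and the user-name prefix are constructed assumptions, while the method names mirror the boto3 IAM client.

```python
import secrets

# Constructed stand-in for the groups an operator lists in permissions.py.
ALLOWED_GROUPS = {"mobile-readers", "uploaders"}


class FakeIam:
    """Constructed test double that records calls the way a boto3 IAM
    client (create_user, add_user_to_group, create_access_key) receives them."""
    def __init__(self):
        self.users, self.memberships, self.keys = [], [], []

    def create_user(self, UserName):
        self.users.append(UserName)

    def add_user_to_group(self, GroupName, UserName):
        self.memberships.append((GroupName, UserName))

    def create_access_key(self, UserName):
        key = {"AccessKeyId": "AKIAEXAMPLE" + UserName[-4:].upper(),
               "SecretAccessKey": secrets.token_hex(20)}  # 40 hex chars
        self.keys.append(key)
        return {"AccessKey": key}


def is_group_allowed(group, allowed_groups=ALLOWED_GROUPS):
    """The allow-list check: only groups the operator opened up in
    permissions.py may ever be handed out to anonymous clients."""
    return group in allowed_groups


def create_user_in_group(group, iam, allowed_groups=ALLOWED_GROUPS):
    """Return 'access_key_id:secret_access_key' for a new IAM user placed in
    `group`, or raise ValueError before touching IAM if the group is not
    on the allow-list (so a client cannot request a privileged group)."""
    if not is_group_allowed(group, allowed_groups):
        raise ValueError("group not permitted: %r" % group)
    user = "awskeyserver-" + secrets.token_hex(8)  # unique, unguessable name
    iam.create_user(UserName=user)
    iam.add_user_to_group(GroupName=group, UserName=user)
    key = iam.create_access_key(UserName=user)["AccessKey"]
    return "%s:%s" % (key["AccessKeyId"], key["SecretAccessKey"])


def parse_key_response(body):
    """Client side: split the 'id:secret' reply into its two parts."""
    key_id, _, secret = body.partition(":")
    if not key_id or not secret:
        raise ValueError("malformed key response")
    return key_id, secret
```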
awskeyserver was thought up and written by Adrian Petrescu (apetresc@gmail.com). Please contact me with any questions or suggestions.