This service will allow applications to create and manage AWS IAM accounts without ever having access to the main account's credentials. This opens up new possibilities for mobile and client-side applications to use AWS services on the author's behalf, without having to register or be charged separately. Without some sort of third-party service hosting and serving the keys, this is not possible in many situations.
- Edit `app.yaml` and change the value of the `application` field to a Google App Engine application id registered to you.
- Edit `credentials.py` and fill in your main AWS credentials.
- Edit `permissions.py` and fill in the groups you want the service to be able to add users to.
- Run `appcfg.py update .` to upload the application to the Google App Engine servers.
At the moment, only the following operation(s) are supported:
- `/create_user?group=group_name` - Creates a new user in the group `group_name`. If there are no errors, the response will be a string of the form `aws_access_key_id:aws_secret_access_key`, which can be used immediately.
To prevent DDoS attacks against your service, awskeyserver optionally supports PolicyHandlers, which present challenges that clients must pass in order to obtain a key. The following are currently supported:
- reCAPTCHA: If a `CaptchaValidator` is assigned to a group, a request will be met with a reCAPTCHA challenge id instead. The client must use the id to fetch the corresponding reCAPTCHA image, and send the response to awskeyserver, where it will be verified. If it passes, only then will the account key be created and returned.
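The challenge-before-key flow described above can be modelled as follows. This is an added example, not awskeyserver's own code: `ChallengeGate`, the `verify` and `create_key` callables, the locally generated id (standing in for the reCAPTCHA challenge id), and the single-use, expiry and group-binding rules are all assumptions of the sketch.

```python
import secrets
import time


class ChallengeGate:
    """Hypothetical gate: a key is created only after a pending challenge passes."""

    def __init__(self, verify, create_key, ttl=120, clock=time.time):
        self._verify = verify          # stand-in for the reCAPTCHA verification call
        self._create_key = create_key  # stand-in for creating the IAM user and key
        self._ttl = ttl                # seconds a challenge stays answerable (assumed)
        self._clock = clock
        self._pending = {}             # challenge id -> (group, expiry time)

    def create_user(self, group):
        """First request: returns a challenge id bound to the group, never a key."""
        cid = secrets.token_urlsafe(16)
        self._pending[cid] = (group, self._clock() + self._ttl)
        return cid

    def answer(self, cid, group, response):
        """Second request: returns 'key_id:secret' on success, None otherwise."""
        # pop() makes every id single-use, so a wrong guess or a replay burns it.
        entry = self._pending.pop(cid, None)
        if entry is None:
            return None
        bound_group, expiry = entry
        if bound_group != group or self._clock() > expiry:
            return None
        if not self._verify(cid, response):
            return None
        # Key material is created only here, after every check has passed.
        key_id, secret = self._create_key(group)
        return "%s:%s" % (key_id, secret)


if __name__ == "__main__":
    # Constructed stand-ins: no reCAPTCHA or AWS call is made.
    gate = ChallengeGate(lambda cid, resp: resp == "ok",
                         lambda group: ("EXAMPLE_KEY_ID", "EXAMPLE_SECRET"))
    cid = gate.create_user("readers")
    print(gate.answer(cid, "readers", "ok"))
    print(gate.answer(cid, "readers", "ok"))  # replay of an already used id
```

Because the pending entry is removed before verification, a client gets one attempt per challenge and a passed challenge cannot be replayed to mint additional keys.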
At the moment, the created account has no permissions. Eventually, `permissions.py` will be expanded to define rules for groups based on various factors.
awskeyserver was thought up and written by Adrian Petrescu (firstname.lastname@example.org). Please contact me with any questions or suggestions.