AWS Credential management
nonspecialist Merge pull request #83 from nonspecialist/master
Do not break if there are no credential files in a dir (Issue #81)
Latest commit 26a3439 Sep 6, 2016
bash Reorg source (issue #72) Jun 14, 2014
debian-pkg/DEBIAN Debian pkg also requires bash-completion Jun 5, 2014
doc Add notes for developing on OSX Jun 23, 2014
osx-pkg Generate OSX package Jun 23, 2014
pkgs Reorg source (issue #72) Jun 14, 2014
rpm New build method for libgit2 for git2go breaks inside mock for some r… Jul 10, 2014
scripts Generate OSX package Jun 23, 2014
testdata Reorg source (issue #72) Jun 14, 2014
.gitchangelog.rc First cut at generating a CHANGELOG using gitchangelog May 21, 2014
.gitignore Ignore appley bits Jun 23, 2014
.travis.yml Need to have the cloned source inside GOPATH, I think Jul 9, 2014
Dockerfile Add a Dockerfile for a Travis-like build instance Jul 8, 2014
LICENSE Initial commit May 12, 2014
Makefile Make the mock part work with git2go Jun 21, 2014
README.md Add info on policies necessary to make credulous work Aug 6, 2014
VERSION Version bump since we now support a different on-disk format (issue #60) Jun 12, 2014
aws_iam.go First cut at rotation Jun 10, 2014
aws_iam_test.go Refactor aws_iam to make it testable, and add some tests; fix Issue #33 May 19, 2014
credentials.go Do not break if there are no credential files in a dir (Issue #81) Jul 10, 2014
credentials_test.go Added a function on FileLister Jun 30, 2014
credulous.go Pass a long slab of args as a struct instead, for legibility Jul 8, 2014
credulous_test.go Initial commit May 12, 2014
crypto.go Encrypt with AES and a random key, protected by the private key (issue Jun 12, 2014
crypto_test.go Fix testkey path after reorg Jun 14, 2014
git.go Do not break if a dir IS a repo Jul 8, 2014
git_test.go Add a test for the non-repo dir check Jul 8, 2014
utils.go Support listing creds in git repo and sourcing from specific repo Jun 30, 2014

README.md

Credulous

credulous is a command-line tool that manages AWS (IAM) credentials securely. The aim is to encrypt the credentials using a user's public SSH key so that only the user who holds the corresponding private SSH key is able to see and use them. Furthermore, the tool will enable the user to rotate their current credentials easily without breaking their current workflow.

Main Features

  • Your IAM Credentials are securely encrypted on disk.
  • Easy switching of Credentials between Accounts/Users.
  • Painless Credential rotation.
  • Enables rotation of Credentials by external application/service.
  • No external runtime dependencies beyond minimal platform-specific shared libraries

Installation

For Linux (.RPM or .DEB packages)

Download your Linux package

For OSX

If you are using Homebrew you can follow these steps to install Credulous

  1. localhost$ brew install bash-completion
  2. Add the following lines to your ~/.bash_profile:
if [ -f "$(brew --prefix)/etc/bash_completion" ]; then
    . "$(brew --prefix)/etc/bash_completion"
fi
  3. localhost$ brew install https://raw.githubusercontent.com/realestate-com-au/credulous-brew/master/credulous.rb
  4. Add the following lines to your ~/.bash_profile:
if [ -f "$(brew --prefix)/etc/profile.d/credulous.sh" ]; then
    . "$(brew --prefix)/etc/profile.d/credulous.sh"
fi

Command completion

Command completion makes credulous much more convenient to use.

OSX: brew install bash-completion

CentOS: Enable the EPEL repo and install bash-completion

Debian/Ubuntu: bash-completion is installed and enabled by default. Enjoy!

Usage

Credentials need to have the right to inspect the account alias, list access keys and examine the username of the user for whom they exist. An IAM policy snippet like this will grant sufficient permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PermitViewAliases",
            "Effect": "Allow",
            "Action": [ "iam:ListAccountAliases" ],
            "Resource": "*"
        },
        {
            "Sid": "PermitViewOwnDetails",
            "Effect": "Allow",
            "Action": [
                "iam:ListAccessKeys",
                "iam:GetUser"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        }
    ]
}

You can have a look at the manual page, if that's your thing.

Storing your current credentials in Credulous

$ export AWS_ACCESS_KEY_ID=YOUR_AWS_ID
$ export AWS_SECRET_ACCESS_KEY=XXXXXXXXXXX
$ credulous save # Will ask credulous to store these credentials
# saving credentials for user@account

Displaying a set of credentials from Credulous

$ credulous source -a account -u user
export AWS_ACCESS_KEY_ID=YOUR_AWS_ID
export AWS_SECRET_ACCESS_KEY=XXXXXXXXXXX

Development


Required tools:

Make sure you have GOPATH set in your environment

Download the dependencies

$ go get -u # -u will update existing dependencies

Install git2go (Optional if you already have it installed correctly in your environment)

$ go get github.com/libgit2/git2go
$ cd $GOPATH/src/github.com/libgit2/git2go && rm -rf vendor/libgit2
$ git submodule update --init
$ mkdir -p $GOPATH/src/github.com/libgit2/git2go/vendor/libgit2/install/lib
$ make install
# Run dependency update again for credulous
$ cd $GOPATH/src/github.com/realestate-com-au/credulous && go get -u

Install the binary in your $GOBIN

$ go install

Tests

First we make sure we have our dependencies

go get -t

Make sure goconvey is installed, else use

go get -t github.com/smartystreets/goconvey

Just go into this directory and either

goconvey
< Go to localhost:8080 in your browser >

Or just run

go test ./...

Roadmap

See here

Credulous Security