This repository has been archived by the owner on Nov 8, 2021. It is now read-only.

option to limit access to an IAM group instead of all IAM users #19

Closed
wants to merge 2 commits into from

Conversation

dylansmith

No description provided.

Contributor

@michaelwittig michaelwittig left a comment

I'm not sure if this is the right place for this. Why not check when the user actually logs in, in authorized_keys_command.sh? Or why not configure this by not allowing the EC2 instance to fetch the public key only for certain users instead of *?

install.sh Outdated
@@ -13,6 +13,11 @@ cd $tmpdir/aws-ec2-ssh
cp authorized_keys_command.sh /opt/authorized_keys_command.sh
cp import_users.sh /opt/import_users.sh

# To control which users are given access, uncomment the line below changing
# GROUPNAME to the name of the IAM group for users. If you leave it blank, all
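Review bot: the comment at the end of this hunk says that leaving GROUPNAME blank grants access to all IAM users, but the default the import script ships with in the same PR is the sentinel `##ALL##`, so a blank value and the sentinel behave differently; reword the comment to say that leaving the line commented out (or the value at `##ALL##`) allows all IAM users, so install.sh and import_users.sh describe the same contract.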
Contributor

Blank seems not to be correct; you check for ##ALL##.

@@ -1,5 +1,18 @@
#!/bin/bash

# Specify an IAM group for users who should be given access, or leave this with
# the value '##ALL##' to give access to all IAM users.
UsersGroup="##ALL##"
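Review bot: `UsersGroup` accepts exactly one IAM group name, while the discussion on this PR already asks for several groups; a space-separated list (`UsersGroup="ops devs"`) iterated by the lookup code would cover both the single-group and multi-group cases without adding a second sentinel, and the `##ALL##` magic value should be documented wherever the installer tells the user to set it.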
Contributor

Why not blank?

Author

For consistency?

Contributor

I see. So it needs to be changed in install.sh accordingly.

@shinenelson
Contributor

shinenelson commented Feb 13, 2017

Aha! I was just going to open a pull request with this feature. I've implemented this in a slightly different way though. My implementation can accept multiple IAM Groups.

Check out my import-user-from-groups branch, if you're interested.

@michaelwittig
Contributor

Hi! What do you think about putting the group membership check into the authorized_keys_command.sh script? This would eliminate the issue with group membership changes and would also apply immediately.

@shinenelson
Contributor

I'd like importing users from groups so that I can fine-tune what kind of privileges I can give them on the servers. I'd like to put one group in a chroot or restrict others to an lshell, etc. The import process and the useradd command are the best place to achieve that.

But yes, it is appropriate for authorized_keys_command too. I'll open a pull request in a while. 😉

@michaelwittig
Contributor

michaelwittig commented Feb 22, 2017

I see. The two requirements are:

  • allow only a subset of users to login
  • configure local users depending on the group membership

The first one seems simpler by checking for the group membership in authorized_keys_command.
The second one seems more complicated because the user needs to configure group restrictions outside of IAM I guess.

I'm wondering if it would be possible to store the configuration in the IAM group as well.

@shinenelson
Contributor

I just opened pull request #23 that implements the authorization strategy from AWS IAM groups from within the authorized_keys_command.

The second one seems more complicated because the user needs to configure group restrictions outside of IAM I guess.

That part seems pretty straightforward with my implementation in my import-user-from-groups branch. I'm using the same on my production environment as well. I have a lot of users on my account that don't need to have access to any of my EC2 Instances. What's the point of creating users for them on the instances if they're not going to be used? (That's partly a security concern as well.)
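The two requirements michaelwittig lists above (allow only a subset of users to log in; configure local users depending on group membership) and the multi-group import shinenelson describes are shown together in the following POSIX sh sketch. It is an added example, not the project's code and not any commenter's branch. The `UsersGroup` setting from the PR is generalized to a space-separated list of IAM groups with the `##ALL##` sentinel kept; `GROUP_MEMBERS`, `ALL_USERS` and the group-to-shell mapping are constructed stand-ins, and in a real deployment `iam_group_members` would call `aws iam get-group --group-name "$g" --query 'Users[].UserName' --output text` and the user list would come from `aws iam list-users --query 'Users[].UserName' --output text`.

```shell
#!/bin/sh
# Added example (not aws-ec2-ssh's own code): decide which IAM users may log in
# for a UsersGroup setting, generalized to a space-separated list of IAM groups,
# and pick a login shell per group at import time.

# Constructed membership table: "<group> <user>" per line. Assumption: a real
# deployment fetches this with `aws iam get-group`.
GROUP_MEMBERS='admins alice
admins bob
devs bob
devs carol
support dave'

# Constructed full user list. Assumption: a real deployment uses `aws iam list-users`.
ALL_USERS='alice bob carol dave erin'

# Members of one IAM group, one per line.
iam_group_members() {
    printf '%s\n' "$GROUP_MEMBERS" | awk -v g="$1" '$1 == g { print $2 }'
}

# Users allowed to log in, space separated: every user when UsersGroup is the
# ##ALL## sentinel, otherwise the de-duplicated union of the listed groups.
allowed_users() {
    if [ "$1" = "##ALL##" ]; then
        printf '%s\n' $ALL_USERS | sort -u | tr '\n' ' ' | sed 's/ $//'
        return 0
    fi
    for g in $1; do
        iam_group_members "$g"
    done | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Login shell per IAM group (constructed policy table; the project itself
# creates every user with the same shell).
shell_for_group() {
    case "$1" in
        admins) echo /bin/bash ;;
        devs)   echo /usr/bin/lshell ;;   # restricted shell for developers
        *)      echo /bin/false ;;
    esac
}

# Exit 0 if the user is in the allow list, 1 otherwise. This is the gate an
# authorized_keys_command could apply at login time.
user_allowed() {
    for u in $(allowed_users "$2"); do
        [ "$u" = "$1" ] && return 0
    done
    return 1
}

# Shell for a user: the first group in UsersGroup order that contains the user
# wins, so the operator controls precedence by ordering the list. Exit 1 and
# print nothing if the user is in none of the groups (import would skip them).
shell_for_user() {
    for g in $2; do
        for m in $(iam_group_members "$g"); do
            if [ "$m" = "$1" ]; then
                shell_for_group "$g"
                return 0
            fi
        done
    done
    return 1
}

# Demo run on the constructed data: who may log in under the PR's default and
# under a two-group allow list, and the shell an import would assign to bob.
echo "##ALL##     -> $(allowed_users '##ALL##')"
echo "admins devs -> $(allowed_users 'admins devs')"
echo "bob's shell -> $(shell_for_user bob 'devs admins')"
```

`user_allowed` is the login-time check michaelwittig proposes, `shell_for_user` is the import-time decision shinenelson needs, and both read the same `UsersGroup` list, so the two strategies cannot drift apart on who is permitted.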

@mvanbaak
Contributor

Putting it in the authorized_keys_command makes logging in to the instance even slower than it already is. While it has its advantage (like michaelwittig said), it has, in my opinion, a very big downside. All the API calls done in the shell script while logging in make it too slow. I tried and got a lot of complaints from developers that they thought the instances were acting up.

I like the way it is done in the import-user-from-groups branch better.

@michaelwittig
Contributor

@shinenelson Is there an open PR with your import-user-from-groups branch? Maybe I'm missing something?

@michaelwittig michaelwittig mentioned this pull request Mar 28, 2017
@shinenelson
Contributor

@shinenelson Is there an open PR with your import-user-from-groups branch? Maybe I'm missing something?

No, I just mentioned it in #19 (comment) since this pull request was already open and you had already commented with an alternate strategy. However, I did open pull request #23 following your suggestion.

@michaelwittig
Contributor

#24 was merged as discussed in #28.
