option to limit access to an IAM group instead of all IAM users #19
Conversation
I'm not sure if this is the right place for this. Why not check when the user actually logs in, in authorized_keys_command.sh? Or why not configure this by not allowing the EC2 instance to fetch the public key for certain users only, instead of *?
install.sh
@@ -13,6 +13,11 @@ cd $tmpdir/aws-ec2-ssh | |||
cp authorized_keys_command.sh /opt/authorized_keys_command.sh | |||
cp import_users.sh /opt/import_users.sh | |||
|
|||
# To control which users are given access, uncomment the line below changing | |||
# GROUPNAME to the name of the IAM group for users. If you leave it blank, all |
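Review bot: the new install.sh comment tells the operator that leaving GROUPNAME blank gives all users access, but the import_users.sh default in this same PR uses the sentinel '##ALL##', so a blank value would not do what this comment promises; reword it along the lines of `# GROUPNAME to the name of the IAM group for users. Leave it as '##ALL##' to give all` so both files describe the same behaviour, and name the file and variable the operator is expected to edit.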
Blank seems to be not correct. You check for ##ALL##.
@@ -1,5 +1,18 @@ | |||
#!/bin/bash | |||
|
|||
# Specify an IAM group for users who should be given access, or leave this with | |||
# the value '##ALL##' to give access to all IAM users. | |||
UsersGroup="##ALL##" |
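Review bot: the default `UsersGroup="##ALL##"` keeps the pre-PR behaviour of provisioning every IAM user, so anyone who runs install.sh without editing this line still gets all users on the instance; state in the comment what an empty value does, since install.sh's instructions describe blank as meaning "all" while this file only documents the '##ALL##' sentinel, and either accept both spellings in the membership check or make the two comments agree.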
Why not blank?
For consistency?
I see. So it needs to be changed in install.sh accordingly.
Aha! I was just going to open a pull request with this feature. I've implemented this in a slightly different way though. My implementation can accept multiple IAM Groups. Check out my import-user-from-groups branch, if you're interested.
Hi! What do you think about putting the group membership check into the authorized_keys_command.sh script? This would eliminate the issue with group membership changes and will also apply immediately.
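A login-time membership check of the kind suggested above could look like this. It is an added example, not code from the aws-ec2-ssh project or from either pull request; it reuses the PR's '##ALL##' sentinel, and the comma-separated group list, the empty-means-deny rule and the IAM permissions assumed (iam:ListGroupsForUser, iam:ListSSHPublicKeys, iam:GetSSHPublicKey via the instance role) are my assumptions.

```bash
#!/bin/sh
# Added example (not aws-ec2-ssh project code): decide at SSH login time
# whether an IAM user may log in, based on current IAM group membership,
# so group changes take effect on the next login without a re-import.
set -eu

# Comma-separated allowed IAM groups, or '##ALL##' to allow every IAM user.
# Default here is an assumption; a real deployment would set it in the script.
UsersGroup="${UsersGroup:-##ALL##}"

# is_allowed USER "GROUP1 GROUP2 ..." -> 0 if USER may log in, 1 otherwise.
# Pure check: takes the user's IAM groups as an argument so it can be run
# without calling AWS at all.
is_allowed() {
  groups="$2"
  [ "$UsersGroup" = "##ALL##" ] && return 0
  # An empty setting is NOT treated as 'all users': it denies everyone.
  [ -z "$UsersGroup" ] && return 1
  allowed=$(printf '%s' "$UsersGroup" | tr ',' ' ')
  for g in $groups; do
    for a in $allowed; do
      [ "$g" = "$a" ] && return 0
    done
  done
  return 1
}

# iam_groups_for USER -> whitespace-separated IAM group names from the API.
iam_groups_for() {
  aws iam list-groups-for-user --user-name "$1" \
    --query 'Groups[].GroupName' --output text
}

# authorized_keys_for USER: what an AuthorizedKeysCommand would print.
# Prints nothing (so sshd refuses key auth) unless USER is in an allowed
# group; otherwise prints the user's active IAM SSH public keys.
authorized_keys_for() {
  user="$1"
  is_allowed "$user" "$(iam_groups_for "$user")" || return 0
  for key_id in $(aws iam list-ssh-public-keys --user-name "$user" \
      --query 'SSHPublicKeys[?Status==`Active`].SSHPublicKeyId' --output text); do
    aws iam get-ssh-public-key --user-name "$user" --ssh-public-key-id "$key_id" \
      --encoding SSH --query 'SSHPublicKey.SSHPublicKeyBody' --output text
  done
}
```

sshd would invoke `authorized_keys_for "$1"` through `AuthorizedKeysCommand`, so a user removed from the group is refused at the next login even though the local account still exists.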
I'd like importing users from groups so that I can fine-tune what kind of privileges that I can give them on the servers. I'd like to put one group in a But yes, it is appropriate to
I see. The two requirements are:
The first one seems simpler by checking for the group membership in authorized_keys_command. I'm wondering if it would be possible to store the configuration in the IAM group as well.
I just opened pull request #23 that implemented the authorization strategy from AWS IAM groups from with the
That part seems pretty straight-forward with my implementation in my import-user-from-groups branch. I'm using the same on my production environment as well. I have a lot of users on my account that don't need to have access to any of my EC2 Instances. What's the point of creating users for them on the instances if they're not going to be used? (That's partly a security concern as well.)
Putting it in the I like the way it is done in the
@shinenelson Is there an open PR with your import-user-from-groups branch? Maybe I'm missing something?
No, I just mentioned it in #19 (comment) since this pull request was already open and you had already commented an alternate strategy. However, I did open pull request #23 following your suggestion. |