Document how to prepare the Yubikey and IAM role #3

Open
christophetd opened this issue Jun 10, 2022 · 0 comments

Comments


christophetd commented Jun 10, 2022

Hello!

I'm trying out cloudkey with a Yubikey 5C NFC on Mac OS and I'm experiencing a few issues / things I had to find out by myself that I'd love to contribute to the documentation. Let me know what you think!

Enrollment

When running cloudkey, here's what I get:

$ ./cloudkey enrol --identity yubikey --role breakglass
Enter your PIN for 'Yubico YubiKey CCID':
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x460609c]

goroutine 1 [running]:
github.com/aidansteele/cloudkey/cmds.EnrolCmd(0xc000358280, {0x4785981?, 0x4?, 0x4?})
	/Users/christophe/workspace/cloudkey/cmds/enrol_cmd.go:57 +0x4bc

To make it work, I had to follow the following:

  1. Set a non-default PIN code for the PIV interface
ykman piv access change-pin --pin 123456 --new-pin XXXX
  2. Generate a new management key:
$ ykman piv access change-management-key --generate --protect
Enter the current management key [blank to use default key]:
Enter PIN: XXXX
  3. Then only enrollment worked:
$ ./cloudkey enrol --identity yubikey --role breakglass2
Generated new private key in card authentication slot
Verified that private key is stored in Yubico device
Sending certificate signing request to AWS IoT
Received certificate from AWS IoT with ID: 715bf1e65ebdaeab78a130ea11c23fcac32020307eca06473149f480c348ad46
Stored certificate on device
Attached role names: breakglass2

Credentials

I wasn't familiar with IoT so I had to search around to understand how to make it work.

  1. Create an IAM role with the following trust policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "credentials.iot.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

For better security and to avoid relying on the IoT authorization, you can also specify the specific certificate ID of the Yubikey:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "credentials.iot.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:RoleSessionName": "715bf1e65ebdaeab78a130ea11c23fcac32020307eca06473149f480c348ad46"
                }
            }
        }
    ]
}
  2. Then run cloudkey credentials breakglass2

Requiring touch

I wasn't able to find how to require a touch to retrieve credentials. Any idea?

Thanks!
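As an added check, not part of cloudkey or of the comment above: the script below parses a role trust policy and reports every statement that lets credentials.iot.amazonaws.com assume the role without an sts:RoleSessionName condition pinning it to a certificate ID, which is the difference between the two policies in the comment (both are embedded as samples). The 64-character lowercase hex certificate ID format and the treatment of sts:* / * wildcards as covering AssumeRole are assumptions.

```python
import json
import re

# Service principal used by the AWS IoT credentials provider when it calls sts:AssumeRole.
IOT_CREDENTIALS_SERVICE = "credentials.iot.amazonaws.com"
# Assumption: a certificate ID is 64 lowercase hex characters, like the one in the issue.
CERT_ID_RE = re.compile(r"^[0-9a-f]{64}$")


def _as_list(value):
    # IAM accepts most policy fields as either a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def iot_trust_findings(policy_json):
    """Return findings for Allow statements that let the IoT credentials provider
    assume the role without pinning sts:RoleSessionName to a certificate ID.
    An empty list means every such statement is pinned."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action", []))
        if (stmt.get("Effect") != "Allow" or IOT_CREDENTIALS_SERVICE not in services
                or not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions)):
            continue
        pinned = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:RoleSessionName")
        if pinned is None:
            findings.append(f"statement {idx}: no sts:RoleSessionName condition, so any "
                            "certificate the IoT role alias covers can assume this role")
            continue
        for name in _as_list(pinned):
            if not CERT_ID_RE.match(name):
                findings.append(f"statement {idx}: session name {name!r} is not a certificate ID")
    return findings


# Constructed samples: the unpinned and pinned trust policies from the comment above.
_IOT_PRINCIPAL = {"Service": IOT_CREDENTIALS_SERVICE}
UNPINNED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": _IOT_PRINCIPAL, "Action": "sts:AssumeRole"}]})
PINNED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": _IOT_PRINCIPAL, "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:RoleSessionName":
         "715bf1e65ebdaeab78a130ea11c23fcac32020307eca06473149f480c348ad46"}}}]})

if __name__ == "__main__":
    for label, policy in (("unpinned", UNPINNED_POLICY), ("pinned", PINNED_POLICY)):
        print(label, iot_trust_findings(policy) or ["ok: pinned to a certificate ID"])
```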
