Hello!
I'm trying out cloudkey with a Yubikey 5C NFC on Mac OS and I'm experiencing a few issues / things I had to find out by myself that I'd love to contribute to in the documentation. Let me know what you think!
Enrollment
When running cloudkey, here's what I get:
$ ./cloudkey enrol --identity yubikey --role breakglass
Enter your PIN for 'Yubico YubiKey CCID':
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x460609c]
goroutine 1 [running]:
github.com/aidansteele/cloudkey/cmds.EnrolCmd(0xc000358280, {0x4785981?, 0x4?, 0x4?})
/Users/christophe/workspace/cloudkey/cmds/enrol_cmd.go:57 +0x4bc
To make it work, I had to follow the following:
- Set a non-default PIN code for the PIV interface
ykman piv access change-pin --pin 123456 --new-pin XXXX
- Generate a new management key:
$ ykman piv access change-management-key --generate --protect
Enter the current management key [blank to use default key]:
Enter PIN: XXXX
- Then only enrollment worked:
$ ./cloudkey enrol --identity yubikey --role breakglass2
Generated new private key in card authentication slot
Verified that private key is stored in Yubico device
Sending certificate signing request to AWS IoT
Received certificate from AWS IoT with ID: 715bf1e65ebdaeab78a130ea11c23fcac32020307eca06473149f480c348ad46
Stored certificate on device
Attached role names: breakglass2
Credentials
I wasn't familiar with IoT so I had to search around to understand how to make it work.
- Create an IAM role with the following trust policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "credentials.iot.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
For better security and to avoid relying on the IoT authorization, you can also specify the specific certificate ID of the Yubikey:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "credentials.iot.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:RoleSessionName": "715bf1e65ebdaeab78a130ea11c23fcac32020307eca06473149f480c348ad46"
}
}
}
]
}
- Then run
cloudkey credentials breakglass2
Requiring touch
I wasn't able to find how to require a touch to retrieve credentials. Any idea?
Thanks!
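A small check for the certificate-pinning point made above, added here as an example (it is not part of cloudkey or of the original issue): it parses an IAM trust policy and reports any Allow/sts:AssumeRole statement that trusts credentials.iot.amazonaws.com without a StringEquals condition on sts:RoleSessionName carrying a certificate ID. The two embedded policies are the ones from the post; the 64-hex-character certificate-ID format is assumed from the ID shown there.

```python
import json
import re
from typing import Any, List

IOT_CREDENTIALS_SERVICE = "credentials.iot.amazonaws.com"
# Assumed format: AWS IoT certificate IDs look like the 64-hex ID in the post.
CERT_ID_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed samples, copied from the two trust policies in the post.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": IOT_CREDENTIALS_SERVICE},
    "Action": "sts:AssumeRole"}]})
PINNED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": IOT_CREDENTIALS_SERVICE},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:RoleSessionName":
        "715bf1e65ebdaeab78a130ea11c23fcac32020307eca06473149f480c348ad46"}}}]})


def _as_list(value: Any) -> list:
    """IAM accepts either a single string or a list in most policy fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_iot_trust_policy(policy_json: str) -> List[str]:
    """Return one finding per statement that lets the IoT credentials provider
    assume the role without pinning a device certificate ID. Empty list means
    every such statement is pinned."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if IOT_CREDENTIALS_SERVICE not in services:
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        pinned = [v for v in _as_list(cond.get("sts:RoleSessionName"))
                  if CERT_ID_RE.fullmatch(str(v))]
        if not pinned:
            findings.append(
                f"Statement {idx}: trusts {IOT_CREDENTIALS_SERVICE} and relies only on "
                f"IoT authorization; add a StringEquals condition on "
                f"sts:RoleSessionName with the device certificate ID")
    return findings
```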