{ "info": { "author": "Karl Gutwin", "author_email": "karl@bioteam.net", "bugtrack_url": null, "classifiers": [ "Operating System :: POSIX :: Linux", "Programming Language :: Python :: 3" ], "description": "# ec2userkeyd\n\nAutomatically provide EC2 users with personalized credentials via a\nlocal daemon intercepting requests to the EC2 metadata service.\n\n## Motivation\n\nCurrently accepted security best practice for AWS EC2 instances is to\ngrant them *instance IAM roles*, which allows applications on those\ninstances to use AWS services without needing to hard-code IAM user\nsecret access keys. Unfortunately, because any local process can query\nthe metadata service, this carries with it the implication that all\nusers on a given EC2 instance have the same permissions to AWS APIs,\nwhich is not always what you want. For example, a shared analytics\ninstance may have multiple users who each need access to different S3\nbuckets. Therefore, there is a need, in certain circumstances, to grant\ndifferent IAM credentials to different users local to an instance.\n\nThe most obvious solution to this problem, currently, is to revert\nto the former practice of embedding IAM user secret access keys\non the instance. However, this means manually managing a fleet of\nsecret access keys and protecting those keys with file permissions.\nFurthermore, the keys are likely not to be rotated on a defined\nschedule, increasing the risk of compromise through the leak of a\nlong-lived credential.\n\nThis application provides another potential solution. By using NAT via\n`iptables`, it intercepts HTTP requests destined to the EC2 metadata\nservice and responds with short-lived credentials that are specific to\nthe originating process's user ID. Multiple methods of translating\nfrom UNIX usernames to AWS credentials are supported, depending on\nyour IAM practices.\n\n# Credential Methods\n\nThis daemon supports multiple different methods of translating from\nUNIX users to AWS credentials. 
You can chain these methods, so that a\nfailure to retrieve credentials via the first method falls back to\nthe second method in the list, and so on. You can also have different\nchains for individual users or ranges of UIDs.\n\nThe currently supported methods are:\n\n### UserRole\n\nThis method tries to AssumeRole into an IAM role whose name matches a\npattern, which defaults to `user-{username}`. Use it if you can\neasily maintain roles that correspond to your users, or if you want\nreduced privileges for a local service account.\n\nThe only instance role permission required for this method is\n`sts:AssumeRole`. Scope its Resource to the user-role name pattern\n(for example `arn:aws:iam::123456789012:role/user-*`) rather than `*`,\nso that the instance role cannot be used to assume unrelated roles.\nAdditionally, the role to be assumed must have an Assume Role Policy\nDocument (trust policy) that grants access to the instance role. The\nfollowing policy grants access to a specific instance role; note that\n`Principal` must be an object, since IAM accepts a bare string there\nonly for `\"*\"`:\n\n {\n \"Version\": \"2012-10-17\",\n \"Statement\": [{\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::123456789012:role/my-instance-role\"},\n \"Effect\": \"Allow\"\n }]\n }\n \nIAM does not accept wildcards inside a principal ARN, so\n`arn:aws:iam::123456789012:role/*` is rejected. To allow any role in\nthe account to use the user role, name the account itself as the\nprincipal, `{\"AWS\": \"arn:aws:iam::123456789012:root\"}`; every\nprincipal in that account whose own policy grants `sts:AssumeRole` on\nthe user role can then assume it.\n\n### CreateUserRole\n\nThis method behaves similarly to UserRole, except that it\nautomatically maintains user roles that parallel IAM users. It is able\nto synchronize the policies attached to user roles with those defined\non the IAM users, and it can create new roles if necessary.\n\nThis method requires the following permissions to be granted to the\ninstance role:\n\n* `sts:AssumeRole`\n* `sts:GetCallerIdentity`\n* `iam:CreateRole`\n* `iam:List*`\n* `iam:GetPolicy`\n* `iam:GetPolicyVersion`\n* `iam:GetRolePolicy`\n* `iam:GetGroupPolicy`\n* `iam:AttachRolePolicy`\n* `iam:PutRolePolicy`\n\nBecause `iam:CreateRole` and `iam:AttachRolePolicy` let the instance\nrole create a new role and attach any policy it can reach, these\npermissions amount to account-level privilege if granted on `*`;\nrestrict them to the user-role name pattern (for example\n`arn:aws:iam::123456789012:role/user-*`) and consider a permissions\nboundary.\n\nIf the config option `instance_role_linked` inside\n`method_CreateUserRole` is set to True, then only the role that\ncreates the user role is trusted to assume it; otherwise the trust\npolicy is opened to the whole account, and any principal in the\naccount with `sts:AssumeRole` permission on the user role can assume\nit.\n\n### RestrictedInstanceRole\n\nThis method attempts to AssumeRole into the current instance role while\npassing a session policy derived from the policies discovered on an\nIAM user. The effective permissions are the intersection of the\ninstance role's policies and the session policy, so they can never\nexceed those of the instance role. This method is most suitable for\nusers with small attached policies, since the `Policy` parameter to\nAssumeRole is limited to 2,048 characters of plaintext, and STS also\nenforces a packed-size limit that can make the effective ceiling\nlower.\n\nBecause of the tight policy size restrictions with this method, there\nis an optional compression feature available that tries to reduce the\nsize of the policy parameter by eliminating unneeded statements, such\nas overlapping Deny statements. This is controlled by the\n`compress_user_policy` parameter within\n`method_RestrictedInstanceRole`.\n\nThis method requires the following permissions to be granted to the\ninstance role:\n\n* `sts:AssumeRole`\n* `sts:GetCallerIdentity`\n* `iam:GetPolicy`\n* `iam:GetPolicyVersion`\n* `iam:GetUserPolicy`\n* `iam:GetGroupPolicy`\n* `iam:ListUserPolicies`\n* `iam:ListGroupsForUser`\n* `iam:ListGroupPolicies`\n* `iam:ListAttachedUserPolicies`\n* `iam:ListAttachedGroupPolicies`\n\nIf `compress_user_policy` is enabled, then additional permissions are\nrequired:\n\n* `iam:GetRolePolicy`\n* `iam:ListRolePolicies`\n* `iam:ListAttachedRolePolicies`\n\n### InstanceRole\n\nThis method passes through the instance role privileges, with optional\npolicy restrictions. It can be used, for example, as the last method\nin a chain so that users (typically local service accounts) that don't\nmatch earlier methods get the privileges defined by the instance\nrole.\n\nIt is important to note that if this method is used as a fallback for\none of the preceding role-based methods, a user could otherwise use\nthe instance role's `sts:AssumeRole` permission to assume another\nuser's role and thereby gain that user's privileges. To avoid this,\nthe method has an option (enabled by default) to deny AssumeRole by\nminting new credentials through AssumeRole on the instance role\nitself, with a small session policy attached that denies\n`sts:AssumeRole`.\n\nThis additional restriction requires the following permissions to be\ngranted to the instance role:\n\n* `sts:AssumeRole`\n* `sts:GetCallerIdentity`\n\nThe instance role should also have an Assume Role Policy Document that\ngrants access to itself; see the discussion in UserRole for details.\n\n\n# Getting Started\n\n## Requirements\n\nThis app requires Python 3.6 or greater to run, which should be\navailable in your distribution's package repository. 
 \n\nOn Amazon Linux:\n\n $ sudo yum -y install python3 python3-pip\n\nOnly Linux is supported at this time.\n\n## Installation\n\nInstall from PyPI via `pip`:\n\n $ sudo pip3 install ec2userkeyd\n \n## Configuration\n\nThe application configuration defaults are shown in\n`ec2userkeyd/config.py`. These settings can be overridden by creating\na config file (default location: `/etc/ec2userkeyd.conf`) in INI-style\nformat. Since this file decides which credentials each UID receives,\nkeep it owned by root and not writable by other users.\n\n## Startup\n\nTo test-run the app, call it with the `daemon` argument. It must run\nas root, since it installs the `iptables` NAT rules that redirect\nmetadata requests to it.\n\n $ sudo /usr/local/bin/ec2userkeyd daemon\n\nIt will run in the foreground until killed.\n\nTo autostart, refer to your distribution's init system.", "description_content_type": "text/markdown", "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "", "keywords": "", "license": "", "maintainer": "", "maintainer_email": "", "name": "ec2userkeyd", "package_url": "https://pypi.org/project/ec2userkeyd/", "platform": "", "project_url": "https://pypi.org/project/ec2userkeyd/", "project_urls": null, "release_url": "https://pypi.org/project/ec2userkeyd/0.5.0/", "requires_dist": null, "requires_python": ">=3.6", "summary": "EC2 user credential daemon", "version": "0.5.0" }, "last_serial": 4454135, "releases": { "0.5.0": [ { "comment_text": "", "digests": { "md5": "42b22592e50a2bb4ec09e694554bce00", "sha256": "d55c4edbe9fbe7f6fbf97bb5bc1c3eab7b32ed4720745c51f2903f166ac08bd9" }, "downloads": -1, "filename": "ec2userkeyd-0.5.0.tar.gz", "has_sig": false, "md5_digest": "42b22592e50a2bb4ec09e694554bce00", "packagetype": "sdist", "python_version": "source", "requires_python": ">=3.6", "size": 22433, "upload_time": "2018-11-05T18:41:53", "url": "https://files.pythonhosted.org/packages/1e/15/5f1e5aafc1d6accdf0c870607c04fae462073d6fe30f582f5f60c5ae2aa2/ec2userkeyd-0.5.0.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "42b22592e50a2bb4ec09e694554bce00", "sha256": 
"d55c4edbe9fbe7f6fbf97bb5bc1c3eab7b32ed4720745c51f2903f166ac08bd9" }, "downloads": -1, "filename": "ec2userkeyd-0.5.0.tar.gz", "has_sig": false, "md5_digest": "42b22592e50a2bb4ec09e694554bce00", "packagetype": "sdist", "python_version": "source", "requires_python": ">=3.6", "size": 22433, "upload_time": "2018-11-05T18:41:53", "url": "https://files.pythonhosted.org/packages/1e/15/5f1e5aafc1d6accdf0c870607c04fae462073d6fe30f582f5f60c5ae2aa2/ec2userkeyd-0.5.0.tar.gz" } ] }
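The UserRole and CreateUserRole sections of the README above depend on the user role's trust policy naming the instance role correctly. The following is an added example, written for this page and not part of ec2userkeyd, that builds the two valid trust-policy shapes (single instance role, or the account root in place of the unsupported `role/*` wildcard) and checks whether a given caller would be allowed to assume the role. It only evaluates Principal, Action and Effect; Condition blocks are assumed absent. The account id, role names and session ARN are illustrative.

```python
"""Trust-policy helpers for ec2userkeyd-style user roles (added example)."""

import json
import re

ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")
# STS reports an instance role's caller as an assumed-role *session* ARN.
ASSUMED_ROLE_ARN = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/.+$")
ROOT_ARN = re.compile(r"^arn:aws:iam::(\d{12}):root$")


def validate_principal(value):
    """IAM accepts '*' on its own but no wildcard inside a principal ARN."""
    if value != "*" and "*" in value:
        raise ValueError("wildcard not allowed inside principal ARN: " + value)


def user_role_trust_policy(instance_role_arn):
    """Trust policy letting exactly one instance role assume the user role."""
    validate_principal(instance_role_arn)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            # Principal must be an object; a bare string is only legal for "*".
            "Principal": {"AWS": instance_role_arn},
        }],
    }


def account_wide_trust_policy(account_id):
    """Trust the account root: any principal in the account whose own policy
    grants sts:AssumeRole on this role may assume it (the valid spelling of
    what 'role/*' was meant to express)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {"AWS": "arn:aws:iam::%s:root" % account_id},
        }],
    }


def caller_role_arn(caller_arn):
    """Map an assumed-role session ARN back to the IAM role ARN that trust
    policies name (roles with a path are not reconstructed here)."""
    m = ASSUMED_ROLE_ARN.match(caller_arn)
    if m:
        return "arn:aws:iam::%s:role/%s" % (m.group(1), m.group(2))
    return caller_arn


def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    if isinstance(principal, str):
        raise ValueError("Principal must be '*' or an object such as {'AWS': arn}")
    entries = principal.get("AWS", [])
    if isinstance(entries, str):
        entries = [entries]
    role_arn = caller_role_arn(caller_arn)
    role = ROLE_ARN.match(role_arn)
    caller_account = role.group(1) if role else None
    for entry in entries:
        validate_principal(entry)
        if entry in ("*", role_arn):
            return True
        root = ROOT_ARN.match(entry)
        if root and root.group(1) == caller_account:
            return True
    return False


def _actions(stmt):
    actions = stmt.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def trust_policy_allows(policy, caller_arn):
    """True if `policy` grants sts:AssumeRole to `caller_arn`; an explicit
    Deny wins over any Allow, as in IAM."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    allowed = False
    for stmt in policy["Statement"]:
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _actions(stmt)):
            continue
        if not _principal_matches(stmt.get("Principal", {}), caller_arn):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

To check a deployed role, pass the `AssumeRolePolicyDocument` returned by `iam get-role` to `trust_policy_allows` together with the `Arn` from `sts get-caller-identity` as seen from the instance; the assumed-role session ARN is normalized to the role ARN before matching, which is how IAM itself resolves it.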
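The RestrictedInstanceRole and InstanceRole sections of the README above both hinge on the session policy handed to `sts:AssumeRole`: it must fit the 2,048-character limit, and for InstanceRole it must carry an explicit Deny on `sts:AssumeRole`. The following added example (not ec2userkeyd's own compression code) shows one way to build such a policy: statements with the same Effect and Resource are merged, statements another statement already subsumes are dropped, the Deny is appended, and the result is serialized compactly and rejected if it would still exceed the limit. The merge and subsumption rules are my own reading of "eliminating unneeded statements"; statements carrying Condition, NotAction or NotResource are passed through untouched because rewriting them would change their meaning. The sample statements are constructed.

```python
"""Session-policy builder for RestrictedInstanceRole / InstanceRole (added example)."""

import fnmatch
import json

SESSION_POLICY_LIMIT = 2048  # plaintext limit of the AssumeRole Policy parameter
DENY_ASSUME_ROLE = {"Effect": "Deny", "Action": "sts:AssumeRole", "Resource": "*"}
PASSTHROUGH_KEYS = ("Condition", "NotAction", "NotResource")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _normalize(stmt):
    """Canonical form: Effect plus sorted, de-duplicated Action and Resource."""
    return {
        "Effect": stmt["Effect"],
        "Action": sorted(set(_as_list(stmt.get("Action", [])))),
        "Resource": sorted(set(_as_list(stmt.get("Resource", [])))),
    }


def _covered(patterns, values):
    """Every value matches at least one IAM wildcard pattern ('*' / '?')."""
    return all(any(fnmatch.fnmatchcase(v, p) for p in patterns) for v in values)


def _subsumed(a, b):
    """Statement a adds nothing beyond statement b: same Effect, and b's
    Action/Resource patterns cover all of a's."""
    return (a["Effect"] == b["Effect"]
            and _covered(b["Action"], a["Action"])
            and _covered(b["Resource"], a["Resource"]))


def _redundant(i, candidates):
    for j, other in enumerate(candidates):
        if j == i or not _subsumed(candidates[i], other):
            continue
        # On mutual subsumption keep the earlier statement, drop the later.
        if not _subsumed(other, candidates[i]) or j < i:
            return True
    return False


def compress_statements(statements):
    """Merge statements sharing Effect and Resource, then drop any statement
    another one already subsumes.  Safe for both effects: a narrower Deny
    inside a wider Deny changes nothing, and likewise for Allow."""
    passthrough = [s for s in statements if any(k in s for k in PASSTHROUGH_KEYS)]
    plain = [s for s in statements if not any(k in s for k in PASSTHROUGH_KEYS)]
    merged = {}
    for s in map(_normalize, plain):
        merged.setdefault((s["Effect"], tuple(s["Resource"])), set()).update(s["Action"])
    candidates = [{"Effect": effect, "Action": sorted(actions), "Resource": list(resources)}
                  for (effect, resources), actions in merged.items()]
    kept = [s for i, s in enumerate(candidates) if not _redundant(i, candidates)]
    return kept + passthrough


def build_session_policy(user_statements, deny_assume_role=True, compress=True):
    """Serialize the session policy compactly and refuse one that STS would
    reject for size, so the caller can fall through to the next method."""
    stmts = compress_statements(user_statements) if compress else list(user_statements)
    if deny_assume_role:
        stmts.append(dict(DENY_ASSUME_ROLE))
    doc = json.dumps({"Version": "2012-10-17", "Statement": stmts}, separators=(",", ":"))
    if len(doc) > SESSION_POLICY_LIMIT:
        raise ValueError("session policy is %d chars; limit is %d" % (len(doc), SESSION_POLICY_LIMIT))
    return doc


# Constructed sample: what an IAM user's inline and group policies might yield,
# with duplicated and overlapping statements of the kind compression removes.
SAMPLE_USER_STATEMENTS = [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::team-data"},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::team-data"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": ["arn:aws:s3:::team-data"]},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::team-data/*"},
    {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}},
]

if __name__ == "__main__":
    print(build_session_policy(SAMPLE_USER_STATEMENTS))
```

On the sample, the three Allow statements on `team-data` collapse into one and the narrower `s3:DeleteObject` Deny disappears into the `s3:Delete*` Deny, leaving three user statements plus the `sts:AssumeRole` Deny. When `build_session_policy` raises for size, a daemon chaining methods as the README describes would treat that as a failed method and fall back to the next one in the list.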