Trying IAM Roles Anywhere with a self-signed certificate created with OpenSSL
Isn't this a job for an OpenSSL private CA?
Hello, this is のんピ (@non____97).
Have you ever wanted to use IAM Roles Anywhere? I have.
Others have already verified that IAM Roles Anywhere lets you run the AWS CLI without issuing access keys.
So, while we're at it, let's check whether IAM Roles Anywhere also works with a self-signed certificate created with OpenSSL.
Summary up front
- IAM Roles Anywhere works with a self-signed certificate created with OpenSSL
- The passphrase must be removed from the certificate's private key (the credential helper cannot read an encrypted key)
- Check the certificate requirements for IAM Roles Anywhere carefully (key usage and basic constraints, for both the trust anchor and the end-entity certificate)
Creating the private CA
Editing /etc/pki/tls/openssl.cnf
Now let's create the private CA.
Amazon Linux 2 (and RHEL 7-family OSes in general) ships /etc/pki/tls/misc/CA, a wrapper script that makes it easy to create a private CA.
$ cat /etc/pki/tls/misc/CA
#!/bin/sh
#
# CA - wrapper around ca to make it easier to use ... basically ca requires
#      some setup stuff to be done before you can use it and this makes
#      things easier between now and when Eric is convinced to fix it :-)
#
# CA -newca ... will setup the right stuff
# CA -newreq ... will generate a certificate request
# CA -sign ... will sign the generated request and output
#
# At the end of that grab newreq.pem and newcert.pem (one has the key
# and the other the certificate) and cat them together and that is what
# you want/need ... I'll make even this a little cleaner later.
#
#
# 12-Jan-96 tjh Added more things ... including CA -signcert which
#               converts a certificate to a request and then signs it.
# 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG
#               environment variable so this can be driven from
#               a script.
# 25-Jul-96 eay Cleaned up filenames some more.
# 11-Jun-96 eay Fixed a few filename missmatches.
# 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'.
# 18-Apr-96 tjh Original hacking
#
# Tim Hudson
# [email protected]
#

# default openssl.cnf file has setup as per the following
# demoCA ... where everything is stored

cp_pem() {
    infile=$1
    outfile=$2
    bound=$3
    flag=0
    exec <$infile;
    while read line; do
        if [ $flag -eq 1 ]; then
                echo $line|grep "^-----END.*$bound"  2>/dev/null 1>/dev/null
                if [ $? -eq 0 ] ; then
                        echo $line >>$outfile
                        break
                else
                        echo $line >>$outfile
                fi
        fi

        echo $line|grep "^-----BEGIN.*$bound"  2>/dev/null 1>/dev/null
        if [ $? -eq 0 ]; then
                echo $line >$outfile
                flag=1
        fi
    done
}

usage() {
 echo "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2
}

if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi

if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi	# 1 year
CADAYS="-days 1095"	# 3 years
REQ="$OPENSSL req $SSLEAY_CONFIG"
CA="$OPENSSL ca $SSLEAY_CONFIG"
VERIFY="$OPENSSL verify"
X509="$OPENSSL x509"
PKCS12="openssl pkcs12"

if [ -z "$CATOP" ] ; then CATOP=/etc/pki/CA ; fi
CAKEY=./cakey.pem
CAREQ=./careq.pem
CACERT=./cacert.pem

RET=0

while [ "$1" != "" ] ; do
case $1 in
-\?|-h|-help)
    usage
    exit 0
    ;;
-newcert)
    # create a certificate
    $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
    RET=$?
    echo "Certificate is in newcert.pem, private key is in newkey.pem"
    ;;
-newreq)
    # create a certificate request
    $REQ -new -keyout newkey.pem -out newreq.pem $DAYS
    RET=$?
    echo "Request is in newreq.pem, private key is in newkey.pem"
    ;;
-newreq-nodes)
    # create a certificate request
    $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
    RET=$?
    echo "Request (and private key) is in newreq.pem"
    ;;
-newca)
    # if explicitly asked for or it doesn't exist then setup the directory
    # structure that Eric likes to manage things
    NEW="1"
    if [ "$NEW" -o ! -f ${CATOP}/serial ]; then
        # create the directory hierarchy
        mkdir -p ${CATOP}
        mkdir -p ${CATOP}/certs
        mkdir -p ${CATOP}/crl
        mkdir -p ${CATOP}/newcerts
        mkdir -p ${CATOP}/private
        touch ${CATOP}/index.txt
    fi
    if [ ! -f ${CATOP}/private/$CAKEY ]; then
        echo "CA certificate filename (or enter to create)"
        read FILE

        # ask user for existing CA certificate
        if [ "$FILE" ]; then
            cp_pem $FILE ${CATOP}/private/$CAKEY PRIVATE
            cp_pem $FILE ${CATOP}/$CACERT CERTIFICATE
            RET=$?
            if [ ! -f "${CATOP}/serial" ]; then
                $X509 -in ${CATOP}/$CACERT -noout -next_serial \
                      -out ${CATOP}/serial
            fi
        else
            echo "Making CA certificate ..."
            $REQ -new -keyout ${CATOP}/private/$CAKEY \
                           -out ${CATOP}/$CAREQ
            $CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \
                           -keyfile ${CATOP}/private/$CAKEY -selfsign \
                           -extensions v3_ca \
                           -infiles ${CATOP}/$CAREQ
            RET=$?
        fi
    fi
    ;;
-xsign)
    $CA -policy policy_anything -infiles newreq.pem
    RET=$?
    ;;
-pkcs12)
    if [ -z "$2" ] ; then
        CNAME="My Certificate"
    else
        CNAME="$2"
    fi
    $PKCS12 -in newcert.pem -inkey newreq.pem -certfile ${CATOP}/$CACERT \
            -out newcert.p12 -export -name "$CNAME"
    RET=$?
    exit $RET
    ;;
-sign|-signreq)
    $CA -policy policy_anything -out newcert.pem -infiles newreq.pem
    RET=$?
    cat newcert.pem
    echo "Signed certificate is in newcert.pem"
    ;;
-signCA)
    $CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem
    RET=$?
    echo "Signed CA certificate is in newcert.pem"
    ;;
-signcert)
    echo "Cert passphrase will be requested twice - bug?"
    $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
    $CA -policy policy_anything -out newcert.pem -infiles tmp.pem
    RET=$?
    cat newcert.pem
    echo "Signed certificate is in newcert.pem"
    ;;
-verify)
    shift
    if [ -z "$1" ]; then
            $VERIFY -CAfile $CATOP/$CACERT newcert.pem
            RET=$?
    else
        for j
        do
            $VERIFY -CAfile $CATOP/$CACERT $j
            if [ $? != 0 ]; then
                    RET=$?
            fi
        done
    fi
    exit $RET
    ;;
*)
    echo "Unknown arg $i" >&2
    usage
    exit 1
    ;;
esac
shift
done
exit $RET
With this script you can create a CA, generate CSRs, and issue certificates.
By default the script reads the OpenSSL configuration file /etc/pki/tls/openssl.cnf.
A certificate used as an IAM Roles Anywhere trust anchor has the following requirements.

Certificates used as trust anchors must satisfy the same requirements for signature algorithm, but with the following differences:
- The key usage must include Digital Signature, Certificate Sign, and CRL Sign.
- Basic constraints must include CA: true.
(Trust model in AWS Identity and Access Management Roles Anywhere - IAM Roles Anywhere)
In the default /etc/pki/tls/openssl.cnf, the keyUsage line in the v3_ca section is commented out, so a CA certificate issued with it carries no Key Usage extension at all, and in particular not Digital Signature.
$ cat /etc/pki/tls/openssl.cnf
.
.
(omitted)
.
.
[ v3_ca ]


# Extensions for a typical CA


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
If you try to register a private CA certificate without Digital Signature as a trust anchor, registration fails with the error Incorrect basic constraints for CA certificate.
So we edit keyUsage in the v3_ca section of /etc/pki/tls/openssl.cnf.
# Edit /etc/pki/tls/openssl.cnf
$ sudo vi /etc/pki/tls/openssl.cnf

# Check the edit
$ cat /etc/pki/tls/openssl.cnf
.
.
(omitted)
.
.
[ v3_ca ]


# Extensions for a typical CA


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
keyUsage = cRLSign, keyCertSign, digitalSignature

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
Creating the private CA
Now let's create the private CA.
$ sudo /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
..............................................+++
......................................................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:iam-roles-anyware-ca
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: c9:51:f2:e3:01:51:84:c2
        Validity
            Not Before: Jul 12 02:28:00 2022 GMT
            Not After : Jul 11 02:28:00 2025 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = Default Company Ltd
            commonName                = iam-roles-anyware-ca
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                A1:9A:6C:85:B7:B8:DB:03:5E:2C:3F:67:CD:1D:A2:53:E1:C3:1F:D5
            X509v3 Authority Key Identifier:
                keyid:A1:9A:6C:85:B7:B8:DB:03:5E:2C:3F:67:CD:1D:A2:53:E1:C3:1F:D5

            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
Certificate is to be certified until Jul 11 02:28:00 2025 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
Key Usage is Digital Signature, Certificate Sign, CRL Sign, exactly as required, and Basic Constraints is CA:TRUE.
Extract just the certificate part from the private CA's certificate file /etc/pki/CA/cacert.pem (openssl ca writes a text dump of the certificate before the PEM block, and the trust anchor form only wants the PEM).
$ openssl x509 -in /etc/pki/CA/cacert.pem
-----BEGIN CERTIFICATE-----
MIIDlDCCAnygAwIBAgIJAMlR8uMBUYTCMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV
BAYTAkpQMQ4wDAYDVQQIDAVUb2t5bzEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55
IEx0ZDEdMBsGA1UEAwwUaWFtLXJvbGVzLWFueXdhcmUtY2EwHhcNMjIwNzEyMDIy
.
.
(omitted)
.
.
EzpiIMsvi6j+EOAH/7344zYfqooylepZfnR9BIc/+fVnnYLXesOTlK8GmHsBQzj9
aFuLhsxXAkqXuYrMFFHYXX9Ri+hOX0sSXNS4FuyqVqtSBEmmPMfidCkGZ7HRw7hI
2oS2w2Pjdto=
-----END CERTIFICATE-----
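The steps above edit the system-wide openssl.cnf and go through the interactive CA wrapper. The following script is an added example, not from the original post: it builds a CA certificate that meets the trust anchor requirements quoted above from its own small config file, and then checks the issued certificate the way the trust anchor registration will (Key Usage, CA:TRUE, and no MD5/SHA-1 signature), so the Incorrect basic constraints for CA certificate error can be caught locally. The function names, the CN "roles-anywhere-ca" and the directory layout are this example's own choices.

```shell
#!/bin/sh
# Added example for this post (not the post's own commands): build a private CA whose
# certificate meets the IAM Roles Anywhere trust anchor requirements without editing
# the system-wide /etc/pki/tls/openssl.cnf, then check the certificate the way the
# trust anchor registration will. Function names, the CN "roles-anywhere-ca" and the
# directory layout are this example's own choices.
set -eu

# make_ca DIR CN KEYUSAGE
#   Writes DIR/ca.cnf, DIR/ca.key and DIR/ca.crt. KEYUSAGE is the keyUsage value;
#   pass an empty string to reproduce the stock v3_ca section, where keyUsage is
#   commented out (this is the certificate the console rejects).
make_ca() {
    dir=$1; cn=$2; ku=$3
    mkdir -p "$dir"
    umask 077   # private keys written below must not be group/world readable
    {
        printf '[ req ]\ndistinguished_name = req_dn\nprompt = no\nx509_extensions = v3_ca\n'
        printf '[ req_dn ]\nC = JP\nCN = %s\n' "$cn"
        printf '[ v3_ca ]\nsubjectKeyIdentifier = hash\n'
        printf 'authorityKeyIdentifier = keyid:always,issuer\n'
        printf 'basicConstraints = critical, CA:true\n'
        if [ -n "$ku" ]; then printf 'keyUsage = critical, %s\n' "$ku"; fi
    } > "$dir/ca.cnf"
    # -nodes leaves the CA key unencrypted so the example runs unattended; a real CA
    # key should be passphrase-protected (or kept in an HSM) and stay offline.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1095 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt"
}

# check_trust_anchor CERT
#   Returns 0 when CERT satisfies the trust anchor requirements quoted above:
#   keyUsage contains Digital Signature, Certificate Sign and CRL Sign; basic
#   constraints say CA:TRUE; the signature algorithm is not MD5 or SHA-1.
check_trust_anchor() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    ku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n 1)
    for need in 'Digital Signature' 'Certificate Sign' 'CRL Sign'; do
        case "$ku" in
            *"$need"*) ;;
            *) echo "$1: keyUsage lacks $need" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE' \
        || { echo "$1: basicConstraints is not CA:TRUE" >&2; return 1; }
    sigalg=$(printf '%s\n' "$text" | grep -m1 'Signature Algorithm' | awk '{print $3}' | tr 'A-Z' 'a-z')
    case "$sigalg" in
        *md5*|*sha1*) echo "$1: weak signature algorithm $sigalg" >&2; return 1 ;;
    esac
    return 0
}

# Stand-alone usage: sh make_ca.sh /path/to/ca-dir
if [ $# -ge 1 ]; then
    make_ca "$1" roles-anywhere-ca 'digitalSignature, keyCertSign, cRLSign'
    check_trust_anchor "$1/ca.crt" && echo "OK: $1/ca.crt can be registered as a trust anchor"
fi
```

Calling make_ca with an empty key usage reproduces the stock v3_ca result, and check_trust_anchor then reports which requirement is missing instead of leaving you to decode the console's error message. The extensions are marked critical here; the stock config deliberately avoids that because some old software chokes on critical extensions, but Roles Anywhere accepts them.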
Creating the trust anchor
Next, create the trust anchor.
From the IAM console, click Roles and then Manage (under Roles Anywhere).
Click Create a trust anchor.
Enter a trust anchor name. For the certificate authority (CA) source, select External certificate bundle, paste the private CA certificate extracted above into the text area, and click Create a trust anchor.
Confirm that it has been added to the list of trust anchors.
Note down the trust anchor's ARN as well; it is used later.
Creating the IAM role
Next, create the IAM role that IAM Roles Anywhere will assume.
The role's trusted entity must allow IAM Roles Anywhere to assume it, as follows.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "rolesanywhere.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:SetSourceIdentity",
                "sts:TagSession"
            ]
        }
    ]
}
For the IAM policy I attached AmazonEC2ReadOnlyAccess.
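The trust policy above lets the role be assumed through any trust anchor in the account whose profile lists this role. The following is an added example (not part of the original post) of a tighter trust policy: it pins the role to the one trust anchor created above via aws:SourceArn, and, because Roles Anywhere passes the certificate's subject CN as the session tag x509Subject/CN (which is why sts:TagSession is in the action list), it also requires a specific CN. The trust anchor ID is the one used elsewhere in this post, the CN is the end-entity certificate's CN from this post, and <AWS account ID> is a placeholder as in the rest of the post.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "rolesanywhere.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:SetSourceIdentity",
                "sts:TagSession"
            ],
            "Condition": {
                "ArnEquals": {
                    "aws:SourceArn": "arn:aws:rolesanywhere:us-east-1:<AWS account ID>:trust-anchor/5c50d4aa-8d0e-44d3-97d5-e26151d0bb2e"
                },
                "StringEquals": {
                    "aws:PrincipalTag/x509Subject/CN": "iam-roles-anyware-instance"
                }
            }
        }
    ]
}
```

With this in place, a certificate issued by the same private CA for a different CN, or registered under a different trust anchor, is refused at AssumeRole time even if it is otherwise valid.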
Creating the profile
To associate the IAM role you just created with IAM Roles Anywhere, create a profile.
Click Create a profile.
Enter a profile name and select the IAM role created earlier. Leave the session policy unchanged and click Create a profile.
Confirm that it has been added to the list of profiles.
Note down the profile's ARN as well; it is used later.
Issuing the certificate
Generating the CSR
Now issue the end-entity certificate for IAM Roles Anywhere.
First, generate a CSR for the certificate.
$ sudo /etc/pki/tls/misc/CA -newreq
Generating a 2048 bit RSA private key
................+++
..+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:iam-roles-anyware-instance
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
The CSR has been generated.
$ ls -l newreq.pem
-rw-r--r-- 1 root root 1025 Jul 12 02:55 newreq.pem

$ cat newreq.pem
-----BEGIN CERTIFICATE REQUEST-----
MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCSlAxDjAMBgNVBAgMBVRva3lvMRUwEwYD
VQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQx
IzAhBgNVBAMMGmlhbS1yb2xlcy1hbnl3YXJlLWluc3RhbmNlMIIBIjANBgkqhkiG
.
.
(omitted)
.
.
3HYGFwUKaAMuaP5zytSodJz1iGP9RSIsYLGteExwozdwXoXDXD9FPbeC1EWEHtSY
iVjhmgmFUkyT78AoTMTXR5dO0sD6NB8eg4Z+vnuWNrGf/8mvQoqib8fkUyA5DVt4
sHtz1uesOimEoP/eVX7vkRDlsLpn2XN+1HWQvoe+VVAL9/6rIcyPe9xVIKIebxKY
54efl9z3gwPk9bFJkWmSZeqEXOF31fj9sk84imHqcJg=
-----END CERTIFICATE REQUEST-----
A private key was generated as well. It starts with BEGIN ENCRYPTED PRIVATE KEY, so it is still protected by the passphrase entered above.
$ ls -l newkey.pem
-rw-r--r-- 1 root root 1834 Jul 12 02:55 newkey.pem

$ cat newkey.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
.
.
(omitted)
.
.
-----END ENCRYPTED PRIVATE KEY-----
Issuing the certificate
Now issue the certificate.
$ sudo /etc/pki/tls/misc/CA -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: c9:51:f2:e3:01:51:84:c3
        Validity
            Not Before: Jul 12 03:01:40 2022 GMT
            Not After : Jul 12 03:01:40 2023 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            localityName              = Default City
            organizationName          = Default Company Ltd
            commonName                = iam-roles-anyware-instance
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                97:C6:D2:8B:E0:D7:6A:B8:08:92:10:0E:5B:D7:93:48:BE:00:55:FF
            X509v3 Authority Key Identifier:
                keyid:A1:9A:6C:85:B7:B8:DB:03:5E:2C:3F:67:CD:1D:A2:53:E1:C3:1F:D5

Certificate is to be certified until Jul 12 03:01:40 2023 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: c9:51:f2:e3:01:51:84:c3
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Tokyo, O=Default Company Ltd, CN=iam-roles-anyware-ca
        Validity
            Not Before: Jul 12 03:01:40 2022 GMT
            Not After : Jul 12 03:01:40 2023 GMT
        Subject: C=JP, ST=Tokyo, L=Default City, O=Default Company Ltd, CN=iam-roles-anyware-instance
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bb:32:bc:de:5e:a8:58:f4:c2:e4:8e:e7:d4:72:
                    dc:5a:b7:f2:e6:62:44:83:76:d8:15:8a:12:da:ee:
                    a0:72:73:05:2b:4f:bd:89:e8:bf:a7:8d:e5:27:20:
                    2b:b2:33:72:45:01:b2:ca:15:38:4d:47:10:ab:84:
                    05:a0:b9:ef:b5:11:2b:6b:be:ac:28:2f:83:35:36:
                    9d:98:f7:9d:53:59:b5:b3:3c:3e:22:ec:b5:20:75:
                    5e:b9:46:c9:5d:66:95:e3:0b:1b:33:92:0b:81:ba:
                    68:d4:03:98:bc:b1:69:d1:d6:6a:21:93:37:84:51:
                    91:89:e7:12:e6:ea:74:05:8c:1c:f1:19:07:8c:75:
                    39:c5:09:e6:08:e4:21:72:ed:ac:5a:4c:0a:5d:a1:
                    ad:6e:b3:20:46:fd:c9:3f:c9:96:9d:0c:ec:ba:f3:
                    1c:99:dd:e8:d0:14:fe:71:5d:57:1e:6b:22:ce:37:
                    6d:6b:fc:9f:3a:b9:ae:c5:f3:da:6b:e1:41:6e:2f:
                    b5:bd:cb:0b:55:11:bb:03:1a:11:0c:bb:ef:c7:42:
                    3b:ce:fc:fe:6a:6c:2d:0c:15:56:dd:dd:ad:46:31:
                    79:8c:8f:b0:64:cc:40:d8:70:58:6a:be:a8:de:5c:
                    db:c3:b1:1b:aa:14:ec:97:df:16:76:6d:db:df:ec:
                    a2:61
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                97:C6:D2:8B:E0:D7:6A:B8:08:92:10:0E:5B:D7:93:48:BE:00:55:FF
            X509v3 Authority Key Identifier:
                keyid:A1:9A:6C:85:B7:B8:DB:03:5E:2C:3F:67:CD:1D:A2:53:E1:C3:1F:D5

    Signature Algorithm: sha256WithRSAEncryption
         8f:55:45:04:5f:32:bd:94:c1:b6:03:e2:95:ef:07:8e:77:c0:
         03:72:87:93:60:00:5c:b9:12:3a:cd:19:78:3b:4e:89:24:9e:
         dd:46:b4:b8:3a:2a:40:ca:fc:5a:59:6b:1b:f6:8d:eb:6e:5e:
         86:a0:0f:b9:2e:09:4e:00:24:7d:55:5e:58:88:43:b3:b5:b1:
         5c:e6:8d:ee:d2:d6:16:95:2f:75:34:ea:ac:fd:ec:82:88:12:
         64:82:ba:0a:b0:34:0b:92:76:db:02:72:e5:26:98:d1:4b:dd:
         3c:fb:bd:83:61:46:40:fb:27:ee:b0:ae:aa:6e:a7:07:b8:5e:
         48:81:1f:12:9e:4e:39:78:4d:f4:71:91:72:c8:c4:b5:1a:b0:
         8c:2d:51:d8:bc:92:0b:d6:2c:3f:27:2a:eb:e6:af:2f:f5:1a:
         75:12:5c:80:cf:98:57:d5:11:05:c2:62:63:c2:52:fb:72:3e:
         c9:9e:c8:ba:02:51:92:7d:9d:3c:16:80:48:c2:a4:05:77:23:
         07:b4:0c:a5:57:04:62:63:41:6e:88:ed:2c:6a:9c:32:16:eb:
         c0:4d:cb:82:e6:41:4c:4f:d9:76:7f:d0:2c:f6:14:4d:13:2d:
         e1:90:29:c8:8e:56:b2:8f:6e:56:c4:08:2a:ab:db:37:92:a8:
         48:57:f1:63
-----BEGIN CERTIFICATE-----
MIIDzzCCAregAwIBAgIJAMlR8uMBUYTDMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV
BAYTAkpQMQ4wDAYDVQQIDAVUb2t5bzEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55
IEx0ZDEdMBsGA1UEAwwUaWFtLXJvbGVzLWFueXdhcmUtY2EwHhcNMjIwNzEyMDMw
.
.
(omitted)
.
.
CrA0C5J22wJy5SaY0UvdPPu9g2FGQPsn7rCuqm6nB7heSIEfEp5OOXhN9HGRcsjE
tRqwjC1R2LySC9YsPycq6+avL/UadRJcgM+YV9URBcJiY8JS+3I+yZ7IugJRkn2d
PBaASMKkBXcjB7QMpVcEYmNBbojtLGqcMhbrwE3LguZBTE/Zdn/QLPYUTRMt4ZAp
yI5Wso9uVsQIKqvbN5KoSFfxYw==
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
Confirm that the certificate file has been created.
$ ls -l newcert.pem
-rw-r--r-- 1 root root 4553 Jul 12 03:01 newcert.pem

$ cat newcert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: c9:51:f2:e3:01:51:84:c3
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Tokyo, O=Default Company Ltd, CN=iam-roles-anyware-ca
        Validity
            Not Before: Jul 12 03:01:40 2022 GMT
            Not After : Jul 12 03:01:40 2023 GMT
        Subject: C=JP, ST=Tokyo, L=Default City, O=Default Company Ltd, CN=iam-roles-anyware-instance
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bb:32:bc:de:5e:a8:58:f4:c2:e4:8e:e7:d4:72:
                    dc:5a:b7:f2:e6:62:44:83:76:d8:15:8a:12:da:ee:
                    a0:72:73:05:2b:4f:bd:89:e8:bf:a7:8d:e5:27:20:
                    2b:b2:33:72:45:01:b2:ca:15:38:4d:47:10:ab:84:
                    05:a0:b9:ef:b5:11:2b:6b:be:ac:28:2f:83:35:36:
                    9d:98:f7:9d:53:59:b5:b3:3c:3e:22:ec:b5:20:75:
                    5e:b9:46:c9:5d:66:95:e3:0b:1b:33:92:0b:81:ba:
                    68:d4:03:98:bc:b1:69:d1:d6:6a:21:93:37:84:51:
                    91:89:e7:12:e6:ea:74:05:8c:1c:f1:19:07:8c:75:
                    39:c5:09:e6:08:e4:21:72:ed:ac:5a:4c:0a:5d:a1:
                    ad:6e:b3:20:46:fd:c9:3f:c9:96:9d:0c:ec:ba:f3:
                    1c:99:dd:e8:d0:14:fe:71:5d:57:1e:6b:22:ce:37:
                    6d:6b:fc:9f:3a:b9:ae:c5:f3:da:6b:e1:41:6e:2f:
                    b5:bd:cb:0b:55:11:bb:03:1a:11:0c:bb:ef:c7:42:
                    3b:ce:fc:fe:6a:6c:2d:0c:15:56:dd:dd:ad:46:31:
                    79:8c:8f:b0:64:cc:40:d8:70:58:6a:be:a8:de:5c:
                    db:c3:b1:1b:aa:14:ec:97:df:16:76:6d:db:df:ec:
                    a2:61
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                97:C6:D2:8B:E0:D7:6A:B8:08:92:10:0E:5B:D7:93:48:BE:00:55:FF
            X509v3 Authority Key Identifier:
                keyid:A1:9A:6C:85:B7:B8:DB:03:5E:2C:3F:67:CD:1D:A2:53:E1:C3:1F:D5

    Signature Algorithm: sha256WithRSAEncryption
         8f:55:45:04:5f:32:bd:94:c1:b6:03:e2:95:ef:07:8e:77:c0:
         03:72:87:93:60:00:5c:b9:12:3a:cd:19:78:3b:4e:89:24:9e:
         dd:46:b4:b8:3a:2a:40:ca:fc:5a:59:6b:1b:f6:8d:eb:6e:5e:
         86:a0:0f:b9:2e:09:4e:00:24:7d:55:5e:58:88:43:b3:b5:b1:
         5c:e6:8d:ee:d2:d6:16:95:2f:75:34:ea:ac:fd:ec:82:88:12:
         64:82:ba:0a:b0:34:0b:92:76:db:02:72:e5:26:98:d1:4b:dd:
         3c:fb:bd:83:61:46:40:fb:27:ee:b0:ae:aa:6e:a7:07:b8:5e:
         48:81:1f:12:9e:4e:39:78:4d:f4:71:91:72:c8:c4:b5:1a:b0:
         8c:2d:51:d8:bc:92:0b:d6:2c:3f:27:2a:eb:e6:af:2f:f5:1a:
         75:12:5c:80:cf:98:57:d5:11:05:c2:62:63:c2:52:fb:72:3e:
         c9:9e:c8:ba:02:51:92:7d:9d:3c:16:80:48:c2:a4:05:77:23:
         07:b4:0c:a5:57:04:62:63:41:6e:88:ed:2c:6a:9c:32:16:eb:
         c0:4d:cb:82:e6:41:4c:4f:d9:76:7f:d0:2c:f6:14:4d:13:2d:
         e1:90:29:c8:8e:56:b2:8f:6e:56:c4:08:2a:ab:db:37:92:a8:
         48:57:f1:63
-----BEGIN CERTIFICATE-----
MIIDzzCCAregAwIBAgIJAMlR8uMBUYTDMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV
BAYTAkpQMQ4wDAYDVQQIDAVUb2t5bzEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55
IEx0ZDEdMBsGA1UEAwwUaWFtLXJvbGVzLWFueXdhcmUtY2EwHhcNMjIwNzEyMDMw
.
.
(omitted)
.
.
CrA0C5J22wJy5SaY0UvdPPu9g2FGQPsn7rCuqm6nB7heSIEfEp5OOXhN9HGRcsjE
tRqwjC1R2LySC9YsPycq6+avL/UadRJcgM+YV9URBcJiY8JS+3I+yZ7IugJRkn2d
PBaASMKkBXcjB7QMpVcEYmNBbojtLGqcMhbrwE3LguZBTE/Zdn/QLPYUTRMt4ZAp
yI5Wso9uVsQIKqvbN5KoSFfxYw==
-----END CERTIFICATE-----
Verification (first attempt)
Downloading the credential helper tool
Now let's test it.
First, download the credential helper tool and make it executable. Note that this only fetches the binary over HTTPS; nothing here verifies the download beyond that, so in a real deployment you would pin the version and check the binary before giving it access to your private key.
# Download the credential helper tool
$ sudo curl https://s3.amazonaws.com/roles-anywhere-credential-helper/CredentialHelper/latest/linux_amd64/aws_signing_helper --output aws_signing_helper
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 12.6M  100 12.6M    0     0  86.5M      0 --:--:-- --:--:-- --:--:-- 86.6M

# Check the tool's permissions
$ ls -l aws_signing_helper
-rw-r--r-- 1 root root 13266672 Jul 12 03:04 aws_signing_helper

# Make the tool executable
$ sudo chmod +x aws_signing_helper

# Check the permissions again
$ ls -l aws_signing_helper
-rwxr-xr-x 1 root root 13266672 Jul 12 03:04 aws_signing_helper
Verification (first attempt)
Let's run the credential helper tool.
$ ./aws_signing_helper credential-process \
    --certificate ./newcert.pem \
    --private-key ./newkey.pem \
    --trust-anchor-arn arn:aws:rolesanywhere:us-east-1:<AWS account ID>:trust-anchor/5c50d4aa-8d0e-44d3-97d5-e26151d0bb2e \
    --profile-arn arn:aws:rolesanywhere:us-east-1:<AWS account ID>:profile/cdc56346-c267-4d99-a833-dee00070f1b5 \
    --role-arn arn:aws:iam::<AWS account ID>:role/iam-roles-anyware-role
2022/07/12 03:09:48 unable to parse private key
It failed with the error unable to parse private key.
Let's remove the passphrase from the certificate's private key and retry.
# Remove the passphrase from the private key
$ sudo openssl rsa -in newkey.pem -out cert.key
Enter pass phrase for newkey.pem:
writing RSA key

# Confirm that the passphrase has been removed
$ cat cert.key
-----BEGIN RSA PRIVATE KEY-----
.
.
(omitted)
.
.
-----END RSA PRIVATE KEY-----

# Retry
$ ./aws_signing_helper credential-process \
    --certificate ./newcert.pem \
    --private-key ./cert.key \
    --trust-anchor-arn arn:aws:rolesanywhere:us-east-1:<AWS account ID>:trust-anchor/5c50d4aa-8d0e-44d3-97d5-e26151d0bb2e \
    --profile-arn arn:aws:rolesanywhere:us-east-1:<AWS account ID>:profile/cdc56346-c267-4d99-a833-dee00070f1b5 \
    --role-arn arn:aws:iam::<AWS account ID>:role/iam-roles-anyware-role
2022/07/12 03:12:42 AccessDeniedException: Untrusted certificate. Insufficient certificate
The private key parse error is gone, but now the call fails with Untrusted certificate. Insufficient certificate.
A closer look at the documentation shows that end-entity certificates have requirements too.
End entity certificates must satisfy the following constraints to be used for authentication:
- The certificates must be X.509v3.
- Basic constraints must include CA: false.
- The key usage must include Digital Signature.
- The signing algorithm must include SHA256 or stronger. MD5 and SHA1 signing algorithms are rejected.
(Trust model in AWS Identity and Access Management Roles Anywhere - IAM Roles Anywhere)
Comparing this with the issued certificate: it has no Key Usage extension at all, so Digital Signature is missing (the stock usr_cert section that openssl ca applies to end-entity certificates has its keyUsage line commented out).
So we reissue the certificate.
Reissuing the certificate
Revoking the old certificate
Issuing a second certificate with the same Subject fails with the following error:
failed to update database TXT_DB error number 2
This is OpenSSL's unique_subject = yes default (recorded in /etc/pki/CA/index.txt.attr) refusing a second valid certificate for a subject that already has one. So before reissuing, revoke the old certificate.
# Check the certificate database file
$ cat /etc/pki/CA/index.txt
V	250711022800Z		C951F2E3015184C2	unknown	/C=JP/ST=Tokyo/O=Default Company Ltd/CN=iam-roles-anyware-ca
V	230712030140Z		C951F2E3015184C3	unknown	/C=JP/ST=Tokyo/L=Default City/O=Default Company Ltd/CN=iam-roles-anyware-instance

# Revoke the unwanted certificate
$ sudo openssl ca -revoke /etc/pki/CA/newcerts/C951F2E3015184C3.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Revoking Certificate C951F2E3015184C3.
Data Base Updated

# Confirm that it has been revoked
$ cat /etc/pki/CA/index.txt
V	250711022800Z		C951F2E3015184C2	unknown	/C=JP/ST=Tokyo/O=Default Company Ltd/CN=iam-roles-anyware-ca
R	230712030140Z	220712043755Z	C951F2E3015184C3	unknown	/C=JP/ST=Tokyo/L=Default City/O=Default Company Ltd/CN=iam-roles-anyware-instance
Normally you would generate a CRL after revoking, but since there is nobody to distribute it to, I won't create one here. Keep in mind that IAM Roles Anywhere does not fetch CRLs on its own: a revoked certificate stays usable with Roles Anywhere until it expires unless you generate a CRL (openssl ca -gencrl) and import it for the trust anchor.
Editing /etc/pki/tls/openssl.cnf
Before regenerating the CSR, edit /etc/pki/tls/openssl.cnf so that the usr_cert section (the extensions openssl ca adds to end-entity certificates) has its keyUsage line enabled, with digitalSignature included.
# Edit /etc/pki/tls/openssl.cnf
$ sudo vi /etc/pki/tls/openssl.cnf

# Check the edit
$ cat /etc/pki/tls/openssl.cnf
.
.
(omitted)
.
.
[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType			= server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment			= "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
Regenerating the CSR
Regenerate the CSR.
$ sudo /etc/pki/tls/misc/CA -newreq
Generating a 2048 bit RSA private key
...........................................................................................+++
................................+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:iam-roles-anyware-instance
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
Remove the passphrase from the private key generated along with the CSR. The resulting cert.key is an unencrypted private key, and openssl writes it with the default umask (the newkey.pem above came out 0644), so restrict it (chmod 600) and keep it owned by the user that will run the credential helper.
$ sudo openssl rsa -in newkey.pem -out cert.key
Enter pass phrase for newkey.pem:
writing RSA key
Issuing the certificate
Reissue the certificate.
$ sudo /etc/pki/tls/misc/CA -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: c9:51:f2:e3:01:51:84:c5
        Validity
            Not Before: Jul 12 04:58:36 2022 GMT
            Not After : Jul 12 04:58:36 2023 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            localityName              = Default City
            organizationName          = Default Company Ltd
            commonName                = iam-roles-anyware-instance
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F4:8B:BB:60:C2:33:AA:58:8B:81:E8:00:C2:EE:36:D2:C2:7D:34:1C
            X509v3 Authority Key Identifier:
                keyid:A1:9A:6C:85:B7:B8:DB:03:5E:2C:3F:67:CD:1D:A2:53:E1:C3:1F:D5

Certificate is to be certified until Jul 12 04:58:36 2023 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: c9:51:f2:e3:01:51:84:c5
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Tokyo, O=Default Company Ltd, CN=iam-roles-anyware-ca
        Validity
            Not Before: Jul 12 04:58:36 2022 GMT
            Not After : Jul 12 04:58:36 2023 GMT
        Subject: C=JP, ST=Tokyo, L=Default City, O=Default Company Ltd, CN=iam-roles-anyware-instance
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c0:03:cf:d6:3a:20:f6:ad:74:72:d5:3a:fb:bc:
                    bd:d6:4b:98:f7:2e:11:6e:79:ff:91:83:52:8d:31:
                    e0:c7:0f:75:16:63:26:c9:8f:00:96:44:2b:23:e1:
                    81:eb:11:e2:38:b2:f6:36:56:63:2f:57:75:b3:91:
                    3a:5e:cc:2c:e1:68:f5:de:8a:9d:53:45:e9:8a:38:
                    ef:45:d5:39:b9:ea:79:6a:01:ce:0a:75:91:84:84:
                    3e:98:c6:10:14:9b:3d:1e:79:3d:ea:dc:cb:81:7e:
                    80:51:2d:bc:0b:32:ad:cc:b3:e6:0a:a8:06:83:1d:
                    4a:a6:18:1b:c9:c9:fb:57:cc:0e:bd:98:53:6b:c0:
                    84:7c:60:5d:5c:f9:46:91:88:40:c1:49:4a:fb:2e:
                    ba:9c:14:a4:66:c4:97:44:28:57:17:de:30:58:71:
                    a0:10:5d:18:7f:3d:28:9f:a7:36:c7:0c:8b:39:2e:
                    c2:71:e7:46:0d:21:f8:1b:83:38:d9:24:f5:0c:fe:
                    35:c5:17:8c:72:b7:a4:70:13:e6:7e:36:a5:f3:53:
                    17:5f:6e:64:06:26:8f:a8:8d:8d:47:9d:d4:52:79:
                    12:e9:67:05:d3:a8:91:11:29:28:bc:42:41:54:ca:
                    a1:4c:b5:8c:9d:47:f1:ba:a1:72:81:b6:4c:68:ca:
                    d0:ff
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F4:8B:BB:60:C2:33:AA:58:8B:81:E8:00:C2:EE:36:D2:C2:7D:34:1C
            X509v3 Authority Key Identifier:
                keyid:A1:9A:6C:85:B7:B8:DB:03:5E:2C:3F:67:CD:1D:A2:53:E1:C3:1F:D5

    Signature Algorithm: sha256WithRSAEncryption
         99:58:e3:f2:1c:2d:51:ee:4d:94:35:97:91:ba:70:c7:16:72:
         f6:d4:49:08:62:ca:7e:27:68:d8:f0:1a:07:58:e0:b8:f2:5a:
         d5:11:0c:85:e4:e9:dc:1d:55:f6:5f:7a:8a:9c:3c:26:ba:18:
         fa:83:84:c8:6a:fb:14:08:a2:bc:74:e1:e5:4c:a1:60:59:b3:
         da:73:81:9f:2b:a0:15:90:a8:f5:5c:58:9d:38:c1:49:a7:ef:
         ea:29:f3:22:a8:e6:9b:2c:f6:25:b3:8a:a5:d3:bb:ba:67:a3:
         f8:70:be:f6:22:90:4e:9e:7a:8b:17:04:b3:2f:b3:33:ca:b9:
         66:1b:75:84:60:62:70:a8:60:3b:d3:d9:90:dc:8f:6a:53:7d:
         e6:e5:0c:b8:59:11:68:dc:81:98:91:1e:7f:09:44:a9:7b:47:
         49:47:66:cf:6f:67:18:24:b5:39:93:09:f7:15:c0:92:89:a2:
         db:0d:7c:90:4f:ad:df:d3:48:cd:e4:aa:5d:6f:f2:96:2f:d7:
         50:15:54:2c:24:d7:c6:50:2c:28:c9:33:ff:b9:84:fa:37:8f:
         67:7c:7a:aa:2b:30:08:bd:4f:d6:ff:87:15:8d:33:d9:da:48:
         87:59:bd:d1:c5:6f:26:79:44:e5:3c:e5:53:a9:fc:f9:90:4d:
         45:e7:2c:14
-----BEGIN CERTIFICATE-----
MIID3jCCAsagAwIBAgIJAMlR8uMBUYTFMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV
BAYTAkpQMQ4wDAYDVQQIDAVUb2t5bzEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55
IEx0ZDEdMBsGA1UEAwwUaWFtLXJvbGVzLWFueXdhcmUtY2EwHhcNMjIwNzEyMDQ1
.
.
(omitted)
.
.
FZCo9VxYnTjBSafv6inzIqjmmyz2JbOKpdO7umej+HC+9iKQTp56ixcEsy+zM8q5
Zht1hGBicKhgO9PZkNyPalN95uUMuFkRaNyBmJEefwlEqXtHSUdmz29nGCS1OZMJ
9xXAkomi2w18kE+t39NIzeSqXW/yli/XUBVULCTXxlAsKMkz/7mE+jePZ3x6qisw
CL1P1v+HFY0z2dpIh1m90cVvJnlE5TzlU6n8+ZBNRecsFA==
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
A certificate with Digital Signature in its Key Usage has been issued.
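Two things went wrong on the first attempt: the helper could not read the passphrase-protected key, and the certificate lacked Digital Signature. The script below is an added example, not the post's own commands. It issues an end-entity certificate from an existing CA with the extensions the end-entity requirements call for, written to a per-request extension file instead of the system-wide usr_cert section, strips the passphrase the way openssl rsa did above but with a safe file mode, and then checks the certificate, the key and their pairing before anything is handed to aws_signing_helper. It expects a CA directory with ca.crt and ca.key (the layout of the earlier CA example; any CA produced by openssl works). The function names, the extension file name and the throw-away passphrase are this example's own choices.

```shell
#!/bin/sh
# Added example for this post (not the post's own commands): issue an end-entity
# certificate that meets the IAM Roles Anywhere end-entity requirements from an
# existing CA (CA_DIR/ca.crt + CA_DIR/ca.key), remove the key passphrase safely, and
# check everything the credential helper and the service will look at. Function
# names, file names and the passphrase are this example's own choices.
set -eu

# issue_client_cert CA_DIR OUT_DIR CN
#   Produces OUT_DIR/client.key (encrypted, like `CA -newreq` does), client.csr,
#   client.crt, and client-nopass.key (unencrypted, mode 0600) for aws_signing_helper.
issue_client_cert() {
    ca=$1; out=$2; cn=$3
    mkdir -p "$out"
    umask 077   # every key written below is created 0600
    pass='pass:example-passphrase'   # hypothetical; stands in for the interactive prompt
    # CSR with an encrypted key: feeding client.key to the helper reproduces
    # "unable to parse private key".
    openssl req -new -newkey rsa:2048 -sha256 -subj "/C=JP/CN=$cn" \
        -passout "$pass" -keyout "$out/client.key" -out "$out/client.csr"
    # Extensions the signer adds: CA:FALSE and digitalSignature (the usr_cert fix),
    # plus clientAuth so the certificate cannot be reused as a server certificate.
    printf '%s\n' 'basicConstraints = critical, CA:FALSE' \
        'keyUsage = critical, digitalSignature' \
        'extendedKeyUsage = clientAuth' \
        'subjectKeyIdentifier = hash' \
        'authorityKeyIdentifier = keyid,issuer' > "$out/client.ext"
    openssl x509 -req -sha256 -days 365 -in "$out/client.csr" \
        -CA "$ca/ca.crt" -CAkey "$ca/ca.key" -CAcreateserial \
        -extfile "$out/client.ext" -out "$out/client.crt"
    # Strip the passphrase; the helper only reads unencrypted PEM keys.
    openssl rsa -in "$out/client.key" -passin "$pass" -out "$out/client-nopass.key"
}

# key_is_encrypted KEYFILE -> 0 if the PEM key is passphrase-protected
#   (PKCS#8 "ENCRYPTED PRIVATE KEY", or a legacy key with a Proc-Type header).
key_is_encrypted() {
    grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# check_client_cert CERT -> 0 if CERT meets the end-entity requirements:
#   X.509v3, CA:FALSE, Digital Signature in keyUsage, no MD5/SHA-1 signature.
check_client_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'Version: 3' \
        || { echo "$1: not an X.509v3 certificate" >&2; return 1; }
    printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:FALSE' \
        || { echo "$1: basicConstraints is not CA:FALSE" >&2; return 1; }
    printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Digital Signature' \
        || { echo "$1: keyUsage lacks Digital Signature" >&2; return 1; }
    sigalg=$(printf '%s\n' "$text" | grep -m1 'Signature Algorithm' | awk '{print $3}' | tr 'A-Z' 'a-z')
    case "$sigalg" in
        *md5*|*sha1*) echo "$1: weak signature algorithm $sigalg" >&2; return 1 ;;
    esac
    return 0
}

# key_matches_cert KEY CERT -> 0 if the key's public half is the one in CERT
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Stand-alone usage: sh issue_client.sh CA_DIR OUT_DIR
if [ $# -ge 2 ]; then
    issue_client_cert "$1" "$2" roles-anywhere-instance
    check_client_cert "$2/client.crt" && ! key_is_encrypted "$2/client-nopass.key" \
        && key_matches_cert "$2/client-nopass.key" "$2/client.crt" \
        && echo "OK: pass $2/client.crt and $2/client-nopass.key to aws_signing_helper"
fi
```

Running check_client_cert against the first certificate issued above would have reported the missing Digital Signature before the AccessDeniedException, and key_is_encrypted explains the unable to parse private key error without reading the helper's source.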
Verification (second attempt)
Time for the second test.
Run the credential helper tool again.
$ ./aws_signing_helper credential-process \
    --certificate ./newcert.pem \
    --private-key ./cert.key \
    --trust-anchor-arn arn:aws:rolesanywhere:us-east-1:<AWS account ID>:trust-anchor/5c50d4aa-8d0e-44d3-97d5-e26151d0bb2e \
    --profile-arn arn:aws:rolesanywhere:us-east-1:<AWS account ID>:profile/cdc56346-c267-4d99-a833-dee00070f1b5 \
    --role-arn arn:aws:iam::<AWS account ID>:role/iam-roles-anyware-role
{"Version":1,"AccessKeyId":"ASIA6KUFAVPU6PW4NEHS","SecretAccessKey":"1+Ax0yFTo0+c/WUtBOd6sC4TTOV6QNiLUaNm59He","SessionToken":"IQoJb3JpZ2luX2VjEB0aCXVzLWVhc3QtMSJIMEYCIQDMwkOKlkquq+puUTw2sxRpuJG71UcOdk+eViQ7ueQI0gIhAP8tsyzxtbTkMMREe6Tegxt1a5a4s/qMDbF0bn1i7SuDKpEFCFYQAhoMOTg0OTAwMjE3ODMzIgykrFsEExDiGXIlHIwq7gTy+epUoCvuw8MUmT0JSz+60XN5Yo4Gex6zS0zdWoCIZHVpMKy8K024tgxMSfu14TiCqD+klrwEbX+LvMwhpD7Z79KQGCVcJjM9DRzxc+ZSSoSaAhEspyX9GVfPr8jXJk4BQx/joapqhZmSX00oPurwD9aazi54ni3vBg83RH1BEnIfjE3Yn4wk8vo3DNls4KX/s4GZBWIqW8oqQY+EakEtWrm1jqh78G13t81iCsH8A14vZnSwzSiQUkTH0nfnvcKBUHSelMjeRTuVqur/+oF46gWb5mufHX8C1MyIPKp6ogRvwp5Jp66eSDjmtA17Ee8Qb7HkStL8JYijKDNjh3cFGV/ryXUiPx9mlh0jkpzo5INkPuk2f6wpVuLzx4I7YvlL7b6sgCJnEH0HEaGPgtGFsxRDc2jV2x7JTvtrDRfdQAIUpN7IC2RuaEwfqmq/Glui+LZp/bdQnve1IQxrn2G8Fg7nTPH8cUqSFhVdUNebZOBih4p/0zO/cYYSpJhBotV1lVVJ1BOsN6Hj6pIgyppNX0am4vP8+y5VXtp06WdY5EmCIprNYRse/UEqGzeWeu5iA1R0jZbSxeOeQwNbmYXlDeMNH4b9PHlxAr7sH5WRi5QpzeHmiw60KodJuaqAdA5BJLzNqm2IuawY/J6zg0N04Fps0mk1saBfmTpw/M3f2Gy46KE3n3qGeKpjV2I1VkaujGB1GYwk+V/1p48VI0LtnxxV9esItMCMw+1aLY3dgIddy4P+9bo5VJE3n5N5eS2vjK3Edrj6rJhd0td+tzTLZ/0bBmDKmnfmc79f7mZjWWXGYB/3Hb1g9Ro8VpwiMNf/s5YGOsIB1GN2GSMSvrnaOSKmlFGKKT/G/9KVIQhsJwqYZbXtQVmhK76JM7O1kupo1wZR9W55W4E8Es8TQnX0NkXqBSB9FcsaqioOGPmA11BuahQRd57f0+4Fe0UDn9N7gvHis3aayV+eKCR8QEiqBui09GnSrsuknxRUf3Nb3MpcYOkCjNnDToGg3B17KztrVQ4wGLaEh1yeoq5Sv6AK8eWbeyR6dyocfDlDV7NRGhdexCf0R5f7p4SrcyJElk8jDjoV/GNDcNo=","Expiration":"2022-07-12T06:00:07Z"}
An access key ID, secret access key, and session token were output.
Let's put the output values into environment variables and run the AWS CLI.
```
# Add the credentials to environment variables
$ export AWS_ACCESS_KEY_ID=ASIA6KUFAVPU6PW4NEHS
$ export AWS_SECRET_ACCESS_KEY=1+Ax0yFTo0+c/WUtBOd6sC4TTOV6QNiLUaNm59He
$ export AWS_SESSION_TOKEN=<session token>

# Check the EC2 instance details with the AWS CLI
$ aws ec2 describe-instances \
    --instance-ids i-0fd11c3a1398908bb \
    --region us-east-1
{
    "Reservations": [
        {
            "Instances": [
                {
                    "Monitoring": {
                        "State": "disabled"
                    },
                    "PublicDnsName": "ec2-3-235-121-71.compute-1.amazonaws.com",
                    "State": {
                        "Code": 16,
                        "Name": "running"
                    },
                    "EbsOptimized": true,
                    "LaunchTime": "2022-07-12T02:19:53.000Z",
                    "PublicIpAddress": "3.235.121.71",
                    "PrivateIpAddress": "172.31.14.187",
                    "ProductCodes": [],
                    "VpcId": "vpc-0e0796981cea634c1",
                    "CpuOptions": {
                        "CoreCount": 1,
                        "ThreadsPerCore": 2
                    },
                    "StateTransitionReason": "",
                    "InstanceId": "i-0fd11c3a1398908bb",
                    "EnaSupport": true,
                    "ImageId": "ami-0cff7528ff583bf9a",
                    "PrivateDnsName": "ip-172-31-14-187.ec2.internal",
                    "KeyName": "xxxxx",
                    "SecurityGroups": [
                        {
                            "GroupName": "default",
                            "GroupId": "sg-09833fa43dc030900"
                        }
                    ],
                    "ClientToken": "",
                    "SubnetId": "subnet-0355def964cb72d89",
                    "InstanceType": "t3.micro",
                    "CapacityReservationSpecification": {
                        "CapacityReservationPreference": "open"
                    },
                    "NetworkInterfaces": [
                        {
                            "Status": "in-use",
                            "MacAddress": "02:b9:5a:24:d9:17",
                            "SourceDestCheck": true,
                            "VpcId": "vpc-0e0796981cea634c1",
                            "Description": "",
                            "NetworkInterfaceId": "eni-0f74de6b95007f850",
                            "PrivateIpAddresses": [
                                {
                                    "PrivateDnsName": "ip-172-31-14-187.ec2.internal",
                                    "PrivateIpAddress": "172.31.14.187",
                                    "Primary": true,
                                    "Association": {
                                        "PublicIp": "3.235.121.71",
                                        "PublicDnsName": "ec2-3-235-121-71.compute-1.amazonaws.com",
                                        "IpOwnerId": "amazon"
                                    }
                                }
                            ],
                            "PrivateDnsName": "ip-172-31-14-187.ec2.internal",
                            "InterfaceType": "interface",
                            "Attachment": {
                                "Status": "attached",
                                "DeviceIndex": 0,
                                "DeleteOnTermination": true,
                                "AttachmentId": "eni-attach-055395aa5ba0c57bc",
                                "AttachTime": "2022-07-12T02:19:53.000Z"
                            },
                            "Groups": [
                                {
                                    "GroupName": "default",
                                    "GroupId": "sg-09833fa43dc030900"
                                }
                            ],
                            "Ipv6Addresses": [],
                            "OwnerId": "<AWS account ID>",
                            "PrivateIpAddress": "172.31.14.187",
                            "SubnetId": "subnet-0355def964cb72d89",
                            "Association": {
                                "PublicIp": "3.235.121.71",
                                "PublicDnsName": "ec2-3-235-121-71.compute-1.amazonaws.com",
                                "IpOwnerId": "amazon"
                            }
                        }
                    ],
                    "SourceDestCheck": true,
                    "Placement": {
                        "Tenancy": "default",
                        "GroupName": "",
                        "AvailabilityZone": "us-east-1b"
                    },
                    "Hypervisor": "xen",
                    "InstanceLifecycle": "spot",
                    "BlockDeviceMappings": [
                        {
                            "DeviceName": "/dev/xvda",
                            "Ebs": {
                                "Status": "attached",
                                "DeleteOnTermination": true,
                                "VolumeId": "vol-0b0d9d6737487a8cf",
                                "AttachTime": "2022-07-12T02:19:54.000Z"
                            }
                        }
                    ],
                    "Architecture": "x86_64",
                    "RootDeviceType": "ebs",
                    "IamInstanceProfile": {
                        "Id": "AIPA6KUFAVPU6UWS3OMTH",
                        "Arn": "arn:aws:iam::<AWS account ID>:instance-profile/AmazonSSMRoleForInstancesQuickSetup"
                    },
                    "RootDeviceName": "/dev/xvda",
                    "VirtualizationType": "hvm",
                    "Tags": [
                        {
                            "Value": "ca",
                            "Key": "Name"
                        }
                    ],
                    "SpotInstanceRequestId": "sir-abredmeg",
                    "HibernationOptions": {
                        "Configured": false
                    },
                    "MetadataOptions": {
                        "State": "applied",
                        "HttpEndpoint": "enabled",
                        "HttpTokens": "optional",
                        "HttpPutResponseHopLimit": 1
                    },
                    "AmiLaunchIndex": 0
                }
            ],
            "ReservationId": "r-0433f26b704769217",
            "Groups": [],
            "OwnerId": "<AWS account ID>"
        }
    ]
}
```
The EC2 instance details could be retrieved with the AWS CLI.
Let's also confirm that the AWS CLI works when the credential helper command is registered in ~/.aws/config.
First, clear the credential environment variables.
```
# Clear the environment variables
$ unset AWS_ACCESS_KEY_ID
$ unset AWS_SECRET_ACCESS_KEY
$ unset AWS_SESSION_TOKEN

# Confirm that the environment variables have been cleared
$ echo $AWS_ACCESS_KEY_ID

$ echo $AWS_SECRET_ACCESS_KEY

$ echo $AWS_SESSION_TOKEN

```
Register the credential helper command in ~/.aws/config.
```
# Create the directory
$ mkdir ~/.aws

# Create ~/.aws/config
$ vi ~/.aws/config

# Check the contents of ~/.aws/config
$ cat ~/.aws/config
[default]
credential_process = ./aws_signing_helper credential-process --certificate /usr/bin/newcert.pem --private-key /usr/bin/cert.key --trust-anchor-arn arn:aws:rolesanywhere:us-east-1:<AWS account ID>:trust-anchor/5c50d4aa-8d0e-44d3-97d5-e26151d0bb2e --profile-arn arn:aws:rolesanywhere:us-east-1:<AWS account ID>:profile/cdc56346-c267-4d99-a833-dee00070f1b5 --role-arn arn:aws:iam::<AWS account ID>:role/iam-roles-anyware-role
```
Confirm that the role can be assumed without a ~/.aws/credentials file.
```
# Confirm that ~/.aws/credentials does not exist
$ ls -l ~/.aws
total 4
-rw-r--r-- 1 ssm-user ssm-user 431 Jul 12 05:44 config

# Confirm that the role can be assumed
$ aws sts get-caller-identity
{
    "Account": "<AWS account ID>",
    "UserId": "AROA6KUFAVPUU5M2Q3OWY:00c951f2e3015184c5",
    "Arn": "arn:aws:sts::<AWS account ID>:assumed-role/iam-roles-anyware-role/00c951f2e3015184c5"
}
```
We confirmed that the iam-roles-anyware-role we created can be assumed.
Checking CloudTrail, a CreateSession event was recorded as shown below. The userAgent of CredHelper/1.0.0 (go1.18.2; linux; amd64) tells us that the access came from the credential helper tool.
```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Unknown",
        "principalId": "",
        "arn": "",
        "accountId": "<AWS account ID>",
        "accessKeyId": "",
        "userName": ""
    },
    "eventTime": "2022-07-12T08:32:10Z",
    "eventSource": "rolesanywhere.amazonaws.com",
    "eventName": "CreateSession",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "3.239.222.193",
    "userAgent": "CredHelper/1.0.0 (go1.18.2; linux; amd64)",
    "requestParameters": {
        "cert": "MIID3jCCAsagAwIBAgIJAMlR8uMBUYTFMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNVBAYTAkpQMQ4wDAYDVQQIDAVUb2t5bzEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDEdMBsGA1UEAwwUaWFtLXJvbGVzLWFueXdhcmUtY2EwHhcNMjIwNzEyMDQ1ODM2WhcNMjMwNzEyMDQ1ODM2WjB3MQswCQYDVQQGEwJKUDEOMAwGA1UECAwFVG9reW8xFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDEjMCEGA1UEAwwaaWFtLXJvbGVzLWFueXdhcmUtaW5zdGFuY2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAA8/WOiD2rXRy1Tr7vL3WS5j3LhFuef+Rg1KNMeDHD3UWYybJjwCWRCsj4YHrEeI4svY2VmMvV3WzkTpezCzhaPXeip1TRemKOO9F1Tm56nlqAc4KdZGEhD6YxhAUmz0eeT3q3MuBfoBRLbwLMq3Ms+YKqAaDHUqmGBvJyftXzA69mFNrwIR8YF1c+UaRiEDBSUr7LrqcFKRmxJdEKFcX3jBYcaAQXRh/PSifpzbHDIs5LsJx50YNIfgbgzjZJPUM/jXFF4xyt6RwE+Z+NqXzUxdfbmQGJo+ojY1HndRSeRLpZwXTqJERKSi8QkFUyqFMtYydR/G6oXKBtkxoytD/AgMBAAGjgYkwgYYwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBT0i7tgwjOqWIuB6ADC7jbSwn00HDAfBgNVHSMEGDAWgBShmmyFt7jbA14sP2fNHaJT4cMf1TANBgkqhkiG9w0BAQsFAAOCAQEAmVjj8hwtUe5NlDWXkbpwxxZy9tRJCGLKfido2PAaB1jguPJa1REMheTp3B1V9l96ipw8JroY+oOEyGr7FAiivHTh5UyhYFmz2nOBnyugFZCo9VxYnTjBSafv6inzIqjmmyz2JbOKpdO7umej+HC+9iKQTp56ixcEsy+zM8q5Zht1hGBicKhgO9PZkNyPalN95uUMuFkRaNyBmJEefwlEqXtHSUdmz29nGCS1OZMJ9xXAkomi2w18kE+t39NIzeSqXW/yli/XUBVULCTXxlAsKMkz/7mE+jePZ3x6qiswCL1P1v+HFY0z2dpIh1m90cVvJnlE5TzlU6n8+ZBNRecsFA==",
        "durationSeconds": 3600,
        "profileArn": "arn:aws:rolesanywhere:us-east-1:<AWS account ID>:profile/cdc56346-c267-4d99-a833-dee00070f1b5",
        "roleArn": "arn:aws:iam::<AWS account ID>:role/iam-roles-anyware-role",
        "trustAnchorArn": "arn:aws:rolesanywhere:us-east-1:<AWS account ID>:trust-anchor/5c50d4aa-8d0e-44d3-97d5-e26151d0bb2e"
    },
    "responseElements": {
        "credentialSet": [
            {
                "assumedRoleUser": {
                    "arn": "arn:aws:sts::<AWS account ID>:assumed-role/iam-roles-anyware-role/00c951f2e3015184c5",
                    "assumedRoleId": "AROA6KUFAVPUU5M2Q3OWY:00c951f2e3015184c5"
                },
                "credentials": {
                    "accessKeyId": "ASIA6KUFAVPUSIOVTSM4",
                    "expiration": "2022-07-12T09:32:10Z",
                    "secretAccessKey": "HIDDEN_DUE_TO_SECURITY_REASONS",
                    "sessionToken": "<session token>"
                },
                "packedPolicySize": 55,
                "roleArn": "arn:aws:iam::<AWS account ID>:role/iam-roles-anyware-role",
                "sourceIdentity": "CN=iam-roles-anyware-instance"
            }
        ],
        "subjectArn": "arn:aws:rolesanywhere:us-east-1:<AWS account ID>:subject/6334a30e-14fd-4fc5-9262-6e67267c42dc",
        "x509Subject": "C=JP,ST=Tokyo,L=Default City,O=Default Company Ltd,CN=iam-roles-anyware-instance"
    },
    "requestID": "fae5107a-30ed-4216-af36-62baef51824c",
    "eventID": "7a0e47fd-07b8-47d8-9e21-c805a76e4d3e",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "<AWS account ID>",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "rolesanywhere.us-east-1.amazonaws.com"
    }
}
```
Now let's check the EBS volume information with the AWS CLI.
```
$ aws ec2 describe-volumes \
    --filters Name=attachment.instance-id,Values=i-0fd11c3a1398908bb \
    --region us-east-1
{
    "Volumes": [
        {
            "AvailabilityZone": "us-east-1b",
            "Attachments": [
                {
                    "AttachTime": "2022-07-12T02:19:54.000Z",
                    "InstanceId": "i-0fd11c3a1398908bb",
                    "VolumeId": "vol-0b0d9d6737487a8cf",
                    "State": "attached",
                    "DeleteOnTermination": true,
                    "Device": "/dev/xvda"
                }
            ],
            "Encrypted": false,
            "VolumeType": "gp3",
            "VolumeId": "vol-0b0d9d6737487a8cf",
            "State": "in-use",
            "Iops": 3000,
            "SnapshotId": "snap-08f1069dfde2007ba",
            "CreateTime": "2022-07-12T02:19:54.234Z",
            "MultiAttachEnabled": false,
            "Size": 8
        }
    ]
}
```
Sure enough, the EBS volume information could be retrieved with the AWS CLI.
Checking CloudTrail, a DescribeVolumes event was recorded as shown below. The invokedBy of rolesanywhere.amazonaws.com tells us that this operation was performed through the IAM Roles Anywhere profile.
```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROA6KUFAVPUU5M2Q3OWY:00c951f2e3015184c5",
        "arn": "arn:aws:sts::<AWS account ID>:assumed-role/iam-roles-anyware-role/00c951f2e3015184c5",
        "accountId": "<AWS account ID>",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROA6KUFAVPUU5M2Q3OWY",
                "arn": "arn:aws:iam::<AWS account ID>:role/iam-roles-anyware-role",
                "accountId": "<AWS account ID>",
                "userName": "iam-roles-anyware-role"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2022-07-12T08:32:10Z",
                "mfaAuthenticated": "false"
            },
            "sourceIdentity": "CN=iam-roles-anyware-instance"
        },
        "invokedBy": "rolesanywhere.amazonaws.com"
    },
    "eventTime": "2022-07-12T08:32:10Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "DescribeVolumes",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "rolesanywhere.amazonaws.com",
    "userAgent": "rolesanywhere.amazonaws.com",
    "requestParameters": {
        "volumeSet": {},
        "filterSet": {
            "items": [
                {
                    "name": "attachment.instance-id",
                    "valueSet": {
                        "items": [
                            {
                                "value": "i-0fd11c3a1398908bb"
                            }
                        ]
                    }
                }
            ]
        }
    },
    "responseElements": null,
    "requestID": "86bf8acb-d85c-4f9f-b412-971ff4e5f4db",
    "eventID": "6bb32c87-5f95-4a27-8565-6efc3b6b44f7",
    "readOnly": true,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "<AWS account ID>",
    "eventCategory": "Management"
}
```
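The two CloudTrail records above can be picked out of a trail by the same fields the post reads by hand: eventSource/eventName for the CreateSession call, and userIdentity.invokedBy plus sessionContext.sourceIdentity for the API calls made afterwards. The following Python script is an added example, not code from the original post or from AWS; it runs that logic over constructed CloudTrail records (the account ID, trust anchor ID and the unrelated GetCallerIdentity record are made up) and groups sessions and calls by certificate subject.

```python
import json

# Constructed CloudTrail records (not real logs), trimmed to the fields used
# below; their shape follows the CreateSession and DescribeVolumes events above.
SAMPLE_LOG = json.dumps([
    {"eventSource": "rolesanywhere.amazonaws.com", "eventName": "CreateSession",
     "eventTime": "2022-07-12T08:32:10Z", "userIdentity": {"type": "Unknown"},
     "userAgent": "CredHelper/1.0.0 (go1.18.2; linux; amd64)",
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/iam-roles-anyware-role",
                           "trustAnchorArn": "arn:aws:rolesanywhere:us-east-1:111122223333:trust-anchor/EXAMPLE-ID"},
     "responseElements": {"credentialSet": [{"credentials": {"expiration": "2022-07-12T09:32:10Z"},
                                             "sourceIdentity": "CN=iam-roles-anyware-instance"}]}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeVolumes",
     "userIdentity": {"type": "AssumedRole", "invokedBy": "rolesanywhere.amazonaws.com",
                      "sessionContext": {"sessionIssuer": {"userName": "iam-roles-anyware-role"},
                                         "sourceIdentity": "CN=iam-roles-anyware-instance"}}},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
])

def is_roles_anywhere_session(event):
    """CreateSession from the credential helper: a certificate, not an IAM
    principal, did the authenticating, which is why userIdentity.type is Unknown."""
    return (event.get("eventSource") == "rolesanywhere.amazonaws.com"
            and event.get("eventName") == "CreateSession")

def invoked_via_roles_anywhere(event):
    """A later API call made with the credentials of a Roles Anywhere session."""
    return event.get("userIdentity", {}).get("invokedBy") == "rolesanywhere.amazonaws.com"

def summarize(log_text):
    """Group sessions and the calls made with them by certificate subject,
    which CloudTrail carries as sourceIdentity in both kinds of event."""
    report = {}
    for ev in json.loads(log_text):
        if is_roles_anywhere_session(ev):
            cred = ev["responseElements"]["credentialSet"][0]
            entry = report.setdefault(cred["sourceIdentity"], {"sessions": [], "calls": []})
            entry["sessions"].append({
                "time": ev["eventTime"],
                "role": ev["requestParameters"]["roleArn"],
                "trust_anchor": ev["requestParameters"]["trustAnchorArn"],
                "user_agent": ev.get("userAgent", ""),
                "expires": cred["credentials"]["expiration"]})
        elif invoked_via_roles_anywhere(ev):
            subject = ev["userIdentity"]["sessionContext"]["sourceIdentity"]
            entry = report.setdefault(subject, {"sessions": [], "calls": []})
            entry["calls"].append(ev["eventSource"] + ":" + ev["eventName"])
    return report
```

Running `summarize(SAMPLE_LOG)` yields one entry keyed by `CN=iam-roles-anyware-instance` with a single session and the DescribeVolumes call; the IAM user's GetCallerIdentity is left out because it has neither marker.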
Self-signed certificates created with OpenSSL work with IAM Roles Anywhere
I tried using IAM Roles Anywhere with a self-signed certificate created with OpenSSL.
Being able to obtain credentials with nothing but a certificate and a private key is exactly what IAM Roles Anywhere is about, and it was very interesting.
Incidentally, when I deleted the IAM Roles Anywhere profile or the trust anchor, the following errors were output.
```
# When the profile has been deleted
$ aws sts get-caller-identity

Error when retrieving credentials from custom-process: 2022/07/12 08:45:43 ResourceNotFoundException: Profile not found.

# When the trust anchor has been deleted
$ aws sts get-caller-identity

Error when retrieving credentials from custom-process: 2022/07/12 08:47:15 AccessDeniedException: Specified Trust Anchor wasn't found.
```
If you see errors like the ones above, the IAM Roles Anywhere configuration may be incomplete.
I hope this article helps someone.
That's all from のんピ (@non____97), Consulting Department, AWS Business Division!