Isn't this where an OpenSSL private CA comes in?
Hello, this is non-P (@non____97).
Have you ever wanted to use IAM Roles Anywhere? I have.
Others have already verified that it lets you run the AWS CLI without issuing access keys.
So I decided to test whether IAM Roles Anywhere also works with a self-signed certificate created with OpenSSL.
Summary up front
- IAM Roles Anywhere works with a self-signed certificate created with OpenSSL
- The passphrase must be removed from the certificate's private key
- Check the requirements for certificates used with IAM Roles Anywhere carefully
Creating the private CA
Editing /etc/pki/tls/openssl.cnf
Let's create the private CA.
Amazon Linux 2 (and the RHEL 7 family of OSes in general) ships /etc/pki/tls/misc/CA, a script that makes it easy to create a private CA.
$ cat /etc/pki/tls/misc/CA
#!/bin/sh
#
# CA - wrapper around ca to make it easier to use ... basically ca requires
# some setup stuff to be done before you can use it and this makes
# things easier between now and when Eric is convinced to fix it :-)
#
# CA -newca ... will setup the right stuff
# CA -newreq ... will generate a certificate request
# CA -sign ... will sign the generated request and output
#
# At the end of that grab newreq.pem and newcert.pem (one has the key
# and the other the certificate) and cat them together and that is what
# you want/need ... I'll make even this a little cleaner later.
#
#
# 12-Jan-96 tjh Added more things ... including CA -signcert which
# converts a certificate to a request and then signs it.
# 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG
# environment variable so this can be driven from
# a script.
# 25-Jul-96 eay Cleaned up filenames some more.
# 11-Jun-96 eay Fixed a few filename missmatches.
# 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'.
# 18-Apr-96 tjh Original hacking
#
# Tim Hudson
# tjh@cryptsoft.com
#
# default openssl.cnf file has setup as per the following
# demoCA ... where everything is stored
cp_pem() {
infile=$1
outfile=$2
bound=$3
flag=0
exec <$infile;
while read line; do
if [ $flag -eq 1 ]; then
echo $line|grep "^-----END.*$bound" 2>/dev/null 1>/dev/null
if [ $? -eq 0 ] ; then
echo $line >>$outfile
break
else
echo $line >>$outfile
fi
fi
echo $line|grep "^-----BEGIN.*$bound" 2>/dev/null 1>/dev/null
if [ $? -eq 0 ]; then
echo $line >$outfile
flag=1
fi
done
}
usage() {
echo "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2
}
if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi
if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi # 1 year
CADAYS="-days 1095" # 3 years
REQ="$OPENSSL req $SSLEAY_CONFIG"
CA="$OPENSSL ca $SSLEAY_CONFIG"
VERIFY="$OPENSSL verify"
X509="$OPENSSL x509"
PKCS12="openssl pkcs12"
if [ -z "$CATOP" ] ; then CATOP=/etc/pki/CA ; fi
CAKEY=./cakey.pem
CAREQ=./careq.pem
CACERT=./cacert.pem
RET=0
while [ "$1" != "" ] ; do
case $1 in
-\?|-h|-help)
usage
exit 0
;;
-newcert)
# create a certificate
$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
RET=$?
echo "Certificate is in newcert.pem, private key is in newkey.pem"
;;
-newreq)
# create a certificate request
$REQ -new -keyout newkey.pem -out newreq.pem $DAYS
RET=$?
echo "Request is in newreq.pem, private key is in newkey.pem"
;;
-newreq-nodes)
# create a certificate request
$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
RET=$?
echo "Request (and private key) is in newreq.pem"
;;
-newca)
# if explicitly asked for or it doesn't exist then setup the directory
# structure that Eric likes to manage things
NEW="1"
if [ "$NEW" -o ! -f ${CATOP}/serial ]; then
# create the directory hierarchy
mkdir -p ${CATOP}
mkdir -p ${CATOP}/certs
mkdir -p ${CATOP}/crl
mkdir -p ${CATOP}/newcerts
mkdir -p ${CATOP}/private
touch ${CATOP}/index.txt
fi
if [ ! -f ${CATOP}/private/$CAKEY ]; then
echo "CA certificate filename (or enter to create)"
read FILE
# ask user for existing CA certificate
if [ "$FILE" ]; then
cp_pem $FILE ${CATOP}/private/$CAKEY PRIVATE
cp_pem $FILE ${CATOP}/$CACERT CERTIFICATE
RET=$?
if [ ! -f "${CATOP}/serial" ]; then
$X509 -in ${CATOP}/$CACERT -noout -next_serial \
-out ${CATOP}/serial
fi
else
echo "Making CA certificate ..."
$REQ -new -keyout ${CATOP}/private/$CAKEY \
-out ${CATOP}/$CAREQ
$CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \
-keyfile ${CATOP}/private/$CAKEY -selfsign \
-extensions v3_ca \
-infiles ${CATOP}/$CAREQ
RET=$?
fi
fi
;;
-xsign)
$CA -policy policy_anything -infiles newreq.pem
RET=$?
;;
-pkcs12)
if [ -z "$2" ] ; then
CNAME="My Certificate"
else
CNAME="$2"
fi
$PKCS12 -in newcert.pem -inkey newreq.pem -certfile ${CATOP}/$CACERT \
-out newcert.p12 -export -name "$CNAME"
RET=$?
exit $RET
;;
-sign|-signreq)
$CA -policy policy_anything -out newcert.pem -infiles newreq.pem
RET=$?
cat newcert.pem
echo "Signed certificate is in newcert.pem"
;;
-signCA)
$CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem
RET=$?
echo "Signed CA certificate is in newcert.pem"
;;
-signcert)
echo "Cert passphrase will be requested twice - bug?"
$X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
$CA -policy policy_anything -out newcert.pem -infiles tmp.pem
RET=$?
cat newcert.pem
echo "Signed certificate is in newcert.pem"
;;
-verify)
shift
if [ -z "$1" ]; then
$VERIFY -CAfile $CATOP/$CACERT newcert.pem
RET=$?
else
for j
do
$VERIFY -CAfile $CATOP/$CACERT $j
if [ $? != 0 ]; then
RET=$?
fi
done
fi
exit $RET
;;
*)
echo "Unknown arg $i" >&2
usage
exit 1
;;
esac
shift
done
exit $RET
With this script you can create a CA, generate CSRs, and issue certificates.
By default the script refers to the OpenSSL configuration file /etc/pki/tls/openssl.cnf.
Certificates used as IAM Roles Anywhere trust anchors have the following requirements.
Certificates used as trust anchors must satisfy the same requirements for signature algorithm, but with the following differences:
- The key usage must include Digital Signature, Certificate Sign, and CRL Sign.
- Basic constraints must include CA: true.
Trust model in AWS Identity and Access Management Roles Anywhere - IAM Roles Anywhere
The v3_ca section in the default /etc/pki/tls/openssl.cnf does not include Digital Signature in keyUsage (the keyUsage line is commented out entirely).
$ cat /etc/pki/tls/openssl.cnf
.
.
(snip)
.
.
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
If you try to register a private CA certificate that lacks Digital Signature as a trust anchor, it fails with the error Incorrect basic constraints for CA certificate.
So we edit keyUsage in the v3_ca section of /etc/pki/tls/openssl.cnf.
# Edit /etc/pki/tls/openssl.cnf
$ sudo vi /etc/pki/tls/openssl.cnf
# Check the edited content
$ cat /etc/pki/tls/openssl.cnf
.
.
(snip)
.
.
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
keyUsage = cRLSign, keyCertSign, digitalSignature
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
Creating the private CA
Now let's create the private CA.
$ sudo /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 2048 bit RSA private key
..............................................+++
......................................................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:iam-roles-anyware-ca
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
c9:51:f2:e3:01:51:84:c2
Validity
Not Before: Jul 12 02:28:00 2022 GMT
Not After : Jul 11 02:28:00 2025 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
organizationName = Default Company Ltd
commonName = iam-roles-anyware-ca
X509v3 extensions:
X509v3 Subject Key Identifier:
A1:9A:6C:85:B7:B8:DB:03:5E:2C:3F:67:CD:1D:A2:53:E1:C3:1F:D5
X509v3 Authority Key Identifier:
keyid:A1:9A:6C:85:B7:B8:DB:03:5E:2C:3F:67:CD:1D:A2:53:E1:C3:1F:D5
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
Certificate is to be certified until Jul 11 02:28:00 2025 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
Key Usage is Digital Signature, Certificate Sign, CRL Sign, exactly as required. Basic Constraints is also CA:TRUE.
Extract the certificate portion from the private CA's certificate file /etc/pki/CA/cacert.pem.
$ openssl x509 -in /etc/pki/CA/cacert.pem
-----BEGIN CERTIFICATE-----
MIIDlDCCAnygAwIBAgIJAMlR8uMBUYTCMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV
BAYTAkpQMQ4wDAYDVQQIDAVUb2t5bzEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55
IEx0ZDEdMBsGA1UEAwwUaWFtLXJvbGVzLWFueXdhcmUtY2EwHhcNMjIwNzEyMDIy
.
.
(snip)
.
.
EzpiIMsvi6j+EOAH/7344zYfqooylepZfnR9BIc/+fVnnYLXesOTlK8GmHsBQzj9
aFuLhsxXAkqXuYrMFFHYXX9Ri+hOX0sSXNS4FuyqVqtSBEmmPMfidCkGZ7HRw7hI
2oS2w2Pjdto=
-----END CERTIFICATE-----
Creating the trust anchor
Next, create the trust anchor.
From the IAM console, click Roles, then Manage.
Click Create a trust anchor.
Enter a trust anchor name. For the Certificate authority (CA) source, select External certificate bundle, paste the private CA certificate you extracted earlier into the text area, and click Create a trust anchor.
Confirm that it has been added to the list of trust anchors.
Also note the trust anchor's ARN, as it is used later.
Creating the IAM role
Next, create the IAM role to be used with IAM Roles Anywhere.
The trusted entity of the IAM role must allow IAM Roles Anywhere to assume it, as follows.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "rolesanywhere.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:SetSourceIdentity",
        "sts:TagSession"
      ]
    }
  ]
}
I used AmazonEC2ReadOnlyAccess as the IAM policy.
Creating the profile
Create a profile to associate the IAM role you just created with IAM Roles Anywhere.
Click Create a profile.
Enter a profile name and select the IAM role created earlier. Leave the session policy unchanged and click Create a profile.
Confirm that it has been added to the list of profiles.
Note the profile's ARN as well, as it is used later.
Issuing the certificate
Generating the CSR
Now issue the end-entity certificate for IAM Roles Anywhere.
First, generate a CSR for the certificate.
$ sudo /etc/pki/tls/misc/CA -newreq
Generating a 2048 bit RSA private key
................+++
..+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:iam-roles-anyware-instance
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
The CSR was generated.
$ ls -l newreq.pem
-rw-r--r-- 1 root root 1025 Jul 12 02:55 newreq.pem
$ cat newreq.pem
-----BEGIN CERTIFICATE REQUEST-----
MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCSlAxDjAMBgNVBAgMBVRva3lvMRUwEwYD
VQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQx
IzAhBgNVBAMMGmlhbS1yb2xlcy1hbnl3YXJlLWluc3RhbmNlMIIBIjANBgkqhkiG
.
.
(snip)
.
.
3HYGFwUKaAMuaP5zytSodJz1iGP9RSIsYLGteExwozdwXoXDXD9FPbeC1EWEHtSY
iVjhmgmFUkyT78AoTMTXR5dO0sD6NB8eg4Z+vnuWNrGf/8mvQoqib8fkUyA5DVt4
sHtz1uesOimEoP/eVX7vkRDlsLpn2XN+1HWQvoe+VVAL9/6rIcyPe9xVIKIebxKY
54efl9z3gwPk9bFJkWmSZeqEXOF31fj9sk84imHqcJg=
-----END CERTIFICATE REQUEST-----
A private key was generated as well. Since it begins with BEGIN ENCRYPTED PRIVATE KEY, the passphrase is still set on it.
$ ls -l newkey.pem
-rw-r--r-- 1 root root 1834 Jul 12 02:55 newkey.pem
$ cat newkey.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
.
.
(snip)
.
.
-----END ENCRYPTED PRIVATE KEY-----
Issuing the certificate
Now issue the certificate.
$ sudo /etc/pki/tls/misc/CA -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
c9:51:f2:e3:01:51:84:c3
Validity
Not Before: Jul 12 03:01:40 2022 GMT
Not After : Jul 12 03:01:40 2023 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
localityName = Default City
organizationName = Default Company Ltd
commonName = iam-roles-anyware-instance
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
97:C6:D2:8B:E0:D7:6A:B8:08:92:10:0E:5B:D7:93:48:BE:00:55:FF
X509v3 Authority Key Identifier:
keyid:A1:9A:6C:85:B7:B8:DB:03:5E:2C:3F:67:CD:1D:A2:53:E1:C3:1F:D5
Certificate is to be certified until Jul 12 03:01:40 2023 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c9:51:f2:e3:01:51:84:c3
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=JP, ST=Tokyo, O=Default Company Ltd, CN=iam-roles-anyware-ca
Validity
Not Before: Jul 12 03:01:40 2022 GMT
Not After : Jul 12 03:01:40 2023 GMT
Subject: C=JP, ST=Tokyo, L=Default City, O=Default Company Ltd, CN=iam-roles-anyware-instance
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:bb:32:bc:de:5e:a8:58:f4:c2:e4:8e:e7:d4:72:
dc:5a:b7:f2:e6:62:44:83:76:d8:15:8a:12:da:ee:
a0:72:73:05:2b:4f:bd:89:e8:bf:a7:8d:e5:27:20:
2b:b2:33:72:45:01:b2:ca:15:38:4d:47:10:ab:84:
05:a0:b9:ef:b5:11:2b:6b:be:ac:28:2f:83:35:36:
9d:98:f7:9d:53:59:b5:b3:3c:3e:22:ec:b5:20:75:
5e:b9:46:c9:5d:66:95:e3:0b:1b:33:92:0b:81:ba:
68:d4:03:98:bc:b1:69:d1:d6:6a:21:93:37:84:51:
91:89:e7:12:e6:ea:74:05:8c:1c:f1:19:07:8c:75:
39:c5:09:e6:08:e4:21:72:ed:ac:5a:4c:0a:5d:a1:
ad:6e:b3:20:46:fd:c9:3f:c9:96:9d:0c:ec:ba:f3:
1c:99:dd:e8:d0:14:fe:71:5d:57:1e:6b:22:ce:37:
6d:6b:fc:9f:3a:b9:ae:c5:f3:da:6b:e1:41:6e:2f:
b5:bd:cb:0b:55:11:bb:03:1a:11:0c:bb:ef:c7:42:
3b:ce:fc:fe:6a:6c:2d:0c:15:56:dd:dd:ad:46:31:
79:8c:8f:b0:64:cc:40:d8:70:58:6a:be:a8:de:5c:
db:c3:b1:1b:aa:14:ec:97:df:16:76:6d:db:df:ec:
a2:61
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
97:C6:D2:8B:E0:D7:6A:B8:08:92:10:0E:5B:D7:93:48:BE:00:55:FF
X509v3 Authority Key Identifier:
keyid:A1:9A:6C:85:B7:B8:DB:03:5E:2C:3F:67:CD:1D:A2:53:E1:C3:1F:D5
Signature Algorithm: sha256WithRSAEncryption
8f:55:45:04:5f:32:bd:94:c1:b6:03:e2:95:ef:07:8e:77:c0:
03:72:87:93:60:00:5c:b9:12:3a:cd:19:78:3b:4e:89:24:9e:
dd:46:b4:b8:3a:2a:40:ca:fc:5a:59:6b:1b:f6:8d:eb:6e:5e:
86:a0:0f:b9:2e:09:4e:00:24:7d:55:5e:58:88:43:b3:b5:b1:
5c:e6:8d:ee:d2:d6:16:95:2f:75:34:ea:ac:fd:ec:82:88:12:
64:82:ba:0a:b0:34:0b:92:76:db:02:72:e5:26:98:d1:4b:dd:
3c:fb:bd:83:61:46:40:fb:27:ee:b0:ae:aa:6e:a7:07:b8:5e:
48:81:1f:12:9e:4e:39:78:4d:f4:71:91:72:c8:c4:b5:1a:b0:
8c:2d:51:d8:bc:92:0b:d6:2c:3f:27:2a:eb:e6:af:2f:f5:1a:
75:12:5c:80:cf:98:57:d5:11:05:c2:62:63:c2:52:fb:72:3e:
c9:9e:c8:ba:02:51:92:7d:9d:3c:16:80:48:c2:a4:05:77:23:
07:b4:0c:a5:57:04:62:63:41:6e:88:ed:2c:6a:9c:32:16:eb:
c0:4d:cb:82:e6:41:4c:4f:d9:76:7f:d0:2c:f6:14:4d:13:2d:
e1:90:29:c8:8e:56:b2:8f:6e:56:c4:08:2a:ab:db:37:92:a8:
48:57:f1:63
-----BEGIN CERTIFICATE-----
MIIDzzCCAregAwIBAgIJAMlR8uMBUYTDMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV
BAYTAkpQMQ4wDAYDVQQIDAVUb2t5bzEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55
IEx0ZDEdMBsGA1UEAwwUaWFtLXJvbGVzLWFueXdhcmUtY2EwHhcNMjIwNzEyMDMw
.
.
(snip)
.
.
CrA0C5J22wJy5SaY0UvdPPu9g2FGQPsn7rCuqm6nB7heSIEfEp5OOXhN9HGRcsjE
tRqwjC1R2LySC9YsPycq6+avL/UadRJcgM+YV9URBcJiY8JS+3I+yZ7IugJRkn2d
PBaASMKkBXcjB7QMpVcEYmNBbojtLGqcMhbrwE3LguZBTE/Zdn/QLPYUTRMt4ZAp
yI5Wso9uVsQIKqvbN5KoSFfxYw==
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
Confirm that the certificate file was created.
$ ls -l newcert.pem
-rw-r--r-- 1 root root 4553 Jul 12 03:01 newcert.pem
$ cat newcert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c9:51:f2:e3:01:51:84:c3
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=JP, ST=Tokyo, O=Default Company Ltd, CN=iam-roles-anyware-ca
Validity
Not Before: Jul 12 03:01:40 2022 GMT
Not After : Jul 12 03:01:40 2023 GMT
Subject: C=JP, ST=Tokyo, L=Default City, O=Default Company Ltd, CN=iam-roles-anyware-instance
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:bb:32:bc:de:5e:a8:58:f4:c2:e4:8e:e7:d4:72:
dc:5a:b7:f2:e6:62:44:83:76:d8:15:8a:12:da:ee:
a0:72:73:05:2b:4f:bd:89:e8:bf:a7:8d:e5:27:20:
2b:b2:33:72:45:01:b2:ca:15:38:4d:47:10:ab:84:
05:a0:b9:ef:b5:11:2b:6b:be:ac:28:2f:83:35:36:
9d:98:f7:9d:53:59:b5:b3:3c:3e:22:ec:b5:20:75:
5e:b9:46:c9:5d:66:95:e3:0b:1b:33:92:0b:81:ba:
68:d4:03:98:bc:b1:69:d1:d6:6a:21:93:37:84:51:
91:89:e7:12:e6:ea:74:05:8c:1c:f1:19:07:8c:75:
39:c5:09:e6:08:e4:21:72:ed:ac:5a:4c:0a:5d:a1:
ad:6e:b3:20:46:fd:c9:3f:c9:96:9d:0c:ec:ba:f3:
1c:99:dd:e8:d0:14:fe:71:5d:57:1e:6b:22:ce:37:
6d:6b:fc:9f:3a:b9:ae:c5:f3:da:6b:e1:41:6e:2f:
b5:bd:cb:0b:55:11:bb:03:1a:11:0c:bb:ef:c7:42:
3b:ce:fc:fe:6a:6c:2d:0c:15:56:dd:dd:ad:46:31:
79:8c:8f:b0:64:cc:40:d8:70:58:6a:be:a8:de:5c:
db:c3:b1:1b:aa:14:ec:97:df:16:76:6d:db:df:ec:
a2:61
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
97:C6:D2:8B:E0:D7:6A:B8:08:92:10:0E:5B:D7:93:48:BE:00:55:FF
X509v3 Authority Key Identifier:
keyid:A1:9A:6C:85:B7:B8:DB:03:5E:2C:3F:67:CD:1D:A2:53:E1:C3:1F:D5
Signature Algorithm: sha256WithRSAEncryption
8f:55:45:04:5f:32:bd:94:c1:b6:03:e2:95:ef:07:8e:77:c0:
03:72:87:93:60:00:5c:b9:12:3a:cd:19:78:3b:4e:89:24:9e:
dd:46:b4:b8:3a:2a:40:ca:fc:5a:59:6b:1b:f6:8d:eb:6e:5e:
86:a0:0f:b9:2e:09:4e:00:24:7d:55:5e:58:88:43:b3:b5:b1:
5c:e6:8d:ee:d2:d6:16:95:2f:75:34:ea:ac:fd:ec:82:88:12:
64:82:ba:0a:b0:34:0b:92:76:db:02:72:e5:26:98:d1:4b:dd:
3c:fb:bd:83:61:46:40:fb:27:ee:b0:ae:aa:6e:a7:07:b8:5e:
48:81:1f:12:9e:4e:39:78:4d:f4:71:91:72:c8:c4:b5:1a:b0:
8c:2d:51:d8:bc:92:0b:d6:2c:3f:27:2a:eb:e6:af:2f:f5:1a:
75:12:5c:80:cf:98:57:d5:11:05:c2:62:63:c2:52:fb:72:3e:
c9:9e:c8:ba:02:51:92:7d:9d:3c:16:80:48:c2:a4:05:77:23:
07:b4:0c:a5:57:04:62:63:41:6e:88:ed:2c:6a:9c:32:16:eb:
c0:4d:cb:82:e6:41:4c:4f:d9:76:7f:d0:2c:f6:14:4d:13:2d:
e1:90:29:c8:8e:56:b2:8f:6e:56:c4:08:2a:ab:db:37:92:a8:
48:57:f1:63
-----BEGIN CERTIFICATE-----
MIIDzzCCAregAwIBAgIJAMlR8uMBUYTDMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV
BAYTAkpQMQ4wDAYDVQQIDAVUb2t5bzEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55
IEx0ZDEdMBsGA1UEAwwUaWFtLXJvbGVzLWFueXdhcmUtY2EwHhcNMjIwNzEyMDMw
.
.
(snip)
.
.
CrA0C5J22wJy5SaY0UvdPPu9g2FGQPsn7rCuqm6nB7heSIEfEp5OOXhN9HGRcsjE
tRqwjC1R2LySC9YsPycq6+avL/UadRJcgM+YV9URBcJiY8JS+3I+yZ7IugJRkn2d
PBaASMKkBXcjB7QMpVcEYmNBbojtLGqcMhbrwE3LguZBTE/Zdn/QLPYUTRMt4ZAp
yI5Wso9uVsQIKqvbN5KoSFfxYw==
-----END CERTIFICATE-----
Testing (first attempt)
Downloading the credential helper tool
Now let's test it.
First, download the credential helper tool and make it executable.
# Download the credential helper tool
$ sudo curl https://s3.amazonaws.com/roles-anywhere-credential-helper/CredentialHelper/latest/linux_amd64/aws_signing_helper --output aws_signing_helper
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 12.6M 100 12.6M 0 0 86.5M 0 --:--:-- --:--:-- --:--:-- 86.6M
# Check the permissions of the credential helper tool
$ ls -l aws_signing_helper
-rw-r--r-- 1 root root 13266672 Jul 12 03:04 aws_signing_helper
# Add execute permission to the credential helper tool
$ sudo chmod +x aws_signing_helper
# Check the permissions
$ ls -l aws_signing_helper
-rwxr-xr-x 1 root root 13266672 Jul 12 03:04 aws_signing_helper
Testing (first attempt)
Let's run the credential helper tool.
$ ./aws_signing_helper credential-process \
--certificate ./newcert.pem \
--private-key ./newkey.pem \
--trust-anchor-arn arn:aws:rolesanywhere:us-east-1:<AWS account ID>:trust-anchor/5c50d4aa-8d0e-44d3-97d5-e26151d0bb2e \
--profile-arn arn:aws:rolesanywhere:us-east-1:<AWS account ID>:profile/cdc56346-c267-4d99-a833-dee00070f1b5 \
--role-arn arn:aws:iam::<AWS account ID>:role/iam-roles-anyware-role
2022/07/12 03:09:48 unable to parse private key
It failed with the error unable to parse private key.
Let's try removing the passphrase from the certificate's private key and retrying.
# Remove the passphrase from the private key
$ sudo openssl rsa -in newkey.pem -out cert.key
Enter pass phrase for newkey.pem:
writing RSA key
# Confirm that the passphrase was removed from the private key
$ cat cert.key
-----BEGIN RSA PRIVATE KEY-----
.
.
(snip)
.
.
-----END RSA PRIVATE KEY-----
# Retry
$ ./aws_signing_helper credential-process \
--certificate ./newcert.pem \
--private-key ./cert.key \
--trust-anchor-arn arn:aws:rolesanywhere:us-east-1:<AWS account ID>:trust-anchor/5c50d4aa-8d0e-44d3-97d5-e26151d0bb2e \
--profile-arn arn:aws:rolesanywhere:us-east-1:<AWS account ID>:profile/cdc56346-c267-4d99-a833-dee00070f1b5 \
--role-arn arn:aws:iam::<AWS account ID>:role/iam-roles-anyware-role
2022/07/12 03:12:42 AccessDeniedException: Untrusted certificate. Insufficient certificate
The private key parse error is gone, but now it fails with Untrusted certificate. Insufficient certificate.
Reading the documentation more carefully, end-entity certificates have requirements too.
End entity certificates must satisfy the following constraints to be used for authentication:
- The certificates must be X.509v3.
- Basic constraints must include CA: false.
- The key usage must include Digital Signature.
- The signing algorithm must include SHA256 or stronger. MD5 and SHA1 signing algorithms are rejected.
Trust model in AWS Identity and Access Management Roles Anywhere - IAM Roles Anywhere
Comparing this with the issued certificate, its Key Usage does not include Digital Signature.
So let's reissue the certificate.
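Both failures in this walkthrough came from certificate extensions, one on the trust anchor and one on the end-entity certificate, plus the passphrase-protected key. As an added example that is not part of the original post, the following Python script checks `openssl x509 -noout -text` output against both sets of requirements quoted above and flags an encrypted key file; the certificate texts it runs on are constructed samples modelled on the output shown in this post.

```python
import re

# Key usages IAM Roles Anywhere requires on a trust anchor (from the quoted docs).
TRUST_ANCHOR_KEY_USAGE = {"Digital Signature", "Certificate Sign", "CRL Sign"}
# Digests accepted as "SHA256 or stronger"; MD5 and SHA1 signatures are rejected.
ACCEPTED_DIGESTS = ("sha256", "sha384", "sha512")

def parse_x509_text(text):
    """Extract the fields the checks need from `openssl x509 -noout -text` output."""
    info = {"version": None, "sig_alg": None, "ca": None, "key_usage": set()}
    m = re.search(r"^\s*Version:\s*(\d+)", text, re.M)
    if m:
        info["version"] = int(m.group(1))
    m = re.search(r"^\s*Signature Algorithm:\s*(\S+)", text, re.M)
    if m:
        info["sig_alg"] = m.group(1)
    # Each extension's value sits on the line after its header line.
    m = re.search(r"X509v3 Basic Constraints:[^\n]*\n\s*CA:(TRUE|FALSE)", text)
    if m:
        info["ca"] = m.group(1) == "TRUE"
    m = re.search(r"X509v3 Key Usage:[^\n]*\n\s*([^\n]+)", text)
    if m:
        info["key_usage"] = {u.strip() for u in m.group(1).split(",")}
    return info

def _signature_problems(info):
    alg = (info["sig_alg"] or "").lower()
    if not alg:
        return ["signature algorithm not found"]
    if not any(d in alg for d in ACCEPTED_DIGESTS):
        return ["signing algorithm %s is not SHA256 or stronger" % info["sig_alg"]]
    return []

def check_trust_anchor(text):
    """Violations of the trust-anchor requirements for a CA cert (empty list = OK)."""
    info = parse_x509_text(text)
    problems = []
    if info["ca"] is not True:
        problems.append("basicConstraints must be CA:TRUE")
    missing = TRUST_ANCHOR_KEY_USAGE - info["key_usage"]
    if missing:
        problems.append("keyUsage missing: " + ", ".join(sorted(missing)))
    return problems + _signature_problems(info)

def check_end_entity(text):
    """Violations of the end-entity requirements (empty list = OK)."""
    info = parse_x509_text(text)
    problems = []
    if info["version"] != 3:
        problems.append("certificate must be X.509v3")
    if info["ca"] is not False:
        problems.append("basicConstraints must be CA:FALSE")
    if "Digital Signature" not in info["key_usage"]:
        problems.append("keyUsage must include Digital Signature")
    return problems + _signature_problems(info)

def private_key_is_unencrypted(pem):
    """aws_signing_helper failed on a passphrase-protected key ('unable to parse
    private key'), so require a PEM key with no ENCRYPTED marker in its header."""
    head = pem.strip().splitlines()[:3]
    return bool(head) and "PRIVATE KEY" in head[0] and not any("ENCRYPTED" in l for l in head)

# Constructed sample input, modelled on the post's `openssl x509 -text` output:
# the first end-entity certificate, issued before keyUsage was added to usr_cert.
FIRST_EE_CERT = """\
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
"""
# The reissued certificate, carrying keyUsage from the edited usr_cert section.
SECOND_EE_CERT = FIRST_EE_CERT.replace(
    "            Netscape Comment:",
    "            X509v3 Key Usage:\n"
    "                Digital Signature, Non Repudiation, Key Encipherment\n"
    "            Netscape Comment:",
)
# The private CA certificate after digitalSignature was added to v3_ca.
CA_CERT = """\
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
"""
# What the stock v3_ca (keyUsage commented out) would have produced instead.
DEFAULT_CA_CERT = CA_CERT.split("            X509v3 Key Usage:")[0]

if __name__ == "__main__":
    print(check_trust_anchor(DEFAULT_CA_CERT), check_trust_anchor(CA_CERT))
    print(check_end_entity(FIRST_EE_CERT), check_end_entity(SECOND_EE_CERT))
```

Run it against a real file with the output of `openssl x509 -noout -text -in newcert.pem` before registering a trust anchor or calling the credential helper, and the two errors seen above are caught locally.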
Reissuing the certificate
Revoking the old certificate
If you issue a certificate whose Subject duplicates an existing one, the following error is output.
failed to update database
TXT_DB error number 2
So, before reissuing the certificate, revoke the old one.
# Check the certificate database file
$ cat /etc/pki/CA/index.txt
V 250711022800Z C951F2E3015184C2 unknown /C=JP/ST=Tokyo/O=Default Company Ltd/CN=iam-roles-anyware-ca
V 230712030140Z C951F2E3015184C3 unknown /C=JP/ST=Tokyo/L=Default City/O=Default Company Ltd/CN=iam-roles-anyware-instance
# Revoke the unneeded certificate
$ sudo openssl ca -revoke /etc/pki/CA/newcerts/C951F2E3015184C3.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Revoking Certificate C951F2E3015184C3.
Data Base Updated
# Confirm that the unneeded certificate was revoked
$ cat /etc/pki/CA/index.txt
V 250711022800Z C951F2E3015184C2 unknown /C=JP/ST=Tokyo/O=Default Company Ltd/CN=iam-roles-anyware-ca
R 230712030140Z 220712043755Z C951F2E3015184C3 unknown /C=JP/ST=Tokyo/L=Default City/O=Default Company Ltd/CN=iam-roles-anyware-instance
Normally you would generate a CRL after revoking a certificate, but since there is nobody to distribute it to, I won't create one.
Editing /etc/pki/tls/openssl.cnf
Before regenerating the CSR, edit /etc/pki/tls/openssl.cnf.
# Edit /etc/pki/tls/openssl.cnf
$ sudo vi /etc/pki/tls/openssl.cnf
# Check the edited content
$ cat /etc/pki/tls/openssl.cnf
.
.
(snip)
.
.
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
Regenerating the CSR
Regenerate the CSR.
$ sudo /etc/pki/tls/misc/CA -newreq
Generating a 2048 bit RSA private key
...........................................................................................+++
................................+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:iam-roles-anyware-instance
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
Remove the passphrase from the private key that was generated along with the CSR.
$ sudo openssl rsa -in newkey.pem -out cert.key
Enter pass phrase for newkey.pem:
writing RSA key
Issuing the certificate
Reissue the certificate.
$ sudo /etc/pki/tls/misc/CA -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
c9:51:f2:e3:01:51:84:c5
Validity
Not Before: Jul 12 04:58:36 2022 GMT
Not After : Jul 12 04:58:36 2023 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
localityName = Default City
organizationName = Default Company Ltd
commonName = iam-roles-anyware-instance
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F4:8B:BB:60:C2:33:AA:58:8B:81:E8:00:C2:EE:36:D2:C2:7D:34:1C
X509v3 Authority Key Identifier:
keyid:A1:9A:6C:85:B7:B8:DB:03:5E:2C:3F:67:CD:1D:A2:53:E1:C3:1F:D5
Certificate is to be certified until Jul 12 04:58:36 2023 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c9:51:f2:e3:01:51:84:c5
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=JP, ST=Tokyo, O=Default Company Ltd, CN=iam-roles-anyware-ca
Validity
Not Before: Jul 12 04:58:36 2022 GMT
Not After : Jul 12 04:58:36 2023 GMT
Subject: C=JP, ST=Tokyo, L=Default City, O=Default Company Ltd, CN=iam-roles-anyware-instance
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c0:03:cf:d6:3a:20:f6:ad:74:72:d5:3a:fb:bc:
bd:d6:4b:98:f7:2e:11:6e:79:ff:91:83:52:8d:31:
e0:c7:0f:75:16:63:26:c9:8f:00:96:44:2b:23:e1:
81:eb:11:e2:38:b2:f6:36:56:63:2f:57:75:b3:91:
3a:5e:cc:2c:e1:68:f5:de:8a:9d:53:45:e9:8a:38:
ef:45:d5:39:b9:ea:79:6a:01:ce:0a:75:91:84:84:
3e:98:c6:10:14:9b:3d:1e:79:3d:ea:dc:cb:81:7e:
80:51:2d:bc:0b:32:ad:cc:b3:e6:0a:a8:06:83:1d:
4a:a6:18:1b:c9:c9:fb:57:cc:0e:bd:98:53:6b:c0:
84:7c:60:5d:5c:f9:46:91:88:40:c1:49:4a:fb:2e:
ba:9c:14:a4:66:c4:97:44:28:57:17:de:30:58:71:
a0:10:5d:18:7f:3d:28:9f:a7:36:c7:0c:8b:39:2e:
c2:71:e7:46:0d:21:f8:1b:83:38:d9:24:f5:0c:fe:
35:c5:17:8c:72:b7:a4:70:13:e6:7e:36:a5:f3:53:
17:5f:6e:64:06:26:8f:a8:8d:8d:47:9d:d4:52:79:
12:e9:67:05:d3:a8:91:11:29:28:bc:42:41:54:ca:
a1:4c:b5:8c:9d:47:f1:ba:a1:72:81:b6:4c:68:ca:
d0:ff
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F4:8B:BB:60:C2:33:AA:58:8B:81:E8:00:C2:EE:36:D2:C2:7D:34:1C
X509v3 Authority Key Identifier:
keyid:A1:9A:6C:85:B7:B8:DB:03:5E:2C:3F:67:CD:1D:A2:53:E1:C3:1F:D5
Signature Algorithm: sha256WithRSAEncryption
99:58:e3:f2:1c:2d:51:ee:4d:94:35:97:91:ba:70:c7:16:72:
f6:d4:49:08:62:ca:7e:27:68:d8:f0:1a:07:58:e0:b8:f2:5a:
d5:11:0c:85:e4:e9:dc:1d:55:f6:5f:7a:8a:9c:3c:26:ba:18:
fa:83:84:c8:6a:fb:14:08:a2:bc:74:e1:e5:4c:a1:60:59:b3:
da:73:81:9f:2b:a0:15:90:a8:f5:5c:58:9d:38:c1:49:a7:ef:
ea:29:f3:22:a8:e6:9b:2c:f6:25:b3:8a:a5:d3:bb:ba:67:a3:
f8:70:be:f6:22:90:4e:9e:7a:8b:17:04:b3:2f:b3:33:ca:b9:
66:1b:75:84:60:62:70:a8:60:3b:d3:d9:90:dc:8f:6a:53:7d:
e6:e5:0c:b8:59:11:68:dc:81:98:91:1e:7f:09:44:a9:7b:47:
49:47:66:cf:6f:67:18:24:b5:39:93:09:f7:15:c0:92:89:a2:
db:0d:7c:90:4f:ad:df:d3:48:cd:e4:aa:5d:6f:f2:96:2f:d7:
50:15:54:2c:24:d7:c6:50:2c:28:c9:33:ff:b9:84:fa:37:8f:
67:7c:7a:aa:2b:30:08:bd:4f:d6:ff:87:15:8d:33:d9:da:48:
87:59:bd:d1:c5:6f:26:79:44:e5:3c:e5:53:a9:fc:f9:90:4d:
45:e7:2c:14
-----BEGIN CERTIFICATE-----
MIID3jCCAsagAwIBAgIJAMlR8uMBUYTFMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV
BAYTAkpQMQ4wDAYDVQQIDAVUb2t5bzEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55
IEx0ZDEdMBsGA1UEAwwUaWFtLXJvbGVzLWFueXdhcmUtY2EwHhcNMjIwNzEyMDQ1
.
.
(snip)
.
.
FZCo9VxYnTjBSafv6inzIqjmmyz2JbOKpdO7umej+HC+9iKQTp56ixcEsy+zM8q5
Zht1hGBicKhgO9PZkNyPalN95uUMuFkRaNyBmJEefwlEqXtHSUdmz29nGCS1OZMJ
9xXAkomi2w18kE+t39NIzeSqXW/yli/XUBVULCTXxlAsKMkz/7mE+jePZ3x6qisw
CL1P1v+HFY0z2dpIh1m90cVvJnlE5TzlU6n8+ZBNRecsFA==
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
A certificate with Digital Signature in its Key Usage has been issued.
Testing (second attempt)
Now for the second test.
Let's run the credential helper tool again.
$ ./aws_signing_helper credential-process \
--certificate ./newcert.pem \
--private-key ./cert.key \
--trust-anchor-arn arn:aws:rolesanywhere:us-east-1:<AWS account ID>:trust-anchor/5c50d4aa-8d0e-44d3-97d5-e26151d0bb2e \
--profile-arn arn:aws:rolesanywhere:us-east-1:<AWS account ID>:profile/cdc56346-c267-4d99-a833-dee00070f1b5 \
--role-arn arn:aws:iam::<AWS account ID>:role/iam-roles-anyware-role
{"Version":1,"AccessKeyId":"ASIA6KUFAVPU6PW4NEHS","SecretAccessKey":"1+Ax0yFTo0+c/WUtBOd6sC4TTOV6QNiLUaNm59He","SessionToken":"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","Expiration":"2022-07-12T06:00:07Z"}
An access key, secret access key, and session token were output.
Put the output values into environment variables and try the AWS CLI.
# Add the credentials to environment variables
$ export AWS_ACCESS_KEY_ID=ASIA6KUFAVPU6PW4NEHS
$ export AWS_SECRET_ACCESS_KEY=1+Ax0yFTo0+c/WUtBOd6sC4TTOV6QNiLUaNm59He
$ export AWS_SESSION_TOKEN=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
# Check the EC2 instance's information with the AWS CLI
$ aws ec2 describe-instances \
--instance-ids i-0fd11c3a1398908bb \
--region us-east-1
{
"Reservations": [
{
"Instances": [
{
"Monitoring": {
"State": "disabled"
},
"PublicDnsName": "ec2-3-235-121-71.compute-1.amazonaws.com",
"State": {
"Code": 16,
"Name": "running"
},
"EbsOptimized": true,
"LaunchTime": "2022-07-12T02:19:53.000Z",
"PublicIpAddress": "3.235.121.71",
"PrivateIpAddress": "172.31.14.187",
"ProductCodes": [],
"VpcId": "vpc-0e0796981cea634c1",
"CpuOptions": {
"CoreCount": 1,
"ThreadsPerCore": 2
},
"StateTransitionReason": "",
"InstanceId": "i-0fd11c3a1398908bb",
"EnaSupport": true,
"ImageId": "ami-0cff7528ff583bf9a",
"PrivateDnsName": "ip-172-31-14-187.ec2.internal",
"KeyName": "xxxxx",
"SecurityGroups": [
{
"GroupName": "default",
"GroupId": "sg-09833fa43dc030900"
}
],
"ClientToken": "",
"SubnetId": "subnet-0355def964cb72d89",
"InstanceType": "t3.micro",
"CapacityReservationSpecification": {
"CapacityReservationPreference": "open"
},
"NetworkInterfaces": [
{
"Status": "in-use",
"MacAddress": "02:b9:5a:24:d9:17",
"SourceDestCheck": true,
"VpcId": "vpc-0e0796981cea634c1",
"Description": "",
"NetworkInterfaceId": "eni-0f74de6b95007f850",
"PrivateIpAddresses": [
{
"PrivateDnsName": "ip-172-31-14-187.ec2.internal",
"PrivateIpAddress": "172.31.14.187",
"Primary": true,
"Association": {
"PublicIp": "3.235.121.71",
"PublicDnsName": "ec2-3-235-121-71.compute-1.amazonaws.com",
"IpOwnerId": "amazon"
}
}
],
"PrivateDnsName": "ip-172-31-14-187.ec2.internal",
"InterfaceType": "interface",
"Attachment": {
"Status": "attached",
"DeviceIndex": 0,
"DeleteOnTermination": true,
"AttachmentId": "eni-attach-055395aa5ba0c57bc",
"AttachTime": "2022-07-12T02:19:53.000Z"
},
"Groups": [
{
"GroupName": "default",
"GroupId": "sg-09833fa43dc030900"
}
],
"Ipv6Addresses": [],
"OwnerId": "<AWSアカウントID>",
"PrivateIpAddress": "172.31.14.187",
"SubnetId": "subnet-0355def964cb72d89",
"Association": {
"PublicIp": "3.235.121.71",
"PublicDnsName": "ec2-3-235-121-71.compute-1.amazonaws.com",
"IpOwnerId": "amazon"
}
}
],
"SourceDestCheck": true,
"Placement": {
"Tenancy": "default",
"GroupName": "",
"AvailabilityZone": "us-east-1b"
},
"Hypervisor": "xen",
"InstanceLifecycle": "spot",
"BlockDeviceMappings": [
{
"DeviceName": "/dev/xvda",
"Ebs": {
"Status": "attached",
"DeleteOnTermination": true,
"VolumeId": "vol-0b0d9d6737487a8cf",
"AttachTime": "2022-07-12T02:19:54.000Z"
}
}
],
"Architecture": "x86_64",
"RootDeviceType": "ebs",
"IamInstanceProfile": {
"Id": "AIPA6KUFAVPU6UWS3OMTH",
"Arn": "arn:aws:iam::<AWSアカウントID>:instance-profile/AmazonSSMRoleForInstancesQuickSetup"
},
"RootDeviceName": "/dev/xvda",
"VirtualizationType": "hvm",
"Tags": [
{
"Value": "ca",
"Key": "Name"
}
],
"SpotInstanceRequestId": "sir-abredmeg",
"HibernationOptions": {
"Configured": false
},
"MetadataOptions": {
"State": "applied",
"HttpEndpoint": "enabled",
"HttpTokens": "optional",
"HttpPutResponseHopLimit": 1
},
"AmiLaunchIndex": 0
}
],
"ReservationId": "r-0433f26b704769217",
"Groups": [],
"OwnerId": "<AWSアカウントID>"
}
]
}
The EC2 instance's information could be retrieved with the AWS CLI.
I also check whether the AWS CLI can be run with the credential helper tool's command registered in ~/.aws/config.
First, clear the credential environment variables.
# Clear the environment variables
$ unset AWS_ACCESS_KEY_ID
$ unset AWS_SECRET_ACCESS_KEY
$ unset AWS_SESSION_TOKEN
# Confirm the environment variables have been cleared
$ echo $AWS_ACCESS_KEY_ID
$ echo $AWS_SECRET_ACCESS_KEY
$ echo $AWS_SESSION_TOKEN
Register the credential helper tool's command in ~/.aws/config.
# Create the directory
$ mkdir ~/.aws
# Create ~/.aws/config
$ vi ~/.aws/config
# Check the contents of ~/.aws/config
$ cat ~/.aws/config
[default]
credential_process = ./aws_signing_helper credential-process
--certificate /usr/bin/newcert.pem
--private-key /usr/bin/cert.key
--trust-anchor-arn arn:aws:rolesanywhere:us-east-1:<AWSアカウントID>:trust-anchor/5c50d4aa-8d0e-44d3-97d5-e26151d0bb2e
--profile-arn arn:aws:rolesanywhere:us-east-1:<AWSアカウントID>:profile/cdc56346-c267-4d99-a833-dee00070f1b5
--role-arn arn:aws:iam::<AWSアカウントID>:role/iam-roles-anyware-role
Confirm that Assume Role works without ~/.aws/credentials present.
# Confirm ~/.aws/credentials does not exist
$ ls -l ~/.aws
total 4
-rw-r--r-- 1 ssm-user ssm-user 431 Jul 12 05:44 config
# Confirm Assume Role works
$ aws sts get-caller-identity
{
"Account": "<AWSアカウントID>",
"UserId": "AROA6KUFAVPUU5M2Q3OWY:00c951f2e3015184c5",
"Arn": "arn:aws:sts::<AWSアカウントID>:assumed-role/iam-roles-anyware-role/00c951f2e3015184c5"
}
I confirmed that Assume Role works for the iam-roles-anyware-role I created.
Checking CloudTrail, a CreateSession event was recorded as shown below. The userAgent of CredHelper/1.0.0 (go1.18.2; linux; amd64) shows that the access came from the credential helper tool.
{
"eventVersion": "1.08",
"userIdentity": {
"type": "Unknown",
"principalId": "",
"arn": "",
"accountId": "<AWSアカウントID>",
"accessKeyId": "",
"userName": ""
},
"eventTime": "2022-07-12T08:32:10Z",
"eventSource": "rolesanywhere.amazonaws.com",
"eventName": "CreateSession",
"awsRegion": "us-east-1",
"sourceIPAddress": "3.239.222.193",
"userAgent": "CredHelper/1.0.0 (go1.18.2; linux; amd64)",
"requestParameters": {
"cert": "MIID3jCCAsagAwIBAgIJAMlR8uMBUYTFMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNVBAYTAkpQMQ4wDAYDVQQIDAVUb2t5bzEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDEdMBsGA1UEAwwUaWFtLXJvbGVzLWFueXdhcmUtY2EwHhcNMjIwNzEyMDQ1ODM2WhcNMjMwNzEyMDQ1ODM2WjB3MQswCQYDVQQGEwJKUDEOMAwGA1UECAwFVG9reW8xFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDEjMCEGA1UEAwwaaWFtLXJvbGVzLWFueXdhcmUtaW5zdGFuY2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAA8/WOiD2rXRy1Tr7vL3WS5j3LhFuef+Rg1KNMeDHD3UWYybJjwCWRCsj4YHrEeI4svY2VmMvV3WzkTpezCzhaPXeip1TRemKOO9F1Tm56nlqAc4KdZGEhD6YxhAUmz0eeT3q3MuBfoBRLbwLMq3Ms+YKqAaDHUqmGBvJyftXzA69mFNrwIR8YF1c+UaRiEDBSUr7LrqcFKRmxJdEKFcX3jBYcaAQXRh/PSifpzbHDIs5LsJx50YNIfgbgzjZJPUM/jXFF4xyt6RwE+Z+NqXzUxdfbmQGJo+ojY1HndRSeRLpZwXTqJERKSi8QkFUyqFMtYydR/G6oXKBtkxoytD/AgMBAAGjgYkwgYYwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBT0i7tgwjOqWIuB6ADC7jbSwn00HDAfBgNVHSMEGDAWgBShmmyFt7jbA14sP2fNHaJT4cMf1TANBgkqhkiG9w0BAQsFAAOCAQEAmVjj8hwtUe5NlDWXkbpwxxZy9tRJCGLKfido2PAaB1jguPJa1REMheTp3B1V9l96ipw8JroY+oOEyGr7FAiivHTh5UyhYFmz2nOBnyugFZCo9VxYnTjBSafv6inzIqjmmyz2JbOKpdO7umej+HC+9iKQTp56ixcEsy+zM8q5Zht1hGBicKhgO9PZkNyPalN95uUMuFkRaNyBmJEefwlEqXtHSUdmz29nGCS1OZMJ9xXAkomi2w18kE+t39NIzeSqXW/yli/XUBVULCTXxlAsKMkz/7mE+jePZ3x6qiswCL1P1v+HFY0z2dpIh1m90cVvJnlE5TzlU6n8+ZBNRecsFA==",
"durationSeconds": 3600,
"profileArn": "arn:aws:rolesanywhere:us-east-1:<AWSアカウントID>:profile/cdc56346-c267-4d99-a833-dee00070f1b5",
"roleArn": "arn:aws:iam::<AWSアカウントID>:role/iam-roles-anyware-role",
"trustAnchorArn": "arn:aws:rolesanywhere:us-east-1:<AWSアカウントID>:trust-anchor/5c50d4aa-8d0e-44d3-97d5-e26151d0bb2e"
},
"responseElements": {
"credentialSet": [
{
"assumedRoleUser": {
"arn": "arn:aws:sts::<AWSアカウントID>:assumed-role/iam-roles-anyware-role/00c951f2e3015184c5",
"assumedRoleId": "AROA6KUFAVPUU5M2Q3OWY:00c951f2e3015184c5"
},
"credentials": {
"accessKeyId": "ASIA6KUFAVPUSIOVTSM4",
"expiration": "2022-07-12T09:32:10Z",
"secretAccessKey": "HIDDEN_DUE_TO_SECURITY_REASONS",
"sessionToken": "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"
},
"packedPolicySize": 55,
"roleArn": "arn:aws:iam::<AWSアカウントID>:role/iam-roles-anyware-role",
"sourceIdentity": "CN=iam-roles-anyware-instance"
}
],
"subjectArn": "arn:aws:rolesanywhere:us-east-1:<AWSアカウントID>:subject/6334a30e-14fd-4fc5-9262-6e67267c42dc",
"x509Subject": "C=JP,ST=Tokyo,L=Default City,O=Default Company Ltd,CN=iam-roles-anyware-instance"
},
"requestID": "fae5107a-30ed-4216-af36-62baef51824c",
"eventID": "7a0e47fd-07b8-47d8-9e21-c805a76e4d3e",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "<AWSアカウントID>",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.2",
"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"clientProvidedHostHeader": "rolesanywhere.us-east-1.amazonaws.com"
}
}
Now let's check EBS volume information with the AWS CLI.
$ aws ec2 describe-volumes \
--filters Name=attachment.instance-id,Values=i-0fd11c3a1398908bb \
--region us-east-1
{
"Volumes": [
{
"AvailabilityZone": "us-east-1b",
"Attachments": [
{
"AttachTime": "2022-07-12T02:19:54.000Z",
"InstanceId": "i-0fd11c3a1398908bb",
"VolumeId": "vol-0b0d9d6737487a8cf",
"State": "attached",
"DeleteOnTermination": true,
"Device": "/dev/xvda"
}
],
"Encrypted": false,
"VolumeType": "gp3",
"VolumeId": "vol-0b0d9d6737487a8cf",
"State": "in-use",
"Iops": 3000,
"SnapshotId": "snap-08f1069dfde2007ba",
"CreateTime": "2022-07-12T02:19:54.234Z",
"MultiAttachEnabled": false,
"Size": 8
}
]
}
The EBS volume information could indeed be retrieved with the AWS CLI.
Checking CloudTrail, a DescribeVolumes event was recorded as shown below. The invokedBy of rolesanywhere.amazonaws.com shows that the operation was performed using the IAM Roles Anywhere profile.
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROA6KUFAVPUU5M2Q3OWY:00c951f2e3015184c5",
"arn": "arn:aws:sts::<AWSアカウントID>:assumed-role/iam-roles-anyware-role/00c951f2e3015184c5",
"accountId": "<AWSアカウントID>",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROA6KUFAVPUU5M2Q3OWY",
"arn": "arn:aws:iam::<AWSアカウントID>:role/iam-roles-anyware-role",
"accountId": "<AWSアカウントID>",
"userName": "iam-roles-anyware-role"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2022-07-12T08:32:10Z",
"mfaAuthenticated": "false"
},
"sourceIdentity": "CN=iam-roles-anyware-instance"
},
"invokedBy": "rolesanywhere.amazonaws.com"
},
"eventTime": "2022-07-12T08:32:10Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "DescribeVolumes",
"awsRegion": "us-east-1",
"sourceIPAddress": "rolesanywhere.amazonaws.com",
"userAgent": "rolesanywhere.amazonaws.com",
"requestParameters": {
"volumeSet": {},
"filterSet": {
"items": [
{
"name": "attachment.instance-id",
"valueSet": {
"items": [
{
"value": "i-0fd11c3a1398908bb"
}
]
}
}
]
}
},
"responseElements": null,
"requestID": "86bf8acb-d85c-4f9f-b412-971ff4e5f4db",
"eventID": "6bb32c87-5f95-4a27-8565-6efc3b6b44f7",
"readOnly": true,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "<AWSアカウントID>",
"eventCategory": "Management"
}
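As an added example (not code from the original post), a small Python helper that turns the two CloudTrail events above into an audit trail: CreateSession events are indexed by session id, and later API calls whose userIdentity.invokedBy is rolesanywhere.amazonaws.com are attributed back to the x509Subject of the certificate that minted the session. The records are constructed from the fields shown on this page; the account ID is a placeholder.

```python
ROLESANYWHERE = "rolesanywhere.amazonaws.com"
SESSION_ID = "AROA6KUFAVPUU5M2Q3OWY:00c951f2e3015184c5"
SUBJECT = "C=JP,ST=Tokyo,L=Default City,O=Default Company Ltd,CN=iam-roles-anyware-instance"

# Constructed sample records, trimmed to the fields the two CloudTrail events on
# this page show; <AWS account ID> is a placeholder, not a real account.
SAMPLE_RECORDS = [
    {"eventSource": ROLESANYWHERE, "eventName": "CreateSession",
     "userIdentity": {"type": "Unknown", "accountId": "<AWS account ID>"},
     "userAgent": "CredHelper/1.0.0 (go1.18.2; linux; amd64)",
     "requestParameters": {"trustAnchorArn": "arn:aws:rolesanywhere:us-east-1:"
                           "<AWS account ID>:trust-anchor/5c50d4aa-8d0e-44d3-97d5-e26151d0bb2e"},
     "responseElements": {"credentialSet": [{"assumedRoleUser": {"assumedRoleId": SESSION_ID},
                                             "sourceIdentity": "CN=iam-roles-anyware-instance"}],
                          "x509Subject": SUBJECT}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeVolumes",
     "userIdentity": {"type": "AssumedRole", "principalId": SESSION_ID,
                      "sessionContext": {"sourceIdentity": "CN=iam-roles-anyware-instance"},
                      "invokedBy": ROLESANYWHERE}},
]

def index_sessions(records):
    """Map each Roles Anywhere session id (assumedRoleId) to the full certificate
    subject, trust anchor and client that minted it, from CreateSession events."""
    sessions = {}
    for r in records:
        if r.get("eventSource") != ROLESANYWHERE or r.get("eventName") != "CreateSession":
            continue
        resp = r.get("responseElements") or {}
        for cred in resp.get("credentialSet", []):
            sessions[cred["assumedRoleUser"]["assumedRoleId"]] = {
                "x509Subject": resp.get("x509Subject"),
                "trustAnchorArn": r["requestParameters"]["trustAnchorArn"],
                "userAgent": r.get("userAgent")}
    return sessions

def attribute_api_calls(records):
    """Return (eventName, certificate subject, matched) for every API call made with
    Roles Anywhere credentials; without a logged CreateSession only the CN from
    sessionContext.sourceIdentity is available and matched is False."""
    sessions = index_sessions(records)
    calls = []
    for r in records:
        ident = r.get("userIdentity", {})
        if ident.get("invokedBy") != ROLESANYWHERE:
            continue
        sess = sessions.get(ident.get("principalId"))
        subject = sess["x509Subject"] if sess else ident.get("sessionContext", {}).get("sourceIdentity")
        calls.append((r["eventName"], subject, sess is not None))
    return calls
```

The same lookup works over a CloudTrail Lake or Athena export once the records are loaded as dicts, and a session with no matching CreateSession is worth a closer look because its certificate subject can only be partially recovered.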
IAM Roles Anywhere can be used with a self-signed certificate made with OpenSSL
I tried using IAM Roles Anywhere with a self-signed certificate made with OpenSSL.
Being able to obtain credentials with nothing more than a certificate and private key is exactly what IAM Roles Anywhere is about, and it was very interesting.
Incidentally, when I deleted the IAM Roles Anywhere profile or trust anchor, the following errors were output.
# When the profile was deleted
$ aws sts get-caller-identity
Error when retrieving credentials from custom-process: 2022/07/12 08:45:43 ResourceNotFoundException: Profile not found.
# When the trust anchor was deleted
$ aws sts get-caller-identity
Error when retrieving credentials from custom-process: 2022/07/12 08:47:15 AccessDeniedException: Specified Trust Anchor wasn't found.
If you see errors like the above, your IAM Roles Anywhere configuration may be incomplete.
I hope this article helps someone.
That's all from Non-Pi (@non____97) of the Consulting Department, AWS Business Division!