{"id":20532658,"url":"https://github.com/cimpress-mcp/felix","last_synced_at":"2025-10-25T12:03:40.249Z","repository":{"id":38900147,"uuid":"101783798","full_name":"Cimpress-MCP/felix","owner":"Cimpress-MCP","description":"Automate the rotation of IAM keys used by third-party services.","archived":false,"fork":false,"pushed_at":"2023-04-24T18:07:39.000Z","size":2915,"stargazers_count":11,"open_issues_count":12,"forks_count":4,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-03-27T20:13:47.914Z","etag":null,"topics":["aws","iam","lambda"],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Cimpress-MCP.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-08-29T16:38:40.000Z","updated_at":"2021-04-30T17:04:59.000Z","dependencies_parsed_at":"2023-01-24T19:32:40.528Z","dependency_job_id":null,"html_url":"https://github.com/Cimpress-MCP/felix","commit_stats":null,"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cimpress-MCP%2Ffelix","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cimpress-MCP%2Ffelix/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cimpress-MCP%2Ffelix/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cimpress-MCP%2Ffelix/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Cimpress-MCP","download_url":"https://codeload.github.com/Cimpress-MCP/felix/tar.gz/refs/heads/master","host":{"name":"GitHub"
,"url":"https://github.com","kind":"github","repositories_count":248833949,"owners_count":21168935,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","iam","lambda"],"created_at":"2024-11-16T00:16:20.980Z","updated_at":"2025-10-25T12:03:35.218Z","avatar_url":"https://github.com/Cimpress-MCP.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Build Status](https://travis-ci.org/Cimpress-MCP/felix.svg?branch=master)](https://travis-ci.org/Cimpress-MCP/felix)\n[![Code Climate](https://codeclimate.com/github/Cimpress-MCP/felix/badges/gpa.svg)](https://codeclimate.com/github/Cimpress-MCP/felix)\n[![Test Coverage](https://codeclimate.com/github/Cimpress-MCP/felix/badges/coverage.svg)](https://codeclimate.com/github/Cimpress-MCP/felix/coverage)\n\n[![dependencies Status](https://david-dm.org/Cimpress-MCP/felix/status.svg)](https://david-dm.org/Cimpress-MCP/felix)\n[![devDependencies Status](https://david-dm.org/Cimpress-MCP/felix/dev-status.svg)](https://david-dm.org/Cimpress-MCP/felix?type=dev)\n\n# Felix\n\n![Felix Logo](/readme-assets/logo.png)\n\n**Felix** rotates your IAM keys!\n\n## Table of Contents\n\n- [About](#about)\n- [Architecture](#architecture)\n- [Configuration and Deployment](#config_and_deploy)\n- [IAM Configuration](#iam_config)\n- [Contributing](#contributing)\n\n## About \u003ca name = \"about\"\u003e\u003c/a\u003e\n\nManaging your IAM keys is a fundamental piece of AWS security. It's also one\nof the easiest things to get wrong. 
In fact, the easiest way to manage your\nIAM keys is to just not ever have any.\n\nBut that only gets you so far. Some third-party services can't integrate via\ncross-account roles or bucket policies. Sometimes you need to run pieces of\nyour infrastructure on-prem or in different Cloud Providers (or otherwise\ncannot use STS keys).\n\nSo **Felix** is aimed at making it easy to manage IAM keys in third-party\nservices like SumoLogic and GitLab. It aims to be easily extensible by both\nbuilt-in providers and external plugins.\n\n## Architecture \u003ca name = \"architecture\"\u003e\u003c/a\u003e\n\nArchitecture for this project is relatively simple.  There are only 4 main components that can be separated into two categories:\n\n### Category One: Infrastructure in YOUR AWS account\n\n1. The Lambda Function itself\n1. Systems Management Parameter Store parameters\n1. IAM users\n\n### Category Two: External Systems containing keys\n\n1. GitLab\n1. SumoLogic\n1. Travis-CI\n\nThe felix Lambda function loads AWS Parameter Store (SSM) parameters that are appropriately named (see [Configuration](#configuration) section below), creates new access keys for IAM users that are appropriately pathed (see [IAM User Path Construction](#iam_user_path) section below), and using access provided by your SSM parameters, updates your configured external system (GitLab, SumoLogic, or Travis-CI).\n\n![Felix Architecture](./readme-assets/felix-architecture.png)\n[Felix Architecture Diagram](https://cim.link/u1h2dl)\n\n## Deployment and Configuration \u003ca name = \"config_and_deploy\"\u003e\u003c/a\u003e\n\n### Deploying from source\n\n* Clone this repository (or `sls install`).\n* `npm install`\n* Get some IAM or STS keys for your account\n* `sls deploy --region [the region you want]`\n* `npm run configure` to perform some first-time config in the Parameter Store.\n\n### Configuration \u003ca name = \"configuration\"\u003e\u003c/a\u003e\n\n#### Quickstart with `configure.js`\n\nThere is a 
[`configure.js`](./configure.js) script at the root of this\nrepository that will configure all necessary configuration settings in SSM.\n\nYou can run it with `npm run configure` or `node ./configure.js`.\n\n**NOTE**: Make sure you have your proper account, profile, and region set in\nyour AWS config before running this.\n\nThis will go through all possible settings, suggest sane defaults, and give you\nthe option to configure some plugins (you can skip plugins you don't plan to\nuse).\n\n#### Configuration details\n\nConfiguration for **Felix** plugins is generally performed by\n[metafig](https://github.com/Cimpress-MCP/metafig).\n\nSince most plugins will need some kind of secret value, this makes\nit easy to configure your plugins without any danger of accidentally\nhardcoding or committing secret values.\n\nSee the default config in [`config.json`](config.json).\n\nBy default, everything under `plugins` is run through [`metafig`](https://github.com/Cimpress-MCP/metafig). In this case, all of\nthe configuration for the `gitlab` plugin is pulled from the AWS Parameter\nStore, using the `/felix/gitlab` path. All of those values are populated\ninto your configuration object and passed to the plugin when it is\ninstantiated.\n\n#### AWS Settings\n\nBy default, all AWS settings are loaded from the SSM Parameter Store at `/felix/aws`. It needs the following settings:\n\n* `userPath`: The IAM path from which to load all users. This should be `/service/` in order to match the default settings. The Lambda execution role only has access to `/service/` by default, so whatever you choose should be under there somewhere.\n* `snsTopic`: The ARN of the SNS topic to publish Felix reports to. This should be the SNS topic that was created by the Felix deployment.\n\n#### GitLab Settings\n\nBy default, all GitLab settings are loaded from the SSM Parameter Store at `/felix/gitlab`. 
It needs the following settings:\n\n* `token`: A [GitLab API token](https://docs.gitlab.com/ce/user/profile/personal_access_tokens.html) that has access to update build variables for your repositories.\n* `url`: The BaseUrl to the GitLab instance you wish to connect to (e.g. `https://gitlab.mycompany.com/`).\n* `protectedKeys`: A boolean value determining if Felix should mark the build variables containing the keys as protected.\n\n#### SumoLogic Settings\n\nBy default, all SumoLogic settings are loaded from the SSM Parameter Store at `/felix/sumologic`. It needs the following settings:\n\n* `keyId`: A SumoLogic key pair id that has access to update your sources and collectors.\n* `secretKey`: A SumoLogic key pair key that has access to update your sources and collectors.\n* `url`: The BaseUrl to the SumoLogic API you wish to talk to (e.g. `https://api.us2.sumologic.com/api/v1`).\n\n#### Travis Settings\n\nBy default, all Travis settings are loaded from the SSM Parameter Store at `/felix/travis`. It needs the following settings:\n\n* `token`: A TravisCI API Key. You can see [the Travis docs](https://developer.travis-ci.org/authentication) for information on generating this.\n\n## IAM User Configuration \u003ca name = \"iam_config\"\u003e\u003c/a\u003e\n\n**Felix** uses IAM usernames and paths to intuit basic information about what\nthe user is used for and where the keys are stored.\n\nAs an example, `/service/travis/Cimpress-MCP/felix@travis` describes the IAM\nuser used for this project.\n\n**Felix** tries to manage *all* users under `/service/`. The next piece of the path (in this case, `/travis/`) tells Felix about the desired plugin it should\nuse to manage this user. In this case, the `travis` plugin. When the user's\ninformation is passed to the plugin, it uses the rest of the information to\nfigure out how to address that user's credentials in the service. 
In this case,\nit uses the Travis API to manage environment variables in the\n`Cimpress-MCP/Felix` repository.\n\nThe `@travis` at the end of the username is discarded by Felix and used only to\navoid IAM username collisions in case you, for example, also used SumoLogic\nwith your application and needed to manage an S3 hosted collector.\n\nThe cool thing about this is that **Felix** can manage all of your keys and\nusers without you needing to write and maintain a complex configuration file.\nYour users *are* your source of truth.\n\n### IAM User Path Construction \u003ca name = iam_user_path\u003e\u003c/a\u003e\n\n* GitLab: `/service/gitlab/[group]/[project]@gitlab`\n  * Note: subgroups do not work at this time.\n* Sumo: `/service/sumo/[collector]/[source]@sumo`\n* Travis: `/service/travis/[org]/[repo]@travis`\n\n## 👩‍💻 Contributing \u003ca name=\"contributing\"\u003e\u003c/a\u003e\n\nContributions to this project are welcome.  If you'd like to lend a hand and have a member of the Cimpress Open Source community review your work for inclusion, just do a standard pull request:\n\n1. Clone this repo\n1. Make a branch for your work\n1. Do your stuff\n1. Push your branch!\n1. Open a Merge Request.\n1. Your work will be reviewed, commented on, and/or merged.\n\nPlease note that your branch must pass our minimum commit checks prior to consideration:\n![commit-checks](readme-assets/commit-checks.png)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcimpress-mcp%2Ffelix","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcimpress-mcp%2Ffelix","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcimpress-mcp%2Ffelix/lists"}