{"id":34774922,"url":"https://github.com/cloudtruth/aws-bastion","last_synced_at":"2025-12-25T08:13:59.803Z","repository":{"id":38294670,"uuid":"222587120","full_name":"cloudtruth/aws-bastion","owner":"cloudtruth","description":"A docker container which provides ssh/vpn by using AWS IAM groups to control access","archived":false,"fork":false,"pushed_at":"2022-06-07T21:31:57.000Z","size":43,"stargazers_count":9,"open_issues_count":1,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2023-03-04T09:38:07.853Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cloudtruth.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-11-19T02:07:28.000Z","updated_at":"2022-07-18T20:44:53.000Z","dependencies_parsed_at":"2022-09-09T21:31:19.520Z","dependency_job_id":null,"html_url":"https://github.com/cloudtruth/aws-bastion","commit_stats":null,"previous_names":[],"tags_count":null,"template":null,"template_full_name":null,"purl":"pkg:github/cloudtruth/aws-bastion","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudtruth%2Faws-bastion","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudtruth%2Faws-bastion/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudtruth%2Faws-bastion/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudtruth%2Faws-bastion/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cloudtruth","download_url":"https://codeload.github.com/cloudtruth/aws-bastion/t
ar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudtruth%2Faws-bastion/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28024398,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-12-25T02:00:05.988Z","response_time":58,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-12-25T08:13:59.042Z","updated_at":"2025-12-25T08:13:59.792Z","avatar_url":"https://github.com/cloudtruth.png","language":"Ruby","readme":"About\n-----\n\nA docker container which provides ssh/vpn by using AWS IAM groups to control\nwhich IAM users can ssh in, authenticating with the ssh public key stored for those users in\nIAM (only they have the private key).  This lets one control ssh/vpn access to a\nVPC without having to deal with credentials: you just have to put users in the\nright group to enable them to ssh in and remove them from the group to disable\nthem, and they retain full control over the ssh keypair used for authentication.\n\nInstall\n-------\n\nAs a convenience, you can use the cloudtruth/aws-bastion image that is built and\npushed to the [docker registry](https://hub.docker.com/r/cloudtruth/aws-bastion)\nas part of CI/CD.  You can also build your own image from this repo so as to\ncustomize which system packages get installed to the bastion image.\n\nSet up a docker runtime and configure it with the environment variables:\n * `BASTION_ACCOUNT`: The account in which to assume a role for looking up IAM users and groups\n * `BASTION_ROLE`: The role to assume for looking up IAM users and groups\n * `BASTION_SSH_GROUPS`: The IAM group whose members are granted permission to ssh into the bastion\n * `BASTION_SUDO_GROUPS`: The IAM group whose members are granted permission to sudo on the bastion\n * `BASTION_IAM_USER_PATTERN`: The pattern to use for converting between IAM and system usernames, e.g. \"\\[user\\]@mydomain.com\"\n * `BASTION_FRONTLOAD_USERS`: Creates system users for all known IAM users on container start; otherwise each system user is created on that user's first connection\n * `AWS_*`: AWS credentials as needed.  You won't need to set them if using instance/ECS roles when running the bastion container\n\n * local: docker-compose is already set up to test against a stub AWS server (moto),\nbut you can override the `AWS_*` variables in the environment or a .env file to\nrun against AWS\n * AWS: Configure your AWS container setup (ECS Fargate, EKS, Docker Swarm, custom,\netc.) for a bastion service with the above environment.  Note that your security groups and network settings need to allow the bastion\nhost to connect to the internal systems it should have network access to.\n\n * Create an IAM group that indicates ssh access to the bastion is allowed\n * Create an IAM group that indicates sudo access on the bastion is allowed\n * Add the desired IAM users to the groups for the capabilities they should have\n\nUsage\n-----\n\nRun your container\n * local: `docker-compose up`  Note that you'll need to have AWS environment\nvariables set for the container to be able to query real IAM.  docker-compose is\nset up to use moto locally.\n * AWS: `docker-compose build` or plain docker build, then deploy the built image.\n\nEach IAM user should add ssh public keys to their IAM user at:\nAWS Console -\u003e IAM -\u003e Users -\u003e \u003ctheir user\u003e -\u003e Security credentials -\u003e Upload SSH public key\n\nThe bastion will authenticate against all active keys set for a user.  The\nbastion has a primitive mapping between IAM and system usernames using the\nBASTION_IAM_USER_PATTERN environment variable.\n\nSSH to your container\n * Plain ssh: `ssh user@bastion_hostname`\n * SSH with a socks proxy: `ssh -D\u003clocal_socks_port\u003e user@bastion_hostname`\n * VPN with [sshuttle](https://sshuttle.readthedocs.io/en/stable/): `sudo sshuttle --dns -r user@bastion_hostname 0/0`\n\nNote that when a user first connects to a new instance of the bastion container,\nthey get prompted for a password.  Hit enter until it disconnects; subsequent\nconnections will then succeed with their ssh keys.  If someone has a way\nto create a system user that ssh can use as part of the first connection, I\nwould love to know how.\n\nTesting\n-------\n\n`docker-compose up -d \u0026\u0026 docker-compose run dev test`\n\nSecurity\n--------\n\nUse this at your own risk!  I've tried to make this as secure as I know how,\nprotecting more from external agents than from people I trust to manage my\ninfrastructure.  While I think it is secure enough for the ways in which I use\nit, please let me know if it can be improved.","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudtruth%2Faws-bastion","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcloudtruth%2Faws-bastion","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudtruth%2Faws-bastion/lists"}