{"id":17492117,"url":"https://github.com/imranismail/cloudcreds","last_synced_at":"2025-04-22T20:16:13.189Z","repository":{"id":64304162,"uuid":"210889572","full_name":"imranismail/cloudcreds","owner":"imranismail","description":"Secure access to your organization's AWS accounts for both programmatic and console use-case via federated identity and short-lived credentials","archived":false,"fork":false,"pushed_at":"2023-02-25T00:52:32.000Z","size":157,"stargazers_count":7,"open_issues_count":3,"forks_count":0,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-04-22T20:16:06.300Z","etag":null,"topics":["aws","federated-identity","google","oauth","oidc","security"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/imranismail.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-09-25T16:19:57.000Z","updated_at":"2019-11-01T04:46:41.000Z","dependencies_parsed_at":"2024-06-20T09:19:41.279Z","dependency_job_id":"4dae3b2c-8f06-4986-a176-d02baa0fd457","html_url":"https://github.com/imranismail/cloudcreds","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/imranismail%2Fcloudcreds","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/imranismail%2Fcloudcreds/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/imranismail%2Fcloudcreds/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/Gi
tHub/repositories/imranismail%2Fcloudcreds/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/imranismail","download_url":"https://codeload.github.com/imranismail/cloudcreds/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250316066,"owners_count":21410476,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","federated-identity","google","oauth","oidc","security"],"created_at":"2024-10-19T08:07:57.958Z","updated_at":"2025-04-22T20:16:13.172Z","avatar_url":"https://github.com/imranismail.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Cloudcreds\n\nSecure access to your organization's AWS accounts for both programmatic and console use-case via federated identity\n\n- ✅ Credentials are short-lived (Min: 1h, Max: 12h)\n- ✅ Fine-grained RBAC (via [Google Admin CustomSchemas](https://developers.google.com/admin-sdk/directory/v1/guides/manage-schemas))\n- ✅ Easy deployment (via docker, kustomize and executables)\n\nDemo 👇\n\n[![Demo](https://img.youtube.com/vi/onBf6JFj-IU/0.jpg)](https://www.youtube.com/watch?v=onBf6JFj-IU)\n\n## Config Reference\n\n*All values are default*\n\nCan either be stored in `~/.cloudcreds.yaml` or set using env vars `CLOUDCREDS_PATH_TO=value`\n\n```yaml\n# debug flag\ndebug: false\nclient:\n  # Local URL to host and open the temporary client-server to initiate auth with cloudcreds server\n  url: \"http://127.0.0.1:1338\"\n  # cloudcreds server URL\n  server_url: \"http://127.0.0.1:1337\"\nserver:\n  # oauth credentials\n  # 
this is needed to allow a Google federated user to assume an AWS IAM role\n  # you can follow this tutorial to generate them:\n  # https://support.google.com/cloud/answer/6158849\n  client_credentials: |\n    {...client-credentials.json}\n  # service account credentials\n  # this is needed to fetch the roles a user is permitted to assume\n  # you can follow this tutorial to generate them:\n  # https://developers.google.com/admin-sdk/directory/v1/guides/delegation\n  service_account_key: |\n    {...service-account-key.json}\n  # public URL of the server\n  url: \"https://cloudcreds.internal.acme.com\"\n  # hostname to bind to\n  hostname: \"127.0.0.1\"\n  # port to bind to\n  port: 1337\n  # key used to encrypt the cookie session\n  session_key: please-set-this-to-a-high-entropy-string\n  # Google hosted domain whose users are allowed to sign in\n  hosted_domain: \"acme.com\"\n```\n\n## Getting Started\n\n### Create an OAuth Client\n\nCreate a Google OAuth client by following this guide: https://support.google.com/cloud/answer/6158849?hl=en\n\n- Make sure it's an internal app usable only by your hosted domain, i.e. accounts whose email domain is \"acme.com\".\n- Whitelist this URL pattern: `https://$CLOUDCREDS_SERVER_URL/callback`\n- Generate a client credential and download the JSON file\n\n### Create a Service Account\n\nCreate a Google service account so the server can read each user's assigned roles in G Suite, following this guide: https://developers.google.com/admin-sdk/directory/v1/guides/delegation\n\n- Make sure you've attached the `https://www.googleapis.com/auth/admin.directory.user.readonly` scope to the service account in the G Suite settings\n- Download the service account key JSON file\n\n### Create an IAM Role for Web Identity\n\nCreate an IAM role on AWS with any permissions you'd like to grant this role. 
Next, attach a trust policy to this role that allows it to be assumed with a Web Identity from your OAuth client. The `accounts.google.com:aud` condition pins the role to your own client ID, so a Google ID token issued to any other application cannot assume it.\n\n```json\n{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"Federated\": \"accounts.google.com\"\n      },\n      \"Action\": \"sts:AssumeRoleWithWebIdentity\",\n      \"Condition\": {\n        \"StringEquals\": {\n          \"accounts.google.com:aud\": \"\u003cgoogle-oauth-client-id\u003e\"\n        }\n      }\n    }\n  ]\n}\n```\n\n### Attach IAM Roles to GSuite Users\n\nFollow this tutorial to create a custom attribute for your users: https://support.google.com/a/answer/6208725?hl=en\n\nThe category has to be named `Amazon Web Service`\n\n![aws](./docs/images/aws-custom-attributes.png)\n\nOnce that's done, attach any IAM role that has the correct trust policy attached to it:\n\n![adding-attribs](./docs/images/adding-custom-attributes.png)\n\n### Setup Server\n\nIf you're using Docker or another container-based platform, you can run the server like this:\n\n```bash\ndocker run \\\n  -e CLOUDCREDS_SERVER_CLIENT_CREDENTIALS=\u003cclient-credentials-json\u003e \\\n  -e CLOUDCREDS_SERVER_SERVICE_ACCOUNT_KEY=\u003cservice-account-key.json\u003e \\\n  -e CLOUDCREDS_SERVER_HOSTED_DOMAIN=acme.com \\\n  imranismail/cloudcreds:v0 serve\n```\n\nIf you want to test this out locally, you can use a config file instead of environment variables. 
Create a file in `~/.cloudcreds.yaml` with the following content\n\n```yaml\nserver:\n  client_credentials: |\n    {...client-credentials.json}\n  service_account_key: |\n    {...service-account-key.json}\n  hosted_domain: \"acme.com\"\n```\n\nRun `cloudcreds serve` to fire up a local server\n\n### Setup Client\n\nCreate a file in `~/.cloudcreds.yaml` with the following content:\n\n```yaml\nclient:\n  url: \"http://127.0.0.1:1338\"\n  server_url: \"http://127.0.0.1:1337\"\n```\n\n### Assuming Role\n\nThen you can use one of the following commands to access AWS\n\n`cloudcreds login`\n\nor\n\n`cloudcreds console`\n\nDo the whole OAuth dance and once that's done you will be shown a page to select a role:\n\n![assume-role](./docs/images/assume-role.png)\n\nAssuming a role will either output the credentials to your CLI or redirect you to AWS Console","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fimranismail%2Fcloudcreds","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fimranismail%2Fcloudcreds","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fimranismail%2Fcloudcreds/lists"}