{"id":18866818,"url":"https://github.com/ing-bank/rokku-sts","last_synced_at":"2025-04-14T14:31:16.293Z","repository":{"id":53799420,"uuid":"149246762","full_name":"ing-bank/rokku-sts","owner":"ing-bank","description":"STS service for the Rokku project: https://github.com/ing-bank/rokku","archived":false,"fork":false,"pushed_at":"2023-07-25T12:07:52.000Z","size":995,"stargazers_count":9,"open_issues_count":1,"forks_count":4,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-03-28T03:32:26.549Z","etag":null,"topics":["rokku","sts"],"latest_commit_sha":null,"homepage":"","language":"Scala","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ing-bank.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-09-18T07:30:59.000Z","updated_at":"2023-05-26T20:28:47.000Z","dependencies_parsed_at":"2023-01-22T01:45:58.147Z","dependency_job_id":null,"html_url":"https://github.com/ing-bank/rokku-sts","commit_stats":null,"previous_names":[],"tags_count":95,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ing-bank%2Frokku-sts","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ing-bank%2Frokku-sts/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ing-bank%2Frokku-sts/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ing-bank%2Frokku-sts/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ing-bank","download_url":"https://codeload.github.com/ing-bank/rokku-sts/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","ki
nd":"github","repositories_count":248897105,"owners_count":21179540,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["rokku","sts"],"created_at":"2024-11-08T05:07:37.284Z","updated_at":"2025-04-14T14:31:15.917Z","avatar_url":"https://github.com/ing-bank.png","language":"Scala","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Build Status](https://travis-ci.org/ing-bank/rokku-sts.svg?branch=master)](https://travis-ci.org/ing-bank/rokku-sts)\n[![codecov](https://codecov.io/gh/ing-bank/rokku-sts/branch/master/graph/badge.svg)](https://codecov.io/gh/ing-bank/rokku-sts)\n[![](https://images.microbadger.com/badges/image/wbaa/rokku-sts:latest.svg)](https://hub.docker.com/r/wbaa/rokku-sts/tags/)\n\n# Rokku STS\n\nSTS stands for Short Token Service. 
The Rokku STS performs operations that are specific to managing service tokens.\nFor a higher-level view of the purpose of the Rokku STS service, please view the [Rokku](https://github.com/ing-bank/rokku) project.\n\nThe Rokku STS simulates the following STS actions:\n * [GetSessionToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html)\n * [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html)\n\nThis is the internal endpoint that is exposed:\n\n\n * **Checks if a user's credentials are active**\n\n        /isCredentialActive?accessKey=userAccessKey\u0026sessionToken=userSessionToken\n\n   Response status:\n\n   * _FORBIDDEN_\n   * _OK_\n\n       * With the following response body (for status OK):\n   ```json\n     {\n     \"userName\": \"testuser\",\n     \"userGroups\": \"testGroup\",\n     \"accessKey\": \"userAccessKey\",\n     \"secretKey\": \"userSecretKey\",\n     \"userRole\": \"userRole\"\n     }\n   ```\n\n\n## Quickstart\n#### What Do You Need\n\nTo get a quickstart on running the Rokku STS, you'll need the following:\n* Docker\n* SBT\n\n1. Launch the Docker images that contain the dependencies for Rokku STS:\n\n        docker-compose up --build --force-recreate\n\n2. When the Docker services are up and running, you can start the Rokku STS:\n\n        sbt run\n\n3. Have fun requesting tokens\n\n## Architecture\n\n[MVP1](docs/mvp1-flow.md)\n\n#### Dependencies\nThe STS service is dependent on two services:\n\n* [Keycloak](https://www.keycloak.org/) for MFA authentication of users.\n* [Redis] A persistence store to maintain the user and session tokens issued.\n\n\n## Test (mock version)\n\n`docker run -p 12345:12345 wbaa/rokku-sts:latest`\n\nTo get the credentials you need to provide a valid token in one of the following places:\n* header `Authorization: Bearer valid`\n* cookie `X-Authorization-Token: valid`\n* parameter or form `WebIdentityToken=valid`\n\n### ```http://localhost:12345?Action=GetSessionToken```\n\nreturns:\n\n```xml\n\u003cGetSessionTokenResponse\u003e\n    \u003cGetSessionTokenResult\u003e\n        \u003cCredentials\u003e\n            \u003cSessionToken\u003e\n             okSessionToken\n            \u003c/SessionToken\u003e\n            \u003cSecretAccessKey\u003e\n             secretKey\n            \u003c/SecretAccessKey\u003e\n            \u003cExpiration\u003e2019-07-11T19:55:29.611Z\u003c/Expiration\u003e\n            \u003cAccessKeyId\u003eokAccessKey\u003c/AccessKeyId\u003e\n        \u003c/Credentials\u003e\n    \u003c/GetSessionTokenResult\u003e\n    \u003cResponseMetadata\u003e\n        \u003cRequestId\u003e58c5dbae-abef-11e0-8cfe-09039844ac7d\u003c/RequestId\u003e\n    \u003c/ResponseMetadata\u003e\n\u003c/GetSessionTokenResponse\u003e\n```\n\n### ```http://localhost:12345?Action=AssumeRole\u0026RoleArn=arn:aws:iam::account-id:role/admin\u0026RoleSessionName=test```\n\nreturns:\n\n```xml\n\u003cAssumeRoleResponse\u003e\n      \u003cAssumeRoleResult\u003e\n        \u003cAssumedRoleUser\u003e\n            \u003cArn\u003earn:aws:iam::account-id:role/admin/test\u003c/Arn\u003e\n            \u003cAssumedRoleId\u003eid:test\u003c/AssumedRoleId\u003e\n        \u003c/AssumedRoleUser\u003e\n        \u003cCredentials\u003e\n            \u003cSessionToken\u003eokSessionToken\u003c/SessionToken\u003e\n            \u003cSecretAccessKey\u003esecretKey\u003c/SecretAccessKey\u003e\n            \u003cExpiration\u003e2019-10-07T20:08:57.450Z\u003c/Expiration\u003e\n            \u003cAccessKeyId\u003eokAccessKey\u003c/AccessKeyId\u003e\n        \u003c/Credentials\u003e\n      \u003c/AssumeRoleResult\u003e\n      \u003cResponseMetadata\u003e\n        \u003cRequestId\u003e4265be0e-6246-4e3a-af72-b1a7cc997a94\u003c/RequestId\u003e\n      \u003c/ResponseMetadata\u003e\n\u003c/AssumeRoleResponse\u003e\n```\n_the [dev keycloak docker](https://github.com/ing-bank/rokku-dev-keycloak) has a `userone` who has the admin role._\n\n\n### ```http://localhost:12345/isCredentialActive?accessKey=okAccessKey\u0026sessionToken=okSessionToken```\nreturns status OK or Forbidden\n\nNOTE: since the endpoint is protected with a token, you may need to add a header with the token to access the isCredentialActive endpoint\n\n```\nDefault token, which should match the settings in the test reference.conf file\n\n-H \"Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzZXJ2aWNlIjoicm9ra3UiLCJpc3MiOiJyb2trdSJ9.aCpyvC53lWdF_IOdZQp0fO8W4tH_LeK3vQcIvt5W1-0\"\n```\n\n### aws cli\n\n```bash\naws sts get-session-token  --endpoint-url http://localhost:12345 --region localhost --token-code validToken\n```\n\n```bash\naws sts assume-role --role-arn arn:aws:iam::account-id:role/admin --role-session-name testrole --endpoint-url http://localhost:12345 --token-code validToken\n```\n\n## NPA users\n\nSTS allows users with the `KEYCLOAK_NPA_ROLE` to be registered as NPAs. 
Only these users will have access to the `/npa/*` endpoints.\nWhen a user is registered as an NPA it can authenticate itself without needing a session token from Keycloak.\nIf the user already exists and AWS credentials have already been issued for it, this operation will not be allowed and the request will\nreturn a 409 Conflict.\n\n### Registering a user as an NPA\n```\n curl -X POST \"127.0.0.1:12345/npa/registry\" -H \"Authorization: Bearer $keycloak_token_session\"\n```\nThe response to the above request will be of the form\n```json\n{\n    \"accessKey\": \"the-npa-access-key\",\n    \"secretKey\": \"the-npa-secret-key\"\n}\n```\n\n### Getting NPA credentials\n```\n curl -X GET \"127.0.0.1:12345/npa/credentials\" -H \"Authorization: Bearer $keycloak_token_session\"\n```\nThe response to the above request will be of the form\n```json\n{\n    \"accessKey\": \"the-npa-access-key\",\n    \"secretKey\": \"the-npa-secret-key\"\n}\n```\n\n\n### Old deprecated admin API for NPA users\n\nSTS allows NPA (non-personal account) access in cases where a client is not able to authenticate\nwith the Keycloak server.\nIn order to notify STS that a user is an NPA user, the steps below need to be done:\n\n1. The user needs to be in the administrator groups (user groups are taken from Keycloak)\n\n2. Check the setting of the value `STS_ADMIN_GROUPS` in application.conf and set the groups accordingly. The config accepts a\ncomma-separated string: \"testgroup, othergroup\"\n\n3. A safe needs to exist with the correct name in Vault, otherwise secrets will not be written to Vault (a 404 in the logs is an indication of that)\n\n4. Use Postman or another tool of choice to send the following x-www-form-urlencoded values:\n\n```\nnpaAccount = value\nsafeName = value\nawsAccessKey = value\nawsSecretKey = value\n```\n\nas POST:\n\n```\ncurl -X POST \\\n     -d \"npaAccount=${NPA_ACCOUNT}\u0026safeName=${SAFE_NAME}\u0026awsAccessKey=${NPA_ACCESS_KEY}\u0026awsSecretKey=${NPA_SECRET_KEY}\" \\\n     -H \"Authorization: Bearer ${KEYCLOAK_TOKEN}\" \\\n     http://127.0.0.1:12345/admin/npa\n```\n\nNPA user access keys and account names must be unique, otherwise adding the NPA will fail.\n\nThe user must also:\n- be allowed in Ranger Server policies to access Ceph S3 resources\n\nWhen accessing Rokku with the AWS CLI or SDK, just export `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`\nwith NO `AWS_SESSION_TOKEN`.\n\n\n## Enable or disable user account\n\nSTS user account details are taken from Keycloak, but additionally one can mark a user account as disabled in Rokku-STS\nby running:\n```\nEnable:\ncurl -H \"Authorization: Bearer ${KEYCLOAK_TOKEN}\" -X PUT http://localhost:12345/admin/account/{USER_NAME}/enable\n\nDisable:\ncurl -H \"Authorization: Bearer ${KEYCLOAK_TOKEN}\" -X PUT http://localhost:12345/admin/account/{USER_NAME}/disable\n```\n\nThe user needs to be in the administrator groups (user groups are taken from Keycloak). Check the setting of the value `STS_ADMIN_GROUPS` in application.conf and set the groups accordingly.\n\n## Production settings\n\nIf you plan to run rokku-sts in non-dev mode, make sure you at least set the following ENV value or edit application.conf:\n\n```\nSTS_MASTER_KEY = \"radomKeyString\"\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fing-bank%2Frokku-sts","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fing-bank%2Frokku-sts","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fing-bank%2Frokku-sts/lists"}