token_meta_client_arn arn:aws:sts::362381645759:assumed-role/chef-dev/i-0e4653e40480d31ac Now simply use the token to sign in to Vault: curl --request POST --data '{"role": "my-gce-role", "jwt" : "."}' http://vault:8200/v1/auth/gcp/login. In addition to the normal JWT claims (sub, aud, iat, exp), the tokens returned from the metadata server also contain a special. See. $ vault write auth/aws/role/dev-role auth_type=iam policies=dev max_ttl=1h. Future Vault requests will automatically use this token. These issues can lead to an authentication bypass in configurations that use the aws and gcp auth methods, and demonstrate the type of issues you can find in modern cloud-native software. The last step is to enable cross-account access by telling the Vault AWS auth backend which AWS role to use. While or after creating them, you need to assign instances in the dev and qa roles with the dev_role and qa_role tags respectively. As the attacker can just use a service account in their own project, it is straightforward to just grant this permission to the GCP identity Vault is running under or even, is called to grant or deny access. token_meta_canonical_arn arn:aws:iam::362381645759:role/chef-dev How does the /v1/auth/aws/login API endpoint actually work and is there a way an unauthenticated attacker can impersonate a random AWS IAM role? While the OIDC provider setup adds some complexity, we end up with a nice authentication bypass for arbitrary AWS-enabled roles. 1. It is important to note that the AWS account used for this does not need to have any relationship with our target.
token_renewable true This could be a problem if a load balancer in front of the STS API makes routing decisions based on the Host header, but blind testing against the STS host did not lead to any success. If everything goes as planned STS will reflect the token subject as part of its JSON encoded response. However, this operational simplicity is only possible because of hidden complexity in the AWS iam auth method. This means that calling parseGetCallerIdentityResponse with a (JSON encoded) server response such as {abc : xzy} will succeed and return an (empty) CallerIdentityResponse structure. using a service account private key under their control or with the projects.serviceAccounts.signJwt IAM API method. Recently I began working on a project to change how we log into our instances in AWS. Create a minimal OIDC IdP. For example, a configuration could give only VMs in a specific region (europe-west-6) access to certain secrets, allow all VMs in the xyz-prod GCP project access or restrict it even further using instance-groups. And install the vault binary on your EC2 instance as described above. In my experience, tricky vulnerabilities like this often exist where developers have to interact with external systems and services. "arn:aws:iam::111111111111:role/vaultawsauth", "arn:aws:iam::222222222222:role/vaultawsauth", path "acg/globals/data/*" { While STS responses are XML encoded by default, it also supports JSON encoding for clients that send an Accept: application/json HTTP header. Next, we need to create a policy to limit what the instance has access to. "Audience":"abcdef","Credentials":{},"PackedPolicySize":null,"Provider":"arn:aws:iam::242434931706:oidc-provider/oidc-test-wrbvvljkzwtfpiikylvpckxgafdkxfba.s3.amazonaws.com/".

by securitum for an overview about typical issues), so I decided to spend a day on reviewing Vault's token processing. token_duration 768h You could use a different domain for the iam_server_id_header_value and header_value, but they should match each other. News and updates from the Project Zero team at Google. Here are the commands you should run on the Vault server for this example: You can authenticate from a dev instance to Vault with: Knowing the key id and subject of the token, Vault fetches the public key used for signing using the service account GCP API: // If that failed, try to get account-specific key, b.Logger().Debug("Unable to get Google-wide OAuth2 Key, trying service-account public key"), k, saErr := gcputil.ServiceAccountPublicKey(saId, kid), return nil, errwrap.Wrapf(fmt.Sprintf("unable to get public key %q for JWT subject %q: {{err}}", kid, saId), saErr). Deliver the token to the developer securely. This means that calling, with a (JSON encoded) server response such as, {abc : xzy}, This brings us really close to our goal of spoofing an arbitrary caller identity: We just need to find an STS action that reflects attacker-controlled text as part of its API response. You are now authenticated. This boils down to generating an RSA key pair, creating an OIDC discovery.json and key.json document and hosting the json files on a web server (see, register an OIDC IdP -> AWS IAM role mapping. While this will help me solve some problems with the few appliances that I run, I can also see this being very helpful for using with autoscaling groups as well. bound_iam_principal_arn from the CLI tools, but it just wants a raw string. Even with memory-safe languages, strong cryptography primitives, static analysis and large fuzzing infrastructure, some issues can only be discovered by manual code review and an attacker mindset.
Instead of only making authentication decisions based on a service account identity, gce can also grant access based on a number of VM attributes. For #2, what Jason said is true. If the AWS ARN/UserID in our fake GetCallerIdentityResponse has privileges on the Vault server we get a valid session token back, which we can use to interact with the Vault server to fetch some secrets. , you can create a mapping between certain IAM users or roles to Vault roles. API endpoint actually work and is there a way an unauthenticated attacker can impersonate a random AWS IAM role? The Vault server sends the pre-signed requests to the STS host and extracts the AWS IAM information out of the result. We will now illustrate how to use the iam method, by providing two examples. The second statement allows Vault to use STS to do the same validation in other accounts. AustinCloudGuru 2022. For gce, the client is expected to run on an authorized GCE VM. The function uses the Golang standard XML library to decode an XML response into a GetCallerIdentityResponse structure and returns an error if decoding fails. can only be used to authenticate virtual machines running on Google Compute Engine. We are interested in the iam mechanism, which is the recommended variant and also used in our previous Lambda example. Finding a reflected parameter that is not constrained to alpha-numeric characters turns out to be tricky. There is an easy-to-miss problem with this code: Vault never enforces or verifies that the STS response is actually XML encoded. The function parseAndValidateJwt is responsible for processing both gce and iam tokens. Instead of attaching some form of authentication token or credential to API requests, AWS requires clients to. It first parses the token without verifying the signature and passes the decoded token into the, "unable to get public key for signed JWT: %v". ) Let's take a look.
For example, AWS might decide to put STS behind a load balancing frontend, which uses the Host header for routing decisions. 2. A popular example use case is to give clients the ability to upload a file to S3 without giving them access to credentials with write permissions. Exploiting a vulnerability in Vault could give an attacker full access to a wide range of important secrets and large parts of the target's infrastructure. After ruling out the easy way forward, we still have another approach available: Vault does not restrict our URL query parameters. token_accessor 6ad0daa4-e8f5-062d-ed93-3ff126f9290c Rotating old or compromised database credentials is straightforward and can be centrally enforced. If authentication succeeds, Vault returns a short-lived API token for the, role back to the lambda function. This token can now be used to fetch the database secret from Vault. With those tokens set, I can set up my .netrc file so that I can checkout my playbooks and roles from my private GitHub repositories and pass secrets to my Ansible. In this section, we use the ec2 method. token_meta_canonical_arn arn:aws:iam::362381645759:role/roger20180321221209238500000001 token_meta_client_user_id AROAIBMRMFI4BY3T4TSIW token_renewable true Modern cloud IAM solutions are powerful and often more secure than comparable on-premise solutions, but they come with their own security pitfalls and a high implementation complexity. the attacker gets a valid session token back. In practice, only project_id, zone and instance_name are verified and need to be set to valid values. token_renewable true for the (canonicalized) request using the caller's secret access key and attach this signature to the request. token_meta_inferred_entity_id i-07b2ff4cc60049f47. For #2 at least, this bound_iam_principal_arn field accepts only.
If you are implementing this in a multi-account strategy, you will also need to add a new role in each account that Vault can assume to validate instance resources. This role includes the first statement from above that allows Vault to validate the instance that is authenticating. If we follow the control flow of the gce method to the end we can see that Vault uses loginInfo.GceMetadata as part of its auth decision in pathGceLogin if two conditions are met: The VM described in the metadata section needs to exist. As its name implies, GetCallerIdentity returns details about the IAM role or user whose credentials were used to call the API. Of course, a normal OIDC provider won't sign a JWT with an XML payload in the subject field. This means we are not limited to pre-signing requests to GetCallerIdentity and can create requests to any action of the STS API. You can enable and test Vault's AWS auth method following the steps below. Click the "Create policy" button to save. Still, an attacker can just create their own OIDC Identity Provider (IdP), register it on an AWS account they own and sign arbitrary tokens with their own keys.
