Show HN: Leapp – Multi-cloud credentials tool for developers (leapp.cloud)
35 points by andreacavagna on June 30, 2021 | 7 comments



Less than a year ago, my team and I decided to develop an essential tool that securely manages programmatic (CLI/SDK) access to AWS resources distributed among several Cloud accounts.

Temporary credentials access was a constraint for accessing the Cloud in our company, so we decided to build an open-source (https://github.com/Noovolari/leapp) tool for every access method on your behalf.

Leapp manages different access methods: IAM Users, IAM Roles federated with multiple Identity Providers (G Suite, Okta, and OneLogin at the time), IAM Role Chained to another AWS entity (the cross-account Role access thing), AWS Single Sign-On Roles, and Azure Subscriptions by now.

Leapp securely stores developers' information (like AWS Access Keys and Secret Keys) and generates short-lived credentials accessible to any CLI, SDK, and external library.

The idea of the App is to provide the Cloud credentials I need only when required. Otherwise, the Cloud Credentials file is cleaned and not accessible to any attackers.

We integrate the project with specific services like AWS Single Sign-On, the automatic provisioning of the account available to access, and AWS System Manager Session Manager to access EC2 instances directly from the App.

I'm also finalizing the Access to other Cloud providers (Google Cloud Platform and Alibaba Cloud) in the following months.

Hundreds of developers are downloading it, and the most common reaction is: "It's addictive. I don't want to go back to anything else."

After all those requests, from today, we will help the company-wide adoption of the project with enterprise support of the open-source project.

https://www.leapp.cloud/support


I use aws-vault and the best feature (apart from storing in your keychain, etc.) is the fact that you can execute commands with the tokens in a shell environment it launches (aws-vault exec my-profile -- some-command-which-gets-the-aws-env-vars.sh). That way we never even have to store the temporary credentials on the filesystem unencrypted.


We are going to implement a custom credentials process for AWS too with the Leapp Daemon, it's in the roadmap of the project.

Thanks for pointing it out.

The main difference is that Leapp also disables the profiles whenever they are not needed, so attackers can't find even the credential process attached to a profile that is not in use.

The main idea is to bring only the least credentials needed in order to make developers work.

Check the specification for an in-depth explanation: https://github.com/Noovolari/leapp/wiki/specs


I happily stumbled across Leapp a few months ago - such an improvement for AWS SSO.

Really looking forward to GCP support when it's ready.


We are close to supporting GCP with the new core business logic of the Leapp Daemon:

https://github.com/Noovolari/leapp-daemon

In the next releases we will move the business logic from Electron to here.

The Electron App and a CLI will communicate with the Leapp Daemon.

Btw, the daemon is close to managing GCP and Alibaba Cloud Sessions!


Would love to test it out! Have been evaluating Chamber (https://github.com/segmentio/chamber) to solve the same/similar problem. But Leapp has a UI (cool looking!), so it's an obvious advantage.

Would be keen to hear what other differences Leapp developers would name in comparison to Chamber. Thanks!


Chamber is a wrapper around AWS Session Manager Parameter store.

To make Chamber work, you need a set of AWS Credentials. Leapp, by now, manages those AWS credentials and ensures that only short-lived credentials will be stored in the ~/.aws files.

Chamber can be a sort of Action of Leapp, like what happens with AWS SSM in Leapp, so for each Leapp Session you can, in the app, access an EC2 instance directly from Leapp, without any pem key, via AWS Session Manager System Manager.

So the goals of the 2 tools are a bit different, we work to secure and provide access to the Cloud, Leapp is an enabler to work in cloud for developers.

If you want to better understand the goals of the app, refer to the specification:

https://github.com/Noovolari/leapp/wiki/specs
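
An added example, not part of the thread and not Leapp's or aws-vault's code: a small Python check for the goal discussed above, that only short-lived credentials sit in the ~/.aws files. It assumes the standard AWS key-ID prefixes (AKIA for IAM user keys, ASIA for STS temporary keys); the sample file content and the function names are constructed for illustration.

```python
import configparser

# Constructed sample of a ~/.aws/credentials file; every value is a fake placeholder.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = ASIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-secret-value
aws_session_token = constructed-session-token

[legacy-deploy]
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-secret-value

[empty-profile]
"""

def classify_profiles(text):
    """Map each profile name to 'temporary', 'long-lived', 'inconsistent' or 'empty'."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    result = {}
    for name in parser.sections():
        section = parser[name]
        key_id = section.get("aws_access_key_id", "").strip()
        has_token = bool(section.get("aws_session_token", "").strip())
        if not key_id:
            result[name] = "empty"          # profile present, no key material on disk
        elif key_id.startswith("ASIA") and has_token:
            result[name] = "temporary"      # STS-issued, expires on its own
        elif key_id.startswith("AKIA") and not has_token:
            result[name] = "long-lived"     # IAM user key, valid until rotated
        else:
            result[name] = "inconsistent"   # prefix and token disagree; inspect by hand
    return result

def long_lived_profiles(text):
    """Profiles that break the 'only short-lived credentials on disk' goal."""
    kinds = classify_profiles(text)
    return sorted(name for name, kind in kinds.items() if kind == "long-lived")

if __name__ == "__main__":
    for profile, kind in classify_profiles(SAMPLE_CREDENTIALS).items():
        print(f"{profile}: {kind}")
```

To audit a real workstation, pass the text of the credentials file to `long_lived_profiles` and treat any returned profile name as a key to rotate or move into a keychain-backed tool.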



