#random

Sam Hulick

01/10/2022, 6:12 PM
I just spoke with a friend who works at a major telecom company and she said they only give them temporary AWS credentials (that start with ASIA*) AND they change the credentials every 30 mins. Is this unusual? How on earth are you supposed to work with a temporary STS key?

thdxr

01/10/2022, 6:12 PM
I only use temporary keys but not sure if that's the same thing

Sam Hulick

01/10/2022, 6:13 PM
Does it start with AKIA or ASIA?

thdxr

01/10/2022, 6:13 PM
no but it only lasts 1 hour

Sam Hulick

01/10/2022, 6:13 PM
It's not an AWS access key?
Does it interrupt you every hour? I have no clue how it works

Dennis Dang

01/10/2022, 8:49 PM
That sounds terrible and is terrible. We generate STS keys that last 24 hours, if you generate them with your AWS credentials. But if you generate via email/pw, a new teammate found it resets every hour. He thought this was the norm for a whole month 🥲. Terrible experience though and a huge deep focus interruption.

thdxr

01/10/2022, 8:50 PM
I use AWS SSO, which I log in to once a day (expires every 12 hours). That allows continuous regeneration of STS tokens for 12 hours (they're valid for 1 hour).
This is the setup I'd recommend for everyone

Dennis Dang

01/10/2022, 9:33 PM
nice, that's been recommended once before, we'll have to try.

Sam Hulick

01/10/2022, 9:48 PM
@thdxr I have NO clue about AWS SSO at all. I have a root account that's locked down with MFA (I don't use that acct), and an IAM user that I personally use to sign into the console & do dev stuff. Is this not ideal?

thdxr

01/10/2022, 9:53 PM
If I put my "AWS nerd" hat on - yes, it's not ideal. IAM is no longer recommended for humans because it issues long-lived credentials, and from an organizational perspective it's a bit challenging to control access + define policies centrally. AWS SSO is actually a really good service (rare for AWS lol). You can use it standalone or link it with your SSO provider (I use Google Workspaces) so people can sign in with the same credentials they use to sign in for everything else. Then they can generate short-lived credentials (if they leak, they expire within an hour anyway) that are used to assume roles in your various AWS accounts. AWS SSO does a good job hiding this complexity and it feels pretty seamless in most places. One rough area is that not all of aws-sdk knows how to refresh tokens from AWS SSO yet, so there's a small additional helper you'll need, but other than that I love it.
I just have to make sure the Google Workspaces account is locked down, has 2FA, required password rotation, etc., and everything else is downstream.

Sam Hulick

01/10/2022, 9:56 PM
wow, sounds pretty good! so with SSO, I won’t need an IAM user?
SSO will log me into the console

thdxr

01/10/2022, 10:01 PM
That's right - you can define roles in AWS SSO + who has access to assume them. It'll take care of mirroring that role in each aws account and allowing you to assume it

Carlos Daniel

01/10/2022, 11:36 PM
I've used SSO too, it really makes sense, improving security with temporary keys.

Chad (cysense)

01/11/2022, 4:38 AM
+1 for using SSO. Definitely the recommended approach from a security/best practices/usability perspective

Sam Hulick

01/11/2022, 5:14 AM
cool! I'll look into it tomorrow. I found an AWS blog post on hooking up SSO with Google Workspace.
I just set up AWS SSO w/ Google. man, so much easier now! no need to plug in my Yubikey every day to log in 😄

Carlos Daniel

01/19/2022, 4:31 PM
oh really? I will search for that for sure

Carlos Daniel

01/19/2022, 4:31 PM
can you send the blog post you mentioned the other day?

Sam Hulick

01/19/2022, 4:31 PM
super easy

Carlos Daniel

01/19/2022, 4:31 PM
ah thanks