Custom AWS SSM policy for ssm start-session - amazon-ecs

How do I write a policy for ssm start-session with a custom session ID, which tells the username, who started the session.
I am following this https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-restrict-access-quickstart.html but not sure where to give the customization for user details in the session ID.
Current session ID are like this for example : botocore-session-16685453943-0aa60a4d74bb63458f

Related

Creating Service Principle for a specific Azure user

In the quickstart it talks about creating a service principle for the current user. I want to have more of a hierarchical security structure. I would be the current user and I want to have "super-user" or admin rights to this key vault. However I have created another user that would have lower access rights. For both of these scenarios I gather I need to generate a unique service principle name. How do I generate a service principle name for an arbitrary Azure User?
You can just create another service principal name under your current account for this created user. And you just need to assign the lower access rights to the key vault for this service principal. Then the user can access to the key vault with this service principal which has lower access permission.
An Azure service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources. You can create as many as service principals as you want for different access permissions. If you want to generate a service principal under the created user account, you might have to login as this created user. Otherwise, i am afraid it cannot be done.
You can also set the access permission for this user to this key vault directory without using service principal. See here
az keyvault set-policy --name keyVaultName --object-id userObjectId --secret-permissions permissions --key-permissions permissions
You can get the user's Object id with below command: See here
az ad user show --id <email-address-of-user>

What is the Significance of "Session Token" in AWS temporary credentials?

I am using AWS temporary credentials obtained in exchange from the Cognito Id token.
The temporary credentials contains Access Key,Secret Key and Session Token.
What is the significance of "Session Token" here and where it can be used?
Looks like it is just used by AWS to validate the credentials:
When you make a call using temporary security credentials, the call must include a session token, which is returned along with those temporary credentials. AWS uses the session token to validate the temporary security credentials.

How do I set up username/password authentication with Hashicorp Vault

I'm just trying out the new Vault UI. I'd like to be able to log in with a username and password. How do I create a new user from the command line so I can log in with a username and password?
Create a new user like so:
vault write auth/userpass/users/<username> policies=default password=<passwd>
You have to be authenticated as root (or another user with sufficient permissions) and have enabled the userpass auth method.

AD Service Principal for Azure Container Registry from Azure Batch container configuration?

I am trying to use Docker images from an Azure Container Registry as tasks in Azure Batch. In the Docker CLI, I can authenticate to the ACR using an Active Directory Service Principal's credentials, with the application ID as the username and the key as the password, as per the ACR documentation.
When I attempt to use the web portal to manually enter those credentials in the a new pool VM container registry settings, I receive the following error on submission:
The value provided for one of the properties in the request body is invalid.
The maximum length of user name that can be specified on a containerRegistry is 20
If I use the AzureRm.Batch Powershell module cmdlets, the pool is created however the containerRegistry and containerImages properties are null.
Can this AD SP authentication method be used with Azure Batch VM container registration configuration? Do I need to use a specific SDK to accomplish this?
This was fixed on March 16th, 2018.

Can values passed in as parameters be retrieved from CloudFormation for other uses?

I have Windows user account credentials passed in as parameters in a CloudFormation template. Using SSM/EC2Config I will need to execute commands on my instances associated with this template, but since only one specific user account on Windows has been granted access to resources I need, I need to specify these same credentials when I execute my Powershell commands via SSM (as just running as Administrator will not have the proper access).
The commands will be run later, not at instance launch. Is there any way for me to grab these credentials from CloudFormation? Or any other way to achieve this or something similar?
As long as the parameters in question do not have the NoEcho property explicitly set to true (it defaults to false), then you can retrieve the parameter values using the describe-stacks call from any of the various tools (e.g. AWS API, CLI, or SDK of your choice). If NoEcho is set to true, you won't be able to retrieve those parameter values.
To run the command, you will need to either run it from an instance that's running with an IAM role / instance profile which has the correct permissions to call describe-stacks, or the tool has been configured with AWS security credentials (i.e. Access Key Id and Secret Access Key) that have permission.
AWS CLI examples:
aws cloudformation describe-stacks --region <region> --stack-name <stack-name>
By default, you'll notice the parameters are embeded in a JSON response, along with a bunch of other information about the stack. To be more useful in scripting, you could use a JMESPath query to narrow down the data returned to just the parameter's value:
aws cloudformation describe-stacks --region <region> --stack-name <stack-name> --query 'Stacks[*].Parameters[?ParameterKey == `<parameter-name>`].ParameterValue' --output text