Key management is a nightmare. It started with keys everywhere; then we all started sticking our keys, tokens, and break-glass passwords into a vault or password manager and rotating them on a schedule.
Storing secrets has become a business — but how do you manage AWS access tokens for your users?
Developers and engineers regularly need credentials to use the AWS CLI. Those credentials are usually long-lived IAM access keys: they never expire on their own, they often carry broad privileges, and they sit in plaintext in ~/.aws/credentials on the user's machine. Some teams keep the keys on a bastion host instead, but that only moves the problem: the SSH private key that unlocks the bastion now sits on the same local machine.
Enter temporary access tokens.
Issuing users temporary credentials removes the need for key rotation, because the credentials expire on their own (an STS session lasts from fifteen minutes up to the role's maximum session duration, at most twelve hours), and it bounds the damage when a machine is compromised: a stolen session token is useless once it expires. They are not a substitute for least privilege, though; for their lifetime they carry every permission of the assumed role. The biggest drawback to temporary credentials is provisioning: you need a way to hand fresh ones to every user each time they start work.
I recently published AWS STS SAML, a Chrome extension, which serves as an example of token provisioning. This extension listens for SSO-based logins to the AWS console and generates access tokens based on the user's assumed role.
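The exchange the extension automates, as an added example that is not the extension's own code: parse the SAML response the identity provider posts to AWS, pick one of the roles it asserts, trade it with STS for session credentials, and write those to a named profile together with their expiry so the CLI can use them and tooling can refresh them before they lapse. It is written against boto3's real assume_role_with_saml() but takes the STS client as a parameter so it runs offline; the account ID, role ARNs, SAML response, profile key aws_session_expiration and the STS stand-in are all constructed for this example.

```python
"""Short-lived AWS credentials from a SAML assertion.

Added example for this post, not code from the AWS STS SAML extension.
Assumes the base64 SAMLResponse an IdP posts to the AWS sign-in endpoint and
an STS client offering boto3's assume_role_with_saml(); everything below that
looks like real data (account ID, ARNs, assertion, STS stand-in) is constructed.
"""
import base64
import configparser
import tempfile
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted assertions
from datetime import datetime, timedelta, timezone
from pathlib import Path

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed, unsigned SAML response; each Role value is "role_arn,saml_provider_arn".
SAMPLE_SAML_RESPONSE_B64 = base64.b64encode(b"""<samlp:Response
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/Developer,arn:aws:iam::123456789012:saml-provider/CorpIdP</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/CorpIdP,arn:aws:iam::123456789012:role/ReadOnly</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>""").decode()

def extract_roles(saml_response_b64):
    """Return [(role_arn, principal_arn)] for every asserted role. AWS accepts
    the two ARNs in either order, so normalise to role first."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    roles = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            if len(parts) != 2 or not all(p.startswith("arn:") for p in parts):
                raise ValueError(f"malformed Role value: {value.text!r}")
            if ":saml-provider/" in parts[0]:
                parts.reverse()
            roles.append(tuple(parts))
    if not roles:
        raise ValueError("SAML response carries no AWS Role attribute")
    return roles

def assume_role(sts, saml_response_b64, role_arn, principal_arn, duration=3600):
    """Exchange the assertion for temporary credentials. No long-lived key is
    involved: STS authenticates the call by verifying the IdP's signature."""
    resp = sts.assume_role_with_saml(
        RoleArn=role_arn, PrincipalArn=principal_arn,
        SAMLAssertion=saml_response_b64,
        DurationSeconds=duration)  # capped by the role's MaxSessionDuration
    return resp["Credentials"]

def write_profile(credentials, path, profile="saml"):
    """Write a named profile to a shared credentials file, mode 0600.
    aws_session_expiration is our own (constructed) key, ignored by the CLI,
    so tooling can refresh before the session lapses."""
    path = Path(path)
    cfg = configparser.RawConfigParser()
    cfg.read(path)
    cfg[profile] = {
        "aws_access_key_id": credentials["AccessKeyId"],
        "aws_secret_access_key": credentials["SecretAccessKey"],
        "aws_session_token": credentials["SessionToken"],
        "aws_session_expiration": credentials["Expiration"].isoformat(),
    }
    with path.open("w") as f:
        cfg.write(f)
    path.chmod(0o600)

def credentials_expired(path, profile="saml", skew_seconds=300, now=None):
    """True when the stored session is missing or within skew of expiring."""
    cfg = configparser.RawConfigParser()
    cfg.read(path)
    if not cfg.has_option(profile, "aws_session_expiration"):
        return True
    expires = datetime.fromisoformat(cfg.get(profile, "aws_session_expiration"))
    return (now or datetime.now(timezone.utc)) + timedelta(seconds=skew_seconds) >= expires

class ConstructedSts:
    """Offline stand-in for boto3's STS client, returning the real response
    shape (temporary access key IDs start with ASIA)."""
    def assume_role_with_saml(self, **kw):
        return {"Credentials": {
            "AccessKeyId": "ASIAEXAMPLE0000000000",
            "SecretAccessKey": "constructed-secret",
            "SessionToken": "constructed-session-token",
            "Expiration": datetime.now(timezone.utc) + timedelta(seconds=kw["DurationSeconds"])}}

def demo():
    """Full flow against the constructed assertion and STS stand-in."""
    roles = extract_roles(SAMPLE_SAML_RESPONSE_B64)
    role_arn, principal_arn = roles[0]  # a real tool prompts when several
    creds = assume_role(ConstructedSts(), SAMPLE_SAML_RESPONSE_B64, role_arn, principal_arn)
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "credentials"
        write_profile(creds, path)
        fresh = credentials_expired(path)
        at_expiry = credentials_expired(path, now=creds["Expiration"])
    return roles, creds["AccessKeyId"], fresh, at_expiry
```

Against a real account, pass `boto3.client("sts")` in place of `ConstructedSts()`; AssumeRoleWithSAML is an unsigned call, so the machine needs no AWS credentials of its own to obtain the session. The SAML response itself is the secret in this flow: it is a bearer document until its validity window closes, so capture it from the sign-in POST and do not write it to disk.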