How to implement ConsoleMe

2022.04.12

Korean version

Hello, my name is Paige, a frontend developer working at the Pinkfong Company. I would like to share some information after implementing ConsoleMe.

As our services and development team grow, our company needs a system that manages each developer's access and roles. Currently, our development team has excessive access to our Amazon Web Services (AWS) accounts.

ConsoleMe is a web service that makes AWS IAM permissions and credential management easier for end-users and cloud administrators. We decided to proceed with using ConsoleMe as the solution.

With ConsoleMe you can achieve the following:

  • Consolidate the management of multiple accounts into a single web interface.
  • Allow end-users and administrators to get credentials and console access to your onboarded accounts based on their authorization level.
  • Provide mechanisms for end-users and administrators to request and manage permissions for IAM roles, S3 buckets, SQS queues, SNS topics, and more.
  • Surface a powerful self-service wizard that lets users express their high-level intent and request the permissions that are right for them.

ConsoleMe can be set up in two different ways: Docker or local.

Today, I will walk you through the local setup of ConsoleMe. Before that, you will need the following:

  • A machine running Ubuntu 19.04+ with root access.
  • Active and working package manager subscription to install packages
  • Storage requirement: 2GB of disk space
  • An AWS user/role for ConsoleMe service with appropriate permissions

You can start with an IAM user and switch to an IAM role at the end. Per Curtis, an IAM role is the best way to run ConsoleMe.

1. Install all the dependencies and related software/tools

2. Clone the ConsoleMe repo.

We used the /home/service/consoleme directory to install ConsoleMe. If you prefer a different location, make the necessary changes in the commands below.

vi /home/service/consoleme

3. Start Redis and DynamoDB containers

  • You will see that the containers are up and running

cd /home/service/consoleme

4. Configure AWS

  • For the initial setup, ConsoleMe recommends creating an IAM user and deleting it afterwards once it is no longer needed. Use the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY that were issued when you created that initial IAM user.

cd /home/service/consoleme

5. Make a virtual environment and run the installation script

6. Run ConsoleMe in the background (optional)

File /usr/bin/consoleme_start.sh

File /etc/systemd/system/consoleme.service

Assign executable permissions to

Enable and start the service

cd /home/service/consoleme

7. Run Celery (optional)

  • In order to listen for changes to the Dynamic Configuration, Celery must be running. If you use Docker, Celery is already running because of the container's command. If you use a local setup, run the following command from your ConsoleMe directory.

cd /home/service/consoleme

If you want Celery to run in the background, you can add this to /usr/bin/consoleme_start.sh.

Now, you will be able to see the ConsoleMe web UI!

8. Set up the ConsoleMe configuration. You can start from the example config file that matches how you would like to set things up.

ConsoleMe will attempt to load a configuration in the following order:

1. CONFIG_LOCATION environment variable

2. consoleme.yaml in the current working directory

3. ~/.config/consoleme/config.yaml

4. /etc/consoleme/config/config.yaml

  • We used this location to set up our configuration

5. example_config/example_config_development.yaml
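The lookup order above, written out as an added example (this is not ConsoleMe's own loader): a resolver that returns the first config file found, a demo that builds a constructed directory tree and removes candidates one by one to show which file wins, and a permission check on the chosen file, since it holds Slack/Sentry tokens and service-account keys. The etc_root parameter is hypothetical and only exists so the /etc path can be redirected in a test.

```python
import tempfile
from pathlib import Path
from typing import Mapping, Optional

def resolve_config_path(environ: Mapping[str, str], cwd, home, etc_root="/") -> Optional[Path]:
    """First config file found, in the order the post lists. etc_root is a hypothetical
    parameter so the /etc path can be redirected in a test; on a real host leave it at "/"."""
    cwd, home, etc_root = Path(cwd), Path(home), Path(etc_root)
    if environ.get("CONFIG_LOCATION"):
        return Path(environ["CONFIG_LOCATION"])  # explicit path wins, even over a local consoleme.yaml
    candidates = [
        cwd / "consoleme.yaml",
        home / ".config" / "consoleme" / "config.yaml",
        etc_root / "etc" / "consoleme" / "config" / "config.yaml",
        cwd / "example_config" / "example_config_development.yaml",
    ]
    return next((p for p in candidates if p.is_file()), None)

def permission_problems(mode: int) -> list:
    """Given the st_mode of the chosen file (it may hold Slack/Sentry tokens and
    service-account keys), report any group or world access."""
    problems = []
    if mode & 0o070:
        problems.append("accessible by group")
    if mode & 0o007:
        problems.append("accessible by others")
    return problems

def demo() -> list:
    """Constructed layout: all four candidates exist under a temp root, then they
    are removed one at a time to show which file wins at each step."""
    root = Path(tempfile.mkdtemp())
    cwd, home = root / "work", root / "home"
    files = [cwd / "consoleme.yaml",
             home / ".config" / "consoleme" / "config.yaml",
             root / "etc" / "consoleme" / "config" / "config.yaml",
             cwd / "example_config" / "example_config_development.yaml"]
    for f in files:
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text("# constructed placeholder config\n")
    winners = []
    for f in files:
        chosen = resolve_config_path({}, cwd, home, etc_root=root)
        winners.append(chosen.relative_to(root).as_posix())
        f.unlink()
    return winners
```

On a real host, call permission_problems(Path("/etc/consoleme/config/config.yaml").stat().st_mode) and expect an empty list.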

Tips for static configuration

Slack

  • You can add Slack to your static configuration to get notifications when policy requests are created.
  • You can click the title to go to the specific request URL in order to approve it or check what has been requested.
  • After deployment, change this URL in the static configuration to your production environment.
  • Also, if you set up sending email through SES, emails will now include the correct policy request/approval link.

Sentry

  • You can also add Sentry to get notifications for issues.

Redis/S3

  • Redis is used to cache data, but you can also use S3 bucket as a backup. After creating an S3 bucket, please add the following on your static configuration and add an inline policy on your central account under consoleme_s3_bucket configuration key.

Group Mapping

  • In order to do group mapping, you can use the following authorized_group_tags on your static configuration.
  • consoleme-authorized-groups-for-credentials should be attached as a tag to the role in the spoke account. You can use either a group or a user as its value.
  • consoleme-authorized-groups-for-credentials is the default key name, but you can customize or change it to your preference.
  • After the tag is attached to a role, it may not be picked up immediately. If you set up EventBridge, it will take 2–3 minutes.

Dynamic Configuration

  • You can use Dynamic Configuration to set the group mapping instead of role tag, but role tag should be used as the priority.
  • Put an admin email under the can_edit_config key in order to have access to your ConsoleMe web UI.

9. ALB Auth (Recommended)

  • We used Google for login and retrieved Google groups as well.
  • For Google OAuth, please add the following on your Authorized redirect URIs.
  • After login is successful, you can try to retrieve Google Groups by following the documentation. You also need to update your static configuration file as below.
  • I added the service account keys in a new file named googleServiceAccountKeys.yaml and extended it in my header_auth.yaml. You also need to update your auth and get_user_by_aws_alb_auth_settings to retrieve groups from Google.
  • You can decode the consoleme_auth cookie (a JWT) at jwt.io to validate your group information as seen by ConsoleMe.
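The same inspection done locally, as an added example that is not part of ConsoleMe or of the original post: make_sample_cookie builds a constructed HS256 token with email and groups claims (the algorithm, claim names and PLACEHOLDER_KEY are assumptions for this example; ConsoleMe's real cookie key lives in its configuration), inspect_cookie decodes it the way jwt.io does, without checking the signature, and verify_cookie shows what a real validation adds.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict

# Placeholder signing key for the constructed sample; ConsoleMe's real cookie key lives in its config.
PLACEHOLDER_KEY = b"placeholder-cookie-signing-key"

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def make_sample_cookie(email: str, groups: list, key: bytes = PLACEHOLDER_KEY) -> str:
    """Constructed HS256 token with the claims this post cares about (email, groups);
    the algorithm and claim names are assumptions made for this example."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"email": email, "groups": groups}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def inspect_cookie(token: str) -> Dict[str, Any]:
    """Decode header and payload only, as jwt.io does: no signature check, so this
    shows what was put in the cookie, not whether the cookie is trustworthy."""
    header_b64, payload_b64, _ = token.split(".")
    return {"header": json.loads(_b64url_decode(header_b64)),
            "payload": json.loads(_b64url_decode(payload_b64))}

def verify_cookie(token: str, key: bytes) -> bool:
    """Recompute the HS256 signature and compare in constant time; only meaningful
    with the server's real key."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))

def groups_seen_by_consoleme(token: str) -> list:
    """The group list to compare against your consoleme-authorized-groups-for-credentials tags."""
    return list(inspect_cookie(token)["payload"].get("groups", []))
```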

Create a role

  • You can create a role from scratch.

Create a role using an existing role

  • You can choose what to clone from an existing role.
  • After you submit the request, you can check it on the All Policy Requests tab.

Sign-In AWS

  • Now you can sign in to AWS using a role with the access that you requested and that was approved.

How to convert an initial IAM user to an IAM role for Central Account

1. After you create your ConsoleMe Central role, you'll need to attach it to your EC2 instances as an Instance Profile.
  • The EC2 instance will serve the role's credentials via the instance metadata service. When ConsoleMe runs, the AWS SDK (Boto3) looks for credentials in the following order.
  • If it finds credentials in environment variables, it tries those first. Therefore, the AWS environment variables (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY) that we set up earlier should be deleted.
  • If it doesn't find those environment variables, it eventually reaches the instance profile credentials, which essentially means it will try to curl 169.254.169.254 (the instance metadata service) for credentials.

2. If you deployed on EC2 like us, you should also enforce IMDSv2 on the instance.
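A small audit for the two points above, added here as an example and not taken from ConsoleMe: it reports static credentials still present in the environment (which Boto3 would pick before the instance profile) and checks the instance's MetadataOptions for IMDSv2 enforcement. The INSTANCE_ID variable in the live section is a hypothetical name the operator supplies; the ec2:DescribeInstances call assumes boto3 is installed and the role is allowed to make it.

```python
import os
from typing import Dict, List, Mapping

# Static keys left over from the initial IAM user. If any of these are set, boto3 uses them
# before it ever reaches the instance profile, so the role attached to the instance is ignored.
STATIC_CREDENTIAL_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")

def leftover_static_credentials(environ: Mapping[str, str]) -> List[str]:
    """Names of static-credential variables still present in the environment."""
    return [name for name in STATIC_CREDENTIAL_VARS if environ.get(name)]

def imdsv2_problems(metadata_options: Mapping[str, object]) -> List[str]:
    """Check an EC2 MetadataOptions structure as returned by describe-instances.
    HttpTokens must be 'required' for IMDSv2-only; HttpEndpoint must stay enabled or the
    instance profile is unreachable and ConsoleMe has no credentials at all."""
    problems = []
    if metadata_options.get("HttpTokens") != "required":
        problems.append("HttpTokens is not 'required': IMDSv1 (no session token) still answers")
    if metadata_options.get("HttpEndpoint") != "enabled":
        problems.append("HttpEndpoint is disabled: the instance profile cannot serve credentials")
    if int(metadata_options.get("HttpPutResponseHopLimit", 1)) > 1:
        problems.append("HttpPutResponseHopLimit > 1: token responses can cross a network hop; "
                        "1 is enough when ConsoleMe runs directly on the host")
    return problems

def audit(environ: Mapping[str, str], metadata_options: Mapping[str, object]) -> Dict[str, List[str]]:
    """Combined report; both lists should be empty once the IAM user has been retired."""
    return {"static_credentials": leftover_static_credentials(environ),
            "imds": imdsv2_problems(metadata_options)}

if __name__ == "__main__":
    # Live check against the instance ConsoleMe runs on (boto3 is only needed here).
    import boto3  # assumption: boto3 installed and the role may call ec2:DescribeInstances
    instance_id = os.environ["INSTANCE_ID"]  # hypothetical variable supplied by the operator
    desc = boto3.client("ec2").describe_instances(InstanceIds=[instance_id])
    opts = desc["Reservations"][0]["Instances"][0]["MetadataOptions"]
    print(audit(os.environ, opts))
```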

And a special mention to Mr. Curtis Castrapel, the author of ConsoleMe, a former Netflix Senior Cloud Security Software Engineer who has now started his own startup solving cloud security problems. While we were having trouble setting up ConsoleMe locally on an EC2 instance and finding out the best practices for using ConsoleMe, we came across the official ConsoleMe Discord channel. I ended up asking a question there. Curtis promptly provided a solution for us and also gave his time to talk with me about our various questions about ConsoleMe.
