How to implement ConsoleMe
Hello, my name is Paige, a frontend developer working at the Pinkfong Company. I would like to share some information after implementing ConsoleMe.
As the scale of our services and our development team grows, our company needs a program that manages the access and roles of each developer. Currently, our development team has excessive access to Amazon Web Services (AWS).
ConsoleMe is a web service that makes AWS IAM permissions and credential management easier for end-users and cloud administrators. We decided to proceed with using ConsoleMe as the solution.
Using ConsoleMe, you can achieve the following:
- consolidating the management of multiple accounts into a single web interface.
- allowing end-users and administrators to get credentials and console access to your onboarded accounts based on their authorization level.
- providing mechanisms for end-users and administrators to request and manage permissions for IAM roles, S3 buckets, SQS queues, SNS topics, and more.
- surfacing a powerful self-service wizard which empowers users to express their high-level intent and request the permissions that are right for them.
ConsoleMe can be set up in two different ways: with Docker, or locally.
Today, I will walk you through the local setup of ConsoleMe. But before that, you will need the following:
- A machine running Ubuntu 19.04+ with root access.
- Active and working package manager subscription to install packages
- Storage requirement: 2GB of disk space
- An AWS user/role for ConsoleMe service with appropriate permissions
First, you can start with an IAM user and switch to an IAM role at the end. An IAM role is the best way to run ConsoleMe, per Curtis.
1. Install all the dependencies and related software/tools.
2. Clone the ConsoleMe repo.
- We install ConsoleMe into the /home/service/consoleme directory. If you prefer a different location, please make the necessary changes in the commands below.
3. Start Redis and DynamoDB containers
- You will see that the containers are up and running
4. Configure AWS
- For the initial setup, ConsoleMe recommends making an IAM user and then deleting it afterwards when you no longer need it. Use the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY that were issued when you made the initial IAM user.
5. Make a virtual environment and run the installation script
6. Run ConsoleMe in the background (optional)
Assign executable permissions to
Enable and start the service
7. Run Celery (optional)
- In order to listen to any changes on the Dynamic Configuration, Celery should be running. If you use Docker, Celery will already be running because of its command. However, if you run locally, you should run the following command in your ConsoleMe directory.
If you want Celery to run in the background, you can add this to File
Now, you will be able to see the ConsoleMe web UI!
8. Set up the ConsoleMe configuration. You can use a specific example config file depending on how you would like to set it up.
ConsoleMe will attempt to load a configuration in the following order:
CONFIG_LOCATION environment variable
consoleme.yaml in the current working directory
- We used this location to set up our configuration.
Tips for static configuration
- You can add Slack to your static configuration to get notifications when policy requests are created.
- You can click the title to go to the specific request URL in order to approve or check what has been requested.
- After deployment, please change this URL in the static configuration to your production environment.
- Also, if you set up sending email through SES, emails will now include the correct policy request/approval link.
- You can also add Sentry to get notifications for issues.
- Redis is used to cache data, but you can also use an S3 bucket as a backup. After creating an S3 bucket, please add the following to your static configuration and add an inline policy on your central account under
- In order to do group mapping, you can use the following authorized_group_tags in your static configuration. The tag key consoleme-authorized-groups-for-credentials should be attached as a role tag in the spoke account; its value can be either a group or a user. consoleme-authorized-groups-for-credentials is the default key name, but you can customize or change it to your preference.
- After the tag is attached to a role, there is a chance that it does not get picked up immediately. You can set up EventBridge; it will then take 2–3 minutes.
- You can use Dynamic Configuration to set the group mapping instead of the role tag, but the role tag should be used as the priority.
- You should put an admin email under the can_edit_config key in order to have access to your ConsoleMe web UI.
- We used Google for login and retrieved Google groups as well.
- For Google OAuth, please add the following to your Authorized redirect URIs.
- After login is successful, you can try to retrieve Google Groups by following the documentation. You also need to update your static configuration file as below.
- I added the service account keys in a new file named googleServiceAccountKeys.yaml and extended it in my header_auth.yaml. Also, you need to update your get_user_by_aws_alb_auth_settings to retrieve groups from Google.
- You can check the consoleme_auth cookie at jwt.io to decode the JWT and validate your group information as seen by ConsoleMe.
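As an added example (not ConsoleMe's own code), here is a small model of the role-tag group mapping from the tips above: a user gets credentials for a role when their username or one of their groups appears in the consoleme-authorized-groups-for-credentials tag, and the Dynamic Configuration mapping is consulted only when the role carries no such tag. The ":" delimiter, case-insensitive matching and that tag-before-dynamic-config precedence are assumptions of this model, and the sample tags are constructed.

```python
from typing import Iterable, Mapping, Optional, Set

# Default tag key named in the post; authorized_group_tags lets you rename it.
DEFAULT_TAG_KEYS = ("consoleme-authorized-groups-for-credentials",)


def principals_from_tags(role_tags: Mapping[str, str],
                         tag_keys: Iterable[str] = DEFAULT_TAG_KEYS,
                         delimiter: str = ":") -> Set[str]:
    """Collect every group or user named in the configured authorization tags.
    Assumption: values are delimiter-separated (IAM tag values cannot contain commas)."""
    found: Set[str] = set()
    for key in tag_keys:
        value = role_tags.get(key, "")
        found.update(p.strip().lower() for p in value.split(delimiter) if p.strip())
    return found


def authorized_for_role(user: str, user_groups: Iterable[str],
                        role_tags: Mapping[str, str],
                        dynamic_config_groups: Optional[Iterable[str]] = None,
                        tag_keys: Iterable[str] = DEFAULT_TAG_KEYS) -> bool:
    """Decide whether `user` may obtain credentials for the role.
    Assumption (modelling "the role tag should be used as the priority"): when the
    role carries an authorization tag it alone decides; the Dynamic Configuration
    mapping is used only for untagged roles."""
    allowed = principals_from_tags(role_tags, tag_keys)
    if not allowed:
        allowed = {g.strip().lower() for g in (dynamic_config_groups or [])}
    mine = {user.lower()} | {g.lower() for g in user_groups}
    return bool(allowed & mine)


# Constructed sample role tags: two groups plus one individual user.
SAMPLE_TAGS = {
    "consoleme-authorized-groups-for-credentials": "frontend-devs:sre-team:paige@example.com",
    "Name": "app-deploy-role",
}
```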
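The jwt.io check above only decodes the consoleme_auth cookie. The following added example (not ConsoleMe's code) does the same decode locally and then verifies an HS256 signature, so the groups claim is trusted only once the signature holds; the secret, the token and the claim names are constructed assumptions, since ConsoleMe's real signing key and claim layout are not shown in this post.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict, List, Optional


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_unverified(token: str) -> Dict[str, Any]:
    """What jwt.io shows: the payload, with no proof of who signed it."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_hs256(token: str, secret: bytes) -> Optional[Dict[str, Any]]:
    """Return the claims only if the HS256 signature is valid, otherwise None."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuse "none" and any algorithm switch
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))


def groups_seen_by_consoleme(claims: Dict[str, Any]) -> List[str]:
    """Assumed claim name: 'groups' (constructed for this example)."""
    return sorted(claims.get("groups", []))


def make_token(claims: Dict[str, Any], secret: bytes) -> str:
    """Constructed test-only signer standing in for ConsoleMe's issuer."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


SAMPLE_SECRET = b"constructed-dev-secret"  # constructed; not a real key
SAMPLE_TOKEN = make_token({"email": "paige@example.com",
                           "groups": ["frontend-devs", "sre-team"]}, SAMPLE_SECRET)
```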
Create a role
- You can create a role from scratch.
Create a role using an existing role
- You can choose what to clone from an existing role.
- After you have submitted a request, you can check your requests in the All Policy Requests tab.
- Now you can sign in to AWS using a role with the access that you requested and got approved.
How to convert an initial IAM user to an IAM role for Central Account
- After you create your ConsoleMe Central role, you’ll need to attach it to your EC2 instances as an Instance Profile.
Reference: AWS article "Attach or replace an EC2 instance profile".
- The EC2 instance will serve the role's credentials via the instance metadata service. When ConsoleMe runs, the AWS SDK (Boto3) will look for credentials in the following order.
Reference: AWS SDK documentation, "Working with AWS Credentials".
- If it finds credentials in environment variables, it will try to use those first. Therefore, the AWS environment variables (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY) that we set up earlier should be deleted.
- If it doesn't find those environment variables, it will eventually reach instance profile credentials, which essentially means it will try to curl 169.254.169.254 (the instance metadata service) for credentials.
2. If you deployed on EC2 like us, you should also enable IMDSv2 on the instance.
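As an added example (not Boto3's or ConsoleMe's code), this is the IMDSv2 exchange that the last step of the credential chain performs on the instance: a PUT for a session token, then token-authenticated GETs for the role name and its temporary credentials. The HTTP transport is injected so it runs offline against a constructed fake metadata service; that fake answers 401 to token-less requests, which is what you get once IMDSv2 is required on the instance.

```python
import json
from typing import Callable, Dict, Optional, Tuple

IMDS = "http://169.254.169.254"
# (method, url, headers) -> (status, body); injected so the flow is testable offline.
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


def fetch_role_credentials(http: Transport, ttl_seconds: int = 21600) -> Optional[Dict[str, str]]:
    # Step 1: obtain a session token with a PUT; IMDSv1-style GETs without it are refused.
    status, token = http("PUT", f"{IMDS}/latest/api/token",
                         {"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)})
    if status != 200:
        return None
    auth = {"X-aws-ec2-metadata-token": token}
    # Step 2: discover the instance-profile role name.
    status, role = http("GET", f"{IMDS}/latest/meta-data/iam/security-credentials/", auth)
    if status != 200 or not role.strip():
        return None
    # Step 3: retrieve the temporary credentials served for that role.
    status, body = http("GET", f"{IMDS}/latest/meta-data/iam/security-credentials/{role.strip()}", auth)
    if status != 200:
        return None
    creds = json.loads(body)
    return {k: creds[k] for k in ("AccessKeyId", "SecretAccessKey", "Token", "Expiration")}


def fake_imds(require_v2: bool = True) -> Transport:
    """Constructed stand-in for the metadata service; all values are sample data."""
    def http(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        if method == "PUT" and url.endswith("/latest/api/token"):
            return 200, "constructed-session-token"
        if require_v2 and headers.get("X-aws-ec2-metadata-token") != "constructed-session-token":
            return 401, "Unauthorized"
        if url.endswith("/security-credentials/"):
            return 200, "consoleme-central-role\n"
        if url.endswith("/security-credentials/consoleme-central-role"):
            return 200, json.dumps({"Code": "Success", "AccessKeyId": "ASIAEXAMPLE",
                                    "SecretAccessKey": "constructed", "Token": "constructed",
                                    "Expiration": "2030-01-01T00:00:00Z"})
        return 404, "Not Found"
    return http
```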
Reference: "Netflix's ConsoleMe local installation on Linux machine" (Kernel Talks).
And a special mention to Mr. Curtis Castrapel, the author of ConsoleMe, a former Netflix Senior Cloud Security Software Engineer who has now started his own startup solving cloud security problems. While we were having trouble setting up ConsoleMe locally on an EC2 instance and finding out the best practices for using ConsoleMe, we came across the official ConsoleMe Discord channel. I ended up asking a question on the Discord channel. Curtis promptly provided a solution for us and also gave his time to talk to me about our various questions about ConsoleMe.