Merge of my AssumeRole branch, and some other forks (#24)

* If defined, use IAM AssumeRole to fetch users and ssh keys from another AWS account

* Untested: Fold the ability to use IAM AssumeRole in the showcase CF template

* Import only specified IAM groups

While trying to implement this feature looking at the many forks,
I decided to mix the various implementations into something for
ourselves.

Split up the script in functions
Created some meaningfull global variables

* Change variable name so its the same as in the import_users.sh. Use read -r

* Restore ability to import all users by leaving IAM_AUTHORIZED_GROUPS empty

* Restore ability to specify an IAM group that should be added to sudo

* Add assumerole to install.sh

* Document how to setup cross account access

* Use same markdown style as the README.md

* Default to import all IAM users and update install.sh to explain how to limit the IAM groups to import

* Make the LOCAL_GROUPS optional and document in install.sh

* Handle iam users with a dash in the name

* Remove users no longer in the IAM groups we give access to the instance

* Handle the situation where a user is in more then one IAM group we want to sync

* use full path to usermod binary

* some more absolute paths to binaries that are normally not in the $PATH of cron

* And use absolute path to groupadd as well since cron could not find it

* fix typo

* Allow usernames with a dash. Thanks for spotting this one @malytic

* When checking the ssh key, make sure we transform the "save" username back to the original IAM "unsave" username. Fixes upstream issue #27

Author: mvanbaak

authorized_keys_command.sh

@@ -4,12 +4,32 @@ if [ -z "$1" ]; then
   exit 1
 fi
 
+# Assume a role before contacting AWS IAM to get users and keys.
+# This can be used if you define your users in one AWS account, while the EC2
+# instance you use this script runs in another.
+ASSUMEROLE=""
+
+if [[ ! -z "${ASSUMEROLE}" ]]
+then
+  STSCredentials=$(aws sts assume-role \
+    --role-arn "${ASSUMEROLE}" \
+    --role-session-name something \
+    --query '[Credentials.SessionToken,Credentials.AccessKeyId,Credentials.SecretAccessKey]' \
+    --output text)
+
+  AWS_ACCESS_KEY_ID=$(echo "${STSCredentials}" | awk '{print $2}')
+  AWS_SECRET_ACCESS_KEY=$(echo "${STSCredentials}" | awk '{print $3}')
+  AWS_SESSION_TOKEN=$(echo "${STSCredentials}" | awk '{print $1}')
+  AWS_SECURITY_TOKEN=$(echo "${STSCredentials}" | awk '{print $1}')
+  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SECURITY_TOKEN
+fi
+
 UnsaveUserName="$1"
 UnsaveUserName=${UnsaveUserName//".plus."/"+"}
 UnsaveUserName=${UnsaveUserName//".equal."/"="}
 UnsaveUserName=${UnsaveUserName//".comma."/","}
 UnsaveUserName=${UnsaveUserName//".at."/"@"}
 
-aws iam list-ssh-public-keys --user-name "$UnsaveUserName" --query "SSHPublicKeys[?Status == 'Active'].[SSHPublicKeyId]" --output text | while read KeyId; do
+aws iam list-ssh-public-keys --user-name "$UnsaveUserName" --query "SSHPublicKeys[?Status == 'Active'].[SSHPublicKeyId]" --output text | while read -r KeyId; do
   aws iam get-ssh-public-key --user-name "$UnsaveUserName" --ssh-public-key-id "$KeyId" --encoding SSH --query "SSHPublicKey.SSHPublicKeyBody" --output text
 done

docs/multiawsaccount.md

@@ -0,0 +1,25 @@
+# Use multiple AWS accounts
+
+If you are using multiple AWS accounts (as you should be, read the best practices)
+you probably have one account with all the IAM users, and are using seperate accounts for
+your environments.
+Support for this is provided using the AssumeRole functionality in AWS.
+
+## Setup IAM account with the IAM users
+
+ * Create a new role with type 'Role for Cross-Account Access'
+   and select the option 'Provide access between AWS accounts you own'
+ * Put the first 'ec2' account number in 'Account ID' and leave
+   'Require MFA' unchecked
+ * Skip attaching a policy (we will create our own later)
+ * Review the new role and create it
+
+Now we have to provide the correct access to this role.
+You can use the `iam_ssh_policy.json` as provided in the root of this repository
+
+
+## Setup IAM account with the ec2 instances
+
+The EC2 role you use for launching the EC2 instances should have the policy
+as listed in `iam_crossaccount_policy.json` file. Replace the account id and role name
+in that file with the account id and role you created in the steps above.

iam_crossaccount_policy.json

@@ -0,0 +1,8 @@
+{
+    "Version": "2012-10-17",
+    "Statement": {
+        "Effect": "Allow",
+        "Action": "sts:AssumeRole",
+        "Resource": "arn:aws:iam::<IAM ACCOUNT ID WITH IAM USERS>:role/<ROLE WITH IAM ACCESS>"
+    }
+}

import_users.sh

@@ -1,33 +1,167 @@
 #!/bin/bash
 
+# Which IAM groups have access to this instance
+# Comma seperated list of IAM groups. Leave empty for all available IAM users
+IAM_AUTHORIZED_GROUPS=""
+
+# Special group to mark users as being synced by our script
+LOCAL_MARKER_GROUP="iam-synced-users"
+
+# Give the users these local UNIX groups
+LOCAL_GROUPS=""
+
 # Specify an IAM group for users who should be given sudo privileges, or leave
 # empty to not change sudo access, or give it the value '##ALL##' to have all
 # users be given sudo rights.
-SudoersGroup=""
-[[ -z "${SudoersGroup}" ]] || [[ "${SudoersGroup}" == "##ALL##" ]] || Sudoers=$(
-  aws iam get-group --group-name "${SudoersGroup}" --query "Users[].[UserName]" --output text
-);
-
-aws iam list-users --query "Users[].[UserName]" --output text | while read User; do
-  SaveUserName="$User"
-  SaveUserName=${SaveUserName//"+"/".plus."}
-  SaveUserName=${SaveUserName//"="/".equal."}
-  SaveUserName=${SaveUserName//","/".comma."}
-  SaveUserName=${SaveUserName//"@"/".at."}
-  if ! grep "^$SaveUserName:" /etc/passwd > /dev/null; then
-    /usr/sbin/useradd --create-home --shell /bin/bash "$SaveUserName"
-  fi
-
-  if [[ ! -z "${SudoersGroup}" ]]; then
-    # sudo will read each file in /etc/sudoers.d, skipping file names that end
-    # in ‘~’ or contain a ‘.’ character to avoid causing problems with package
-    # manager or editor temporary/backup files.
-    SaveUserFileName=$(echo "$SaveUserName" | tr "." " ")
-    SaveUserSudoFilePath="/etc/sudoers.d/$SaveUserFileName"
-    if [[ "${SudoersGroup}" == "##ALL##" ]] || echo "$Sudoers" | grep "^$User\$" > /dev/null; then
-      echo "$SaveUserName ALL=(ALL) NOPASSWD:ALL" > "$SaveUserSudoFilePath"
+SUDOERSGROUP=""
+
+# Assume a role before contacting AWS IAM to get users and keys.
+# This can be used if you define your users in one AWS account, while the EC2
+# instance you use this script runs in another.
+ASSUMEROLE=""
+
+function setup_aws_credentials() {
+    local stscredentials
+    if [[ ! -z "${ASSUMEROLE}" ]]
+    then
+        stscredentials=$(aws sts assume-role \
+            --role-arn "${ASSUMEROLE}" \
+            --role-session-name something \
+            --query '[Credentials.SessionToken,Credentials.AccessKeyId,Credentials.SecretAccessKey]' \
+            --output text)
+
+        AWS_ACCESS_KEY_ID=$(echo "${stscredentials}" | awk '{print $2}')
+        AWS_SECRET_ACCESS_KEY=$(echo "${stscredentials}" | awk '{print $3}')
+        AWS_SESSION_TOKEN=$(echo "${stscredentials}" | awk '{print $1}')
+        AWS_SECURITY_TOKEN=$(echo "${stscredentials}" | awk '{print $1}')
+        export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SECURITY_TOKEN
+    fi
+}
+
+# Get all IAM users (optionally limited by IAM groups)
+function get_iam_users() {
+    local group
+    if [ -z "${IAM_AUTHORIZED_GROUPS}" ]
+    then
+        aws iam list-users \
+            --query "Users[].[UserName]" \
+            --output text \
+        | sed "s/\r//g"
     else
-      [[ ! -f "$SaveUserSudoFilePath" ]] || rm "$SaveUserSudoFilePath"
+        for group in $(echo ${IAM_AUTHORIZED_GROUPS} | tr "," " "); do
+            aws iam get-group \
+                --group-name "${group}" \
+                --query "Users[].[UserName]" \
+                --output text \
+            | sed "s/\r//g"
+        done
     fi
-  fi
-done
+}
+
+# Get previously synced users
+function get_local_users() {
+    /usr/bin/getent group ${LOCAL_MARKER_GROUP} \
+        | cut -d : -f4- \
+        | sed "s/,/ /g"
+}
+
+function get_sudoers_users() {
+    [[ -z "${SUDOERSGROUP}" ]] || [[ "${SUDOERSGROUP}" == "##ALL##" ]] ||
+        aws iam get-group \
+            --group-name "${SUDOERSGROUP}" \
+            --query "Users[].[UserName]" \
+            --output text
+}
+
+# Create or update a local user based on info from the IAM group
+function create_or_update_local_user() {
+    local iamusername
+    local username
+    local sudousers
+    local localusergroups
+
+    iamusername="${1}"
+    username="${2}"
+    sudousers="${3}"
+    localusergroups="${LOCAL_MARKER_GROUP}"
+
+    if [ ! -z "${LOCAL_GROUPS}" ]
+    then
+        localusergroups="${LOCAL_GROUPS},${LOCAL_MARKER_GROUP}"
+    fi
+
+    id "${username}" >/dev/null 2>&1 \
+        || /usr/sbin/useradd --create-home --shell /bin/bash "${username}" \
+        && /bin/chown -R "${username}:${username}" "/home/${username}"
+    /usr/sbin/usermod -G "${localusergroups}" "${username}"
+
+    # Should we add this user to sudo ?
+    if [[ ! -z "${SUDOERSGROUP}" ]]
+    then
+        SaveUserFileName=$(echo "${username}" | tr "." " ")
+        SaveUserSudoFilePath="/etc/sudoers.d/$SaveUserFileName"
+        if [[ "${SUDOERSGROUP}" == "##ALL##" ]] || echo "${sudousers}" | grep "^${iamusername}\$" > /dev/null
+        then
+            echo "${SaveUserName} ALL=(ALL) NOPASSWD:ALL" > "${SaveUserSudoFilePath}"
+        else
+            [[ ! -f "${SaveUserSudoFilePath}" ]] || rm "${SaveUserSudoFilePath}"
+        fi
+    fi
+}
+
+function delete_local_user() {
+    /usr/sbin/usermod -L -s /sbin/nologin "${1}"
+    /usr/bin/pkill -KILL -u "${1}"
+    /usr/sbin/userdel -r "${1}"
+}
+
+function clean_iam_username() {
+    local clean_username="${1}"
+    clean_username=${clean_username//"+"/".plus."}
+    clean_username=${clean_username//"="/".equal."}
+    clean_username=${clean_username//","/".comma."}
+    clean_username=${clean_username//"@"/".at."}
+    echo "${clean_username}"
+}
+
+function sync_accounts() {
+    if [ -z "${LOCAL_MARKER_GROUP}" ]
+    then
+        echo "Please specify a local group to mark imported users. eg iam-synced-users"
+        exit 1
+    fi
+
+    # Check if local marker group exists, if not, create it
+    /usr/bin/getent group "${LOCAL_MARKER_GROUP}" >/dev/null 2>&1 || /usr/sbin/groupadd "${LOCAL_MARKER_GROUP}"
+
+    # setup the aws credentials if needed
+    setup_aws_credentials
+
+    # declare and set some variables
+    local iam_users
+    local sudo_users
+    local local_users
+    local intersection
+    local removed_users
+    local user
+
+    iam_users=$(get_iam_users | sort | uniq)
+    sudo_users=$(get_sudoers_users | sort | uniq)
+    local_users=$(get_local_users | sort | uniq)
+
+    intersection=$(echo ${local_users} ${iam_users} | tr " " "\n" | sort | uniq -D | uniq)
+    removed_users=$(echo ${local_users} ${intersection} | tr " " "\n" | sort | uniq -u)
+
+    # Add or update the users found in IAM
+    for user in ${iam_users}; do
+        SaveUserName=$(clean_iam_username "${user}")
+        create_or_update_local_user "${user}" "${SaveUserName}" "$sudo_users"
+    done
+
+    # Remove users no longer in the IAM group(s)
+    for user in ${removed_users}; do
+        delete_local_user "${user}"
+    done
+}
+
+sync_accounts

install.sh

@@ -1,23 +1,40 @@
 #!/bin/bash
 
-tmpdir=`mktemp -d`
+tmpdir=$(mktemp -d)
 
-cd $tmpdir
+cd "${tmpdir}" || exit 1
 
 # yum install -y git # if necessary
 # or download a tarball and decompress it instead
 git clone https://github.com/widdix/aws-ec2-ssh.git
 
-cd $tmpdir/aws-ec2-ssh
+cd "${tmpdir}/aws-ec2-ssh" || exit 1
 
 cp authorized_keys_command.sh /opt/authorized_keys_command.sh
 cp import_users.sh /opt/import_users.sh
 
+# To control which users are imported/synced, uncomment the line below
+# changing GROUPNAMES to a comma seperated list of IAM groups you want to sync.
+# You can specify 1 or more groups, comma seperated, without spaces.
+# If you leave it blank, all IAM users will be synced.
+#sudo sed -i 's/IAM_AUTHORIZED_GROUPS=""/IAM_AUTHORIZED_GROUPS="GROUPNAMES"/' /opt/import_users.sh
+
 # To control which users are given sudo privileges, uncomment the line below
 # changing GROUPNAME to either the name of the IAM group for sudo users, or
 # to ##ALL## to give all users sudo access. If you leave it blank, no users will
 # be given sudo access.
-#sudo sed -i 's/SudoersGroup=""/SudoersGroup="GROUPNAME"/' /opt/import_users.sh
+#sudo sed -i 's/SUDOERSGROUP=""/SUDOERSGROUP="GROUPNAME"/' /opt/import_users.sh
+
+# To control which local groups a user will get, uncomment the line belong
+# changing GROUPNAMES to a comma seperated list of local UNIX groups.
+# If you live it blank, this setting will be ignored
+#sudo sed -i 's/LOCAL_GROUPS=""/LOCAL_GROUPS="GROUPNAMES"/' /opt/import_users.sh
+
+# If your IAM users are in another AWS account, put the AssumeRole ARN here.
+# replace the word ASSUMEROLEARN with the full arn. eg 'arn:aws:iam::$accountid:role/$role'
+# See docs/multiawsaccount.md on how to make this work
+#sudo sed -i 's/ASSUMEROLE=""/ASSUMEROLE="ASSUMEROLEARN"/' /opt/import_users.sh
+#sudo sed -i 's/ASSUMEROLE=""/ASSUMEROLE="ASSUMEROLEARN"/' /opt/authorized_keys_command.sh
 
 sed -i 's:#AuthorizedKeysCommand none:AuthorizedKeysCommand /opt/authorized_keys_command.sh:g' /etc/ssh/sshd_config
 sed -i 's:#AuthorizedKeysCommandUser nobody:AuthorizedKeysCommandUser nobody:g' /etc/ssh/sshd_config