Lately, I've been interested in how third party vendors can best authenticate into their customers' cloud accounts. The status quo in AWS is usually role assumption from the vendor's account to the customers', but what about GCP and Azure? Can OIDC be used to authenticate into all three clouds in approximately the same way? I think the answer is yes, and this blog post aims to show how to do so. | Aidan Steele's blog (usually about AWS)
Here's my seventh or eighth attempt at a blog. It's mostly going to be my experimentation with using AWS (Amazon Web Services, not Aidan William Steele).| awsteele.com
Back in November last year, I wished for the ability to filter CloudTrail data events by the requesting principal’s ARN. Two days later, my wish was almost granted: CloudTrail launched the ability to filter on userIdentity.arn for CloudTrail lakes but not trails. And now it seems my wish has almost completely come true: the functionality has rolled out to trails as well.
GitHub Actions has supported using OIDC tokens for about 15 months now. It is a much better way of providing AWS credentials to workflows than creating IAM users and storing long-lived access keys in GitHub Actions secrets.
There are several ways that CloudFront can be configured with an S3 origin. There are functionality differences between them, but the focus in this blog post is how activity is represented in CloudTrail, specifically the differences in S3 data-level events for each CloudFront option. Those options in CloudFront are (in decreasing order of desirability):
AWS re:Invent 2024 is fast approaching and there’s usually a flurry of exciting new services and features for existing services launched around this time each year. I’ll be there in person this year - come say hello if you are too!
Credentials for AWS IAM role sessions are short-lived. By default, they last for one hour. When calling AssumeRole you can request a different duration by passing a value between 900 (15 minutes) and 43200 (12 hours) in the DurationSeconds parameter. Note that this API call will fail if you request a session duration longer than is configured on the role itself (in the “max session duration” property). These credentials can be used by the AWS CLI and AWS SDKs.
Imagine you have a scenario represented in the following diagram:
tl;dr
AWS CloudShell got a new capability in January 2024: running Docker containers. This piqued my curiosity because Docker-in-Docker usually implies privileged containers, and I have previously used that to escape CodeBuild onto the parent EC2 instance. I wanted to know if the same could be done in CloudShell - and how its AWS credential system worked (the environment inherits the user’s credentials, unlike CodeBuild). The short answer is “it can be done”, and this post goes into a) how to...
This article has been in my drafts for 380 days. It’s probably time I published it, before I forget even more details about how it works. ~A few~ 380+ days ago, I published ima.ge.cx. It’s a web frontend for browsing the contents of Docker images. It’s like a less powerful version of dive that doesn’t require you to pull images locally. It’s also worth noting that there’s a much more feature-rich (and likely less buggy) site that does a similar thing: Registry Explorer.
The short version: AWS IAM Identity Center exchanges third-party OIDC tokens for Identity Center-issued tokens. Identity Center relies on the jti claim in the third-party tokens to prevent replay attacks. Identity Center maintained a cache of previously-seen jti values for a fixed period (24 hours) and didn’t enforce that the third-party tokens had expiry claims. This meant that a token with a jti claim and without an exp claim could be replayed after >24 hours had passed. AWS now enforces ...
A few years ago, I wrote about determining AWS account IDs from AWS access keys, i.e. those strings that begin with AKIA or ASIA. It’s also possible to determine information from other AWS IAM unique IDs, specifically these two from the table in Amazon’s docs.
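Both the GitHub Actions OIDC summary above and this Identity Center one come down to the same relying-party checks on a third-party token: issuer, audience, a subject pattern (the job an IAM trust policy's StringLike condition does), a mandatory exp, and a jti that cannot be reused. The following is an added example, not code from any of the posts or from AWS; the issuer, audience, allowed subject pattern and token payloads are constructed for illustration, and signature verification against the issuer's JWKS is assumed to have already happened before these claim checks run. The `require_exp=False` path reproduces the flaw the post describes (fixed 24-hour jti cache, no exp enforcement) so the replay window can be seen directly.

```python
import fnmatch

# Assumed values for this example (not taken from the original posts).
ISSUER = "https://token.actions.githubusercontent.com"
AUDIENCE = "sts.amazonaws.com"
# Trust-policy-style subject patterns; '*' matches any run of characters,
# like StringLike in an IAM condition.
ALLOWED_SUBJECTS = ["repo:example-org/example-repo:ref:refs/heads/main"]
REPLAY_WINDOW = 24 * 3600  # fixed jti retention, as the post describes


class ReplayCache:
    """Remembers jti values until a per-entry deadline."""

    def __init__(self):
        self._seen = {}  # jti -> timestamp after which the entry may be dropped

    def check_and_record(self, jti, now, keep_until):
        # Evict stale entries first, so a forgotten jti can be presented again.
        for key in [k for k, t in self._seen.items() if t <= now]:
            del self._seen[key]
        if jti in self._seen:
            return True  # replay
        self._seen[jti] = keep_until
        return False


def validate_claims(claims, cache, now, require_exp=True, skew=60):
    """Return (accepted, reason) for an already-signature-verified JWT payload.

    `now` is a Unix timestamp passed in explicitly so the behaviour over time
    can be reasoned about (and tested) without a real clock.
    """
    if claims.get("iss") != ISSUER:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if AUDIENCE not in auds:
        return False, "audience mismatch"
    sub = claims.get("sub", "")
    if not any(fnmatch.fnmatchcase(sub, pat) for pat in ALLOWED_SUBJECTS):
        return False, "subject not allowed"
    exp = claims.get("exp")
    if exp is None:
        if require_exp:
            return False, "exp claim missing"
    elif now > exp + skew:
        return False, "token expired"
    jti = claims.get("jti")
    if not jti:
        return False, "jti claim missing"
    # With exp enforced, a jti only needs remembering until the token itself is
    # dead. Without exp the cache falls back to a fixed window, which is exactly
    # what lets a never-expiring token come back once the window has passed.
    keep_until = exp + skew if exp is not None else now + REPLAY_WINDOW
    if cache.check_and_record(jti, now, keep_until):
        return False, "jti already used (replay)"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000
    # Constructed payload with no exp claim, presented three times to a
    # lenient validator: accepted, rejected as a replay, accepted again >24h later.
    no_exp = {"iss": ISSUER, "aud": AUDIENCE, "jti": "jti-2",
              "sub": "repo:example-org/example-repo:ref:refs/heads/main"}
    lenient = ReplayCache()
    for offset in (0, 3600, 25 * 3600):
        print(offset, validate_claims(no_exp, lenient, t0 + offset, require_exp=False))
```

The clock-skew allowance is applied to `exp` only; a production validator would also check `nbf`/`iat` and reject tokens whose `exp` is implausibly far in the future, since a very long-lived token is the next-best thing to one with no `exp` at all.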
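The post above does not reproduce the decoding itself, so here is an added example of the access-key-to-account-ID step as it has been published elsewhere, not the post's own code: the 16 characters after the AKIA/ASIA prefix are base32, and the first six decoded bytes carry the account ID shifted left by seven bits. The inverse function is included only so a syntactically valid key can be constructed for the round trip; no real access key is used, and the low bits and trailing bytes of a constructed key carry no meaning.

```python
import base64

# Mask from the published decoding: drops the top bit of the 48-bit value and
# the low 7 bits that are not part of the account ID (assumption noted in the
# lead-in; the post itself does not show this step).
_ACCOUNT_MASK = 0x7FFFFFFFFF80


def account_id_from_access_key(access_key_id):
    """Return the 12-digit AWS account ID embedded in an AKIA/ASIA key ID."""
    if len(access_key_id) != 20 or access_key_id[:4] not in ("AKIA", "ASIA"):
        raise ValueError("expected a 20-character AKIA/ASIA access key ID")
    raw = base64.b32decode(access_key_id[4:])  # 16 base32 chars -> 10 bytes
    value = int.from_bytes(raw[:6], "big") & _ACCOUNT_MASK
    return f"{value >> 7:012d}"


def access_key_for_account(account_id, prefix="AKIA", tail=b"\x00\x00\x00\x00"):
    """Inverse of the above, for demonstration only: build a key ID whose first
    six decoded bytes embed `account_id`. `tail` fills the remaining four bytes."""
    if prefix not in ("AKIA", "ASIA") or len(tail) != 4:
        raise ValueError("prefix must be AKIA/ASIA and tail must be 4 bytes")
    head = (int(account_id) << 7).to_bytes(6, "big")  # < 2^47, fits in 6 bytes
    return prefix + base64.b32encode(head + tail).decode()


if __name__ == "__main__":
    # Constructed key, not a real credential.
    key = access_key_for_account("123456789012", prefix="ASIA")
    print(key, "->", account_id_from_access_key(key))
```

The 12-digit zero-padded formatting matters: account IDs can start with zeros, and an integer comparison elsewhere in a tool can silently drop them.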