aws

package

v0.0.0-...-d7c0cb0 Latest Latest Go to latest Published: Jul 22, 2019 License: MPL-2.0 Imports: 12 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

README ¶

AWS Module

This module creates, deletes, and resets users from aws accounts based on LDAP groups, and sent notifications to newly created users with their temporary password.

Important note: because notifications contain passwords, this module requires users to have a PGP public key uploaded on gpg.mozilla.org, and its fingerprint publishes in LDAP.

The target aws account is defined by an access key and a secret key in the credentials section of the module configuration.

modules:
    - name: aws
      credentials:
          accesskey: AKIAnnnn
          secretkey: YOLOMAN

Alternatively, you can leave these parameters blank and set the credentials in the environment of the user running userplex. More info on the AWS blog.

IAM Groups

You need at least one IAM group to store the users managed by userplex. Call it ldapmanaged, for example, and configure userplex as follows:

modules:
    - name: aws
      ldapgroups:
        - sysadmins
      create: true
      delete: true
      reset: true
      parameters:
          iamgroups:
            - ldapmanaged

userplex will create all the users present in the sysadmins ldap group and add them into the ldapmanaged aws iam group. This allows userplex to later remove users from the ldapmanaged group that have been removed from ldap, and delete their aws account.

One-off Reset

AWS user accounts can be reset by passing their comma separated LDAP uids to the -reset userplex command line flag. Reset supports multiple comma separated LDAP users and resets each user's password, removes their access keys, and creates a fresh access key (if CreateAccessKey is true).

Example: userplex -reset foo,bar

Access key creation

This module can create an access key when a user is created. The access key will be sent to the user in the body of the encrypted notification. To activate this feature, set createaccesskey: true in the configuration parameters.

modules:
    - name: aws
      parameters:
          createaccesskey: true

Notifications

This module supports standard userplex notifications. When notifications are enabled, users are required to have a pgp fingerprint in LDAP because the notification body contains credentials that must be encrypted.

The name of the AWS account is also needed to point users to the location of the AWS console.

modules:
    - name: aws
      notify:
        mode: smtp
        recipient: "{ldap:mail}"
      parameters:
          accountname: cloudservices-aws-dev

Notifications are sent on creation and reset of user accounts. No notification is sent on deletion of an account.

The notification contains a username, a temporary password which must be changed at first connection, a signin URL and a pair of API access/secret keys.

Because it contains secrets, the notification is required to be encrypted with the public PGP key of the user (see main userplex documentation).

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

aws.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL