According to the AWS blog, U2F is now supported for console login:
https://aws.amazon.com/blogs/security/use-yubikey-security-key-sign-into-aws-management-console/
It would be particularly important for aws-cli to support this as well, so that instead of keeping a long-lived token on disk or in memory you could just tap the key and run the command.
AFAIK, U2F usually only works in web browsers. How do you imagine it being used from the CLI? Launching a browser?
@JensRantil No, any kind of application can talk to a U2F token.
Source: I maintain libu2f-* and pam-u2f in Debian ;)
U2F isn't available for API access yet either:
> You cannot use U2F security keys for MFA-protected API access.
That said, I'll definitely pass this feedback along to the service team. In my own experience U2F is 100000x easier to use than any other second factor, so I'd like to see it in my own usage too.
One caveat is that I'm fairly sure we'd need to pull in C dependencies to talk to U2F tokens, which means this would probably have to be a v2 feature.
@JordonPhillips FYI, there is Yubico's Python U2F host library. It is itself 100% Python but, IIRC, depends on hidapi, which uses libusb and libudev.
OTOH, those are already available in every major distribution, so that shouldn't be a big deal?
Also (as with any use of U2F), the user needs to be able to talk to the U2F device. Yubico maintains the udev rules upstream in libu2f-host, which ships in Debian as libu2f-udev (so it can be installed without the C library); it is a task-desktop dependency (since Debian 10/buster), so most users have it out of the box. On stretch (the current Debian stable) the U2F udev rules ship in the udev package, so they are available there too.
TL;DR: Debian since jessie (released over a year ago) has the proper permissions for U2F devices, and so should every Debian derivative (unless they got in the way and broke U2F...)
This would be really useful for me. Pulling my phone out 10-20 times a day to copy a TOTP code is no fun. 😄 If I could tap a Yubikey instead, the aws-cli experience would be much more pleasant.
@nbraud The Python interface they use doesn't appear to provide Linux wheels, so users would need a compiler installed in order to install it. That isn't currently a requirement for installing the CLI, so adding those libraries would be a breaking change for many users.
@JordonPhillips On introducing a breaking change... I can imagine a few approaches that let enthusiastic users benefit early without breaking things for less adventurous users.
Say, an optional dependency in v1, which people who really care can compile and enable with a special flag. That way they would effectively be previewing what eventually becomes part of the v2 client by default.
Split the U2F parts into a separate binary and detect its presence at runtime. Users who then try to use the AWS CLI with U2F get told to install that other tool to make it work. So on a Mac, for instance, I'd be happy to brew install aws-cli-u2f and be done with it. 😄
But I'd be happy to install an optional module compiled from source to get this feature. It's only needed on developer machines (where a compiler usually already exists), not on servers.
python-fido2, the replacement for python-u2fhost, needs a C library for USB HID, and it also pulls in the cryptography library, which ships wheels, so it gets that one...
I'll stop there 😄
As I understand this issue, STS/IAM would first need to gain API support for security keys as MFA tokens before any of this can move forward?
> As I understand this issue, STS/IAM would first need to gain API support for security keys as MFA tokens before any of this can move forward?
Can anyone shed light on this? (If it's indeed not supported yet, that's a pity...)
Edit:
Please don't let this become one of those awkward cases where a company assumes customers don't care about a feature because nobody used it after a not-very-useful version was implemented.
I never use the web UI to log in to the Amazon console. Everything for the several accounts I have to deal with (etc.) is CLI-driven. And even when I do log in through the Web UI, it's usually via Google/LastPass, so as things stand I would have to set up _duplicate accounts_ for every existing account in order to use U2F, alongside the aws-cli authentication setup for all of them.
In other words... AWS's U2F support could be something I'd be _really_ enthusiastic about, but without CLI support it's not yet worth touching. I suspect many people are in the same boat.
@jeffparsons I completely agree that U2F MFA for the CLI/SDKs is really needed. They'll probably resist the libusb/python-fido approach since it doesn't map well to running in the ruby/java etc. SDKs. But as a challenge/response prompt, U2F is pretty universal.
By the way, by assuming a role from another account you can switch accounts very easily in the web console.
Bookmark:
https://signin.aws.amazon.com/switchrole?roleName=SomeAdminRole&account=YourAccountNumberOrAlias
See:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html
Then a role switcher appears in the user/account drop-down at the top right of the page.
Also, this guy might be working on something... https://gist.github.com/woowa-hsw0/caa3340e2a7b390dbde81894f73e379d
This is a very nice solution: https://github.com/kreuzwerker/awsu
With several multi-account setups, using a separate IdP on each of them but the same U2F key for all of them would greatly reduce the effort for me.
Also, I'd have no problem installing/compiling additional dependencies to get it as a preview in v1.
Any movement on the AWS side of things?
For what it's worth, aws-vault seems pretty close to merging U2F support: https:
That said, I'm absolutely in favor of adding native U2F support to the official AWS CLI tool.
> For what it's worth, aws-vault seems pretty close to merging U2F support: 99designs/aws-vault#316
But that just uses the Yubikey to generate TOTP tokens. It's a workaround to make Yubikeys usable, not U2F.
(Isn't that the same as awsu?)
awscli MFA as a whole is a pain to set up, and the lack of yubikey support doesn't help.
MFA in 2019 shouldn't be a cutting-edge feature.
Any progress on this?
Just got bitten by this. If there's no plan to support it in the CLI, please remove Yubikey support from the web console. It's a huge waste of time to google for something like this only to find that AWS doesn't support what it advertises.
It's ridiculous that this issue has been open for 440 days and still isn't resolved.
CLI support would be hugely appreciated, as said above.
Hi, I'd like to enforce MFA for all human users using https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_users-self-manage-mfa-and-creds.html, but it looks like I have to either
a) give up on the idea entirely, or
b) force everyone to downgrade from U2F to TOTP.
The fact that IAM doesn't support multiple MFA devices is a bad joke...
It's almost 2020. A convenient and secure (read: U2F) MFA solution is a must, not a luxury, in my opinion. Especially in regions where malicious attackers can cause serious economic damage.
AWS, please please please get your act together and work on strengthening MFA support across the whole ecosystem (CLI, mobile app, AWS SSO - does it support U2F?)
> The fact that IAM doesn't support multiple MFA devices is a bad joke...
This is really embarrassing. Only being able to register a single device is a really bad practice, so shame on Amazon. Please fix it as soon as possible!
> It's ridiculous that this issue has been open for 440 days and still isn't resolved.
It gets worse. Someone from Amazon wrote in 2013:
> Unfortunately, at this point you can only have one MFA per account.
> But I'll raise this with the development team as a feature for future development.
https://forums.aws.amazon.com/thread.jspa?threadID=137055
I understand the team is busy, but the fact that nobody has even tried to reply to this issue concerns me. This is AWS itself, not an understaffed, underfunded open-source project.
491 days. Champagne at 500? :champagne: :confetti_ball:
I think Amazon is really focused on the GOV projects where the $ is. This thread is one example of why I usually don't recommend AWS to anyone.
Sure, there was a time when they were cutting edge, but today... they're missing such basic features. I know it's off-topic, but as another example, Route 53 still doesn't support DNSSEC; I'll move on. Also, AWS's MFA should be called SFA, since their implementation doesn't amount to much.
Sorry for the rant, but I don't think anyone other than security people who actually need this feature is watching this thread.
Just a few more days until 500 :)
I'd really love to see this added. Phones are way too distracting; I shouldn't have to pull mine out several times an hour while working with AWS services.
This was updated a few days ago - https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/
Does this help anyone?
> Does this help anyone?
Sadly, no. That's the one issue: it requires some complicated scripts to make use of the token code from AWS. I use the third-party aws-mfa python script (a PyPI module) to work around it.
But thanks for the thought @chris-bateman!
> This was updated a few days ago - https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/
At the bottom of that article there's an "Is there anything we can improve?" prompt. I always press the "No" button.
I left a comment saying "let us know once I can use my role." I'd be very excited if this feature were implemented.
@steinybot posting to add the sad comment that it's still not implemented.
The 2-year anniversary is less than 2 months away. It must be close now, right? :)
Good news! If you don't use aws-vault, you should. They've just introduced Yubikey support. If you have a yubikey that supports TOTP, you can add the MFA code to it. Everyone can agree that it would be ideal to wait on Amazon, but as long as they're raking in money they don't care.
It has strong support for roles and so on; it's sad that it's a third-party tool, but that's the beauty of open source: there are options.
Link: https:
aws-vault is great, but it supports TOTP, not U2F.
After waiting years for this, I now use https://github.com/kreuzwerker/awsu.
> @nbraud The Python interface they use doesn't appear to provide Linux wheels, so users would need a compiler installed in order to install it. That isn't currently a requirement for installing the CLI, so adding those libraries would be a breaking change for many users.
@jeffparsons pointed out some reasonable potential workarounds for using one of the other big, dependency-heavy libraries, but I'd like to point out that the small Python library pyu2f is worth considering. It also relies on native USB HID libraries to talk to the U2F key, but its only Python dependency is six. Its own ctypes-based bindings to the OS HID calls, compatible with MacOS, Linux and Windows, could cover "enough" of the use cases.
Is anyone working on this? Would the aws-cli team accept a prototype of this feature?
Edit: After reading further in the IAM user guide, it seems U2F isn't supported at the API level, so even if aws-cli supported interactive U2F token authentication, it doesn't look like GetSessionToken and AssumeRole would honor it.
> It is important to understand the following aspects of MFA protection for API operations:
> - MFA protection is available only with temporary security credentials, which must be obtained with AssumeRole or GetSessionToken.
> - You cannot use U2F security keys for MFA-protected API access.
Also, on @kiwimato's social commentary:
> Everyone can agree that it would be ideal to wait on Amazon, but as long as they're raking in money they don't care.
Please understand that this is a software development thread, not a forum for debating capitalism. In my experience the AWS team consists of real people who are very eager to get fixes into botocore. If something is bothering you, please understand that the open-source nature of many of these things means you can help contribute a fix, or at least help brainstorm some options.
However, since the underlying AWS API itself doesn't appear to support anything other than TOTP for MFA, this issue may well be bigger than aws-cli simply not supporting a client feature. If the API supported U2F, or if AWS could bump this ticket, client support could get started.
At least a solution like this helps with the context switching between the machine and the phone:
https://authy.com/
Any ETA on this? It seems nobody in the world uses good MFA practices with the AWS cli.
> It seems nobody in the world uses good MFA practices with the AWS cli.
@james-callahan That's not true. Access to roles can be restricted to principals authenticated with MFA. For example:

```yaml
AssumeRolePolicyDocument:
  Version: '2012-10-17'
  Statement:
    - Effect: Allow
      Principal:
        # ${Account} is assumed to be a template parameter holding the account ID
        AWS: !Sub 'arn:aws:iam::${Account}:root'
      Action:
        - sts:AssumeRole
      Condition:
        Bool:
          aws:MultiFactorAuthPresent: 'true'
```

Then use a tool such as aws-mfa to handle getting temporary credentials from STS and updating the AWS credentials file. There are other ways to manage the interaction with STS for the same goal.
This ticket is focused specifically on adding support for U2F.
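The flow a helper like aws-mfa performs, as an added example that is not part of this thread and not aws-mfa's own code: exchange the six-digit token code for temporary credentials with GetSessionToken (or AssumeRole against a role whose trust policy carries the aws:MultiFactorAuthPresent condition shown above), write them into a named profile of the credentials file, and only prompt for a new code once the cached session is about to expire. The STS client is injected so the block runs offline against the constructed FakeSts stand-in; with boto3 you would pass boto3.client("sts"). The MFA serial, role ARN, key values and the "mfa" profile name are made up.

```python
"""Exchange an MFA token code for temporary STS credentials and cache them in a
named profile of the AWS credentials file.  Added example, not aws-mfa's code.
The STS client is passed in: boto3.client("sts") for real use, FakeSts (below,
constructed for this example) for an offline dry run."""
import configparser
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def mfa_session(sts, mfa_serial, token_code, role_arn=None, duration=3600):
    """Return the Credentials dict STS hands back for this MFA token code.

    Without role_arn this calls GetSessionToken; the resulting session
    satisfies aws:MultiFactorAuthPresent.  With role_arn it calls AssumeRole
    and passes the MFA details so a trust policy conditioned on
    aws:MultiFactorAuthPresent is satisfied.
    """
    if not (token_code.isdigit() and len(token_code) == 6):
        raise ValueError("virtual MFA token codes are exactly 6 digits")
    if role_arn:
        resp = sts.assume_role(RoleArn=role_arn, RoleSessionName="mfa-session",
                               SerialNumber=mfa_serial, TokenCode=token_code,
                               DurationSeconds=duration)
    else:
        resp = sts.get_session_token(SerialNumber=mfa_serial,
                                     TokenCode=token_code,
                                     DurationSeconds=duration)
    return resp["Credentials"]


def write_profile(credentials_file, profile, creds):
    """Store the temporary credentials under [profile]; file becomes mode 0600."""
    path = Path(credentials_file)
    cp = configparser.ConfigParser()
    cp.read(path)
    if not cp.has_section(profile):
        cp.add_section(profile)
    cp[profile]["aws_access_key_id"] = creds["AccessKeyId"]
    cp[profile]["aws_secret_access_key"] = creds["SecretAccessKey"]
    cp[profile]["aws_session_token"] = creds["SessionToken"]
    cp[profile]["expiration"] = creds["Expiration"].isoformat()
    with path.open("w") as fh:
        cp.write(fh)
    path.chmod(0o600)


def profile_is_fresh(credentials_file, profile, now=None, margin=300):
    """True while the cached session has more than `margin` seconds left, so
    the user is only asked to tap/type a new code when it is actually needed."""
    now = now or datetime.now(timezone.utc)
    cp = configparser.ConfigParser()
    cp.read(credentials_file)
    if not cp.has_option(profile, "expiration"):
        return False
    expires = datetime.fromisoformat(cp[profile]["expiration"])
    return expires - now > timedelta(seconds=margin)


class FakeSts:
    """Constructed stand-in for boto3's STS client (response shape only)."""

    def __init__(self, serial, valid_code):
        self.expected = (serial, valid_code)

    def _check(self, serial, code):
        if (serial, code) != self.expected:
            raise PermissionError("MultiFactorAuthentication failed: invalid code")

    def _creds(self, seconds, key_id):
        return {"Credentials": {
            "AccessKeyId": key_id, "SecretAccessKey": "fake-secret",
            "SessionToken": "fake-session-token",
            "Expiration": datetime.now(timezone.utc) + timedelta(seconds=seconds)}}

    def get_session_token(self, SerialNumber, TokenCode, DurationSeconds):
        self._check(SerialNumber, TokenCode)
        return self._creds(DurationSeconds, "ASIAFAKESESSIONKEY")

    def assume_role(self, RoleArn, RoleSessionName, SerialNumber, TokenCode,
                    DurationSeconds):
        self._check(SerialNumber, TokenCode)
        return self._creds(DurationSeconds, "ASIAFAKEROLEKEY")


def run_demo(code="123456"):
    """Full round trip in a temporary directory; returns what a caller checks."""
    serial = "arn:aws:iam::123456789012:mfa/alice"          # made up
    sts = FakeSts(serial, "123456")
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "credentials"
        creds = mfa_session(sts, serial, code,
                            role_arn="arn:aws:iam::123456789012:role/SomeAdminRole")
        write_profile(path, "mfa", creds)
        later = datetime.now(timezone.utc) + timedelta(hours=2)
        return {"key_id": creds["AccessKeyId"],
                "fresh_now": profile_is_fresh(path, "mfa"),
                "fresh_in_2h": profile_is_fresh(path, "mfa", now=later)}


if __name__ == "__main__":
    print(run_demo())
```

Note that this is exactly the path the IAM user guide quote above limits to TOTP: the TokenCode parameter is the six-digit code from the virtual MFA device, and there is no equivalent parameter for a U2F assertion.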
> @james-callahan That's not true. Access to roles can be restricted to principals authenticated with MFA.
That only works with TOTP, which shouldn't be regarded as a high-quality second factor, for reasons such as TOTP credentials being easy to phish.
This is made worse by the fact that AWS doesn't allow registering both a U2F and a TOTP device on the same IAM user, so if you use U2F for UI access you can't use MFA from the CLI.
For users who need this, I create two accounts. It's pretty hard to phish TOTP from a CLI-only account.
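The token code the API accepts is an RFC 6238 TOTP, and the post above argues it is a weaker factor than U2F because a code can be phished. The following is an added example, not code from the thread: a minimal HOTP/TOTP implementation checked against the RFC 6238 test vector, a verifier with the usual one-step acceptance window, and a helper showing that a code captured at one moment is still accepted by the legitimate verifier for as long as the window is open, no matter who submits it. A U2F assertion, by contrast, is a signature over a challenge bound to the relying party, so the same capture-and-replay does not transfer. The timestamps used in the replay helper are constructed.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP, as produced by a virtual MFA device, plus a
demonstration of why a captured code is replayable.  Added example; the
secret is the RFC 6238 test secret, the replay timestamps are made up."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, at=None, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side,
    which is what verifiers do to tolerate clock drift.  Constant-time compare."""
    at = time.time() if at is None else at
    counter = int(at) // step
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), code)
               for d in range(-window, window + 1))


def replayed_code_accepted(secret: bytes, captured_at: int, replayed_at: int,
                           window: int = 1) -> bool:
    """Model a phishing page that captures the victim's code at captured_at and
    submits it to the real verifier at replayed_at.  The verifier has no way to
    tell the two submissions apart; only the time window limits the attacker."""
    stolen = totp(secret, captured_at)
    return verify_totp(secret, stolen, replayed_at, window=window)


RFC_SECRET = b"12345678901234567890"   # RFC 6238 Appendix B test secret (SHA-1)

if __name__ == "__main__":
    print("T=59, 8 digits:", totp(RFC_SECRET, at=59, digits=8))       # 94287082
    print("replay 29 s later accepted:", replayed_code_accepted(RFC_SECRET, 1000, 1029))
    print("replay 91 s later accepted:", replayed_code_accepted(RFC_SECRET, 1000, 1091))
```

The window arithmetic is the whole story: at t=1000 the counter is 33; a verifier at t=1029 (counter 34) accepts counters 33 to 35, so the stolen code still works, while at t=1091 (counter 36) it no longer does. Nothing in the code ties it to the user's session, origin or device.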
@craighurley That seems like a bit of a non-starter of a workaround IMO. To put U2F on the console you'd have to maintain two accounts for security management of the AWS organization.
I don't think that's a reasonable solution for companies that want to use U2F.