🎉 What's new on 15 Oct? Keyless OIDC connections with AWS

Anand Muthukrishnan


Oct 16, 2024

We just shipped a new, secure method to connect AWS accounts with LocalOps without using IAM keys. This is especially useful for Private SaaS deployments. Read on!

When we started out early this year, we asked for IAM keys to connect to an AWS account, to simplify and speed up development in our initial days. We did, however, encrypt those keys before storing them, so they were handled safely.

But we promised ourselves internally that we would come back to this area and tighten things up, because we knew that IAM keys are long-lived, a liability, and not the long-term solution.

From today, we have switched to the industry-standard OAuth 2.0 / OpenID Connect protocols and role-based access to connect to AWS accounts, without any long-lived AWS IAM keys anywhere in the access chain.

We will publish another post this week (here on blog.localops.co; please subscribe 😄 to get email updates) on how we arrived at OpenID Connect as our solution. It may help your organization evaluate the available authentication methods for accessing cloud accounts.

From today, to connect an AWS account to LocalOps, AWS account owners must:

  1. Establish a prior trust with the "LocalOps Web Identity server" inside their AWS account, by creating a new OIDC provider (representing the LocalOps Identity server) in their AWS account.

  2. Set up a new IAM role to represent identities coming via the LocalOps Identity server.

  3. Set up a new IAM policy granting that role the permissions LocalOps identities need to authenticate and make authorized API calls.

LocalOps code/servers will then be able to:

  • Authenticate with the LocalOps Identity server as an identity.

  • Use that same identity to connect to the target AWS account via the AssumeRoleWithWebIdentity AWS SDK (STS) call and the IAM role created by the account owner.

  • Obtain short-term IAM credentials for accessing the target AWS account.

AWS expires these temporary credentials automatically after a short interval.
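As an added illustration of steps 1 to 3 and the trust relationship they create (example code written for this post, not LocalOps' own CloudFormation template or code), the following Python builds the two IAM policy documents an account owner ends up with and audits the role trust policy for the setting that matters most: whether it is restricted to the expected `aud` (audience) and `sub` (subject) claims of the web identity token. The issuer hostname, account id, audience and subject values are placeholders; IAM exposes OIDC token claims as condition keys named `<issuer-host>:<claim>`.

```python
"""Build and audit the IAM policy documents behind a keyless OIDC connection.

Added example, not LocalOps code. The issuer hostname, account id, audience and
subject values below are constructed placeholders; a real setup takes them from
the identity server and the target AWS account.
"""
import json

ISSUER_HOST = "identity.example.invalid"   # placeholder OIDC issuer hostname
ACCOUNT_ID = "123456789012"                # placeholder target AWS account id
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{ISSUER_HOST}"
ASSUME_ACTION = "sts:AssumeRoleWithWebIdentity"


def trust_policy(provider_arn: str, issuer_host: str, audience: str, subject: str) -> dict:
    """Role trust policy (step 2): only tokens issued by the registered OIDC
    provider (step 1) that carry the expected aud and sub claims may assume the
    role. IAM names OIDC claim condition keys '<issuer-host>:<claim>'."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": ASSUME_ACTION,
                "Condition": {
                    "StringEquals": {
                        f"{issuer_host}:aud": audience,
                        f"{issuer_host}:sub": subject,
                    }
                },
            }
        ],
    }


def permission_policy(actions: list, resources="*") -> dict:
    """Permission policy (step 3) attached to the role: the API calls the
    assumed identity may make. Keep the action list as narrow as the job allows."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": resources}],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy: dict) -> list:
    """Flag Allow statements for AssumeRoleWithWebIdentity that lack an audience
    or subject condition, or that trust a wildcard federated principal. Without
    those conditions, any token minted by the issuer for anyone can assume the role."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if ASSUME_ACTION not in actions and "sts:*" not in actions and "*" not in actions:
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("Federated", []))
        ):
            findings.append(f"statement {i}: wildcard federated principal")
        # Collect every condition key regardless of operator (StringEquals, StringLike, ...).
        keys = {k for op in stmt.get("Condition", {}).values() for k in op}
        if not any(k.endswith(":aud") for k in keys):
            findings.append(f"statement {i}: no aud condition, tokens for other audiences are accepted")
        if not any(k.endswith(":sub") for k in keys):
            findings.append(f"statement {i}: no sub condition, any identity from the issuer can assume the role")
    return findings


if __name__ == "__main__":
    trust = trust_policy(PROVIDER_ARN, ISSUER_HOST, "localops-aws", "connection:demo")
    print(json.dumps(trust, indent=2))
    print("findings:", audit_trust_policy(trust))
```

The audit is the check worth running on any role that a third-party identity server is trusted to assume: the `Principal` restricts the issuer, but only the `aud` and `sub` conditions restrict which token from that issuer is accepted.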

1-click setup:

We have automated the entire process with a pre-defined CloudFormation template, so it is a "1-click setup" for all users connecting their AWS accounts inside LocalOps.

Go to Cloud connections, create a new connection, give it a name and other attributes, and click "Connect AWS account" on the second screen. This opens your AWS console in the CloudFormation section, where you continue creating the CloudFormation stack; the stack in turn sets up the OIDC provider, IAM role and IAM policy and completes the connection process.

Private SaaS deployments:

This is especially useful in Private SaaS deployment scenarios, where end customers are hesitant to hand out long-term IAM keys from their AWS account.

It is the same 1-click keyless setup for end-customer cloud accounts in Private SaaS deployments. Developers can pass the instructions provided by LocalOps on to the end customer's IT team (see the instructions on the same page above), who follow a single link embedded in the instructions to connect their AWS account.

Cloud access setup is now easier and more secure, which speeds up trust building with end customers.

Works on all cloud providers:

Today, role-based access is the recommended approach for connecting to AWS accounts. Typical role-based access in AWS needs another source AWS account, and an IAM user within it, to make it all work.

We have gone one step further and implemented a web-native identity system in LocalOps using OAuth and OpenID Connect. Instead of connecting to target AWS accounts only from our own source AWS account, identities can come from a generic OAuth-based identity server and connect to "all" cloud providers, including AWS, Azure, Google Cloud and others. All major cloud providers support the OIDC/OAuth protocols.

Less work for us and more safety for our users in return. A win-win for everyone!

Docs:

You can find the documentation on connecting AWS accounts inside LocalOps here: https://docs.localops.co/connecting-cloud/aws

Get Started for FREE with LocalOps:

You can sign up for free at LocalOps, connect your cloud and set up your production environment in minutes, or make private deployments to your customers' clouds easily from one dashboard.

There is a free plan for managing your production environments via LocalOps, free forever. Sign up now at https://localops.co.

Cheers ✌️