openSeSSHIAMe allows SSH access to an instance behind the great AWS firewall (security group for the instance) for authorized IAM users from their current location.
pip install openSeSSHIAMe==0.1.0
openSeSSHIAMe (picture Adam Sandler singing "open sesame") allows SSH access to an instance behind the great AWS firewall (security group for the instance) for authorized users from their current location.
Given the credentials for an AWS IAM (Identity and Access Management) user, it:
Use at your own risk, and only with trusted users. Follow best practices to secure your EC2 instance and AWS account. Feedback, suggested improvements, and contributions will be most appreciated. See Notes for known issues with the current implementation.
The IAM user needs a tag with Key=openSeSSHIAMe-ID and a unique Value among all openSeSSHIAMe users, plus the following permissions.

EC2 permissions:

- DescribeSecurityGroups (List)
- AuthorizeSecurityGroupIngress (Write)
- RevokeSecurityGroupIngress (Write)

IAM permission (use ${aws:username} in the ARN when specifying resources):

- ListUserTags (List)

Note that DescribeSecurityGroups cannot be restricted to a particular resource (the security group used by openSeSSHIAMe).

To install from source, execute the following in the directory containing setup.py:

pip install [--user] [--upgrade] .

To install from PyPI:

pip install [--user] [--upgrade] openSeSSHIAMe
The openSeSSHIAMe CLI can be executed for oneshot authorization of the user's current public IPv4 address:
openSeSSHIAMe --verbose --config /path/to/config.json
Here, config.json should look like etc/openSeSSHIAMe-config.json, found in this repo and the installed package. It consists of the IAM credentials and username for the current openSeSSHIAMe user, the ID of the security group to use, and the region the EC2 instance is running in.
openSeSSHIAMe can be run at the time of starting an SSH session, just like port-knockers. One way is using ProxyCommand in your SSH client config:

Host foo
    HostName ...
    ...
    ProxyCommand bash -c 'openSeSSHIAMe --verbose --config ...; sleep 1; exec nc %h %p'
This technique should also work with autossh.
Alternatively (or additionally), a sample systemd service and timer for periodic execution are included in etc/.

Finally, feel free to import and use the openSeSSHIAMe class after installing this package:
from openSeSSHIAMe import openSeSSHIAMe
sesame = openSeSSHIAMe(config_filename='...', verbose=True)
# See main() in openSeSSHIAMe.py for further usage
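A least-privilege IAM policy for an openSeSSHIAMe user, written here as an added example rather than taken from the project: it grants the four permissions listed above, scopes the two ingress actions to the one security group and ListUserTags to the caller's own user via ${aws:username}, and leaves DescribeSecurityGroups on "*" because it cannot be resource-restricted. ACCOUNT_ID, REGION and sg-PLACEHOLDER are placeholders to replace with your own account, region and security group ID.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOwnTagsOnly",
      "Effect": "Allow",
      "Action": "iam:ListUserTags",
      "Resource": "arn:aws:iam::ACCOUNT_ID:user/${aws:username}"
    },
    {
      "Sid": "DescribeGroupsCannotBeScoped",
      "Effect": "Allow",
      "Action": "ec2:DescribeSecurityGroups",
      "Resource": "*"
    },
    {
      "Sid": "EditOnlyTheSshSecurityGroup",
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress"
      ],
      "Resource": "arn:aws:ec2:REGION:ACCOUNT_ID:security-group/sg-PLACEHOLDER"
    }
  ]
}
```

Attach the policy to each openSeSSHIAMe user (or a group they share); a user holding only this policy can change ingress rules on the named security group and nothing else.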
The DescribeSecurityGroups and ListUserTags permissions are unavoidable.

openSeSSHIAMe is distributed under the terms of the MIT license. Please see COPYING.