This website is mostly dedicated to blogs as a part of my passion for Information Technology, my work with Green Mountain Cloud, my random creative projects and my affinity for all things awesome.

February 03, 2020

Using AWS STS on Windows to populate Terraform credentials

When using the AWS provider in Terraform, one of the methods of authentication is the shared credentials file. The notion of keeping a long-term AWS Access key and Secret key in here is unsettling, but it’s a great place to keep a short-term token issued by the AWS Security Token Service (STS). There are posts about automating the population of tokens with Linux and with JQ but when supporting clients in a vanilla Windows environment, a little old-fashioned Windows scripting comes to the rescue.

The following bat file uses AWS CLI to issue an assume-role command to obtain a short-term token for authentication and parses the JSON response for the elements we need. It uses those elements to populate a shared credential file that we specify in our file.

October 02, 2018

AWS SSO from Commercial to GovCloud

AWS Single Sign-On (SSO) is integrated with AWS Organizations to allow quick and easy access to cross-account IAM roles to manage all of your AWS accounts with ease. This simplifies cross-account management and relieves password fatigue for users, however this functionality hasn’t been extended from commercial accounts to GovCloud accounts. GovCloud will allow you to assume a role with SAML, so with a little heavy lifting on the admin side, you can add GovCloud cross-account access from your commercial AWS SSO account.

My last post discussed how to add MFA to SSO and assumed that we were using an AWS AD Connector to connect to our AWS Managed Microsoft AD directory. We’ll keep that same assumption for this scenario, although your AD Connector could be reaching out to virtually any identity store. One caveat: You’ll need to create a custom application for each GovCloud account/role you’re trying to access, if you’re using AWS Managed Microsoft AD. You could get a little creative if you’re connecting to a true Active Directory store, but for now, let’s not get too creative.

Let's get building!

October 01, 2018

Connect AWS SSO to Duo MFA

Amazon's Single Sign-On (SSO) service allows you to connect your directory / user store to several applications and AWS accounts. The benefits are pretty obvious as you start to pile on lots of accounts and apps, but the AWS documentation on configuration is a little vague, so I thought I'd throw this out there for whoever it might help.

My MFA solution is Duo. I often use Google Authenticator, but one of the requirements for MFA in my situation is to run a RADIUS server. AWS SSO can be configured in many ways, but for the purposes of this article, I’m using an AWS AD Connector to connect to AWS Managed Microsoft AD. I’ll assume that:

  1. You know your AD.
  2. You are mildly familiar with Duo.
  3. You have established network connectivity from your AWS SSO account to your AD user store (whether through VPC peering or Direct Connect, etc.).
  4. You have created a secret key to be used between RADIUS and SSO.

Let's get right to it!

July 15, 2016

Adding aws-cfn-bootstrap (CloudFormation helper scripts) to custom Linux AMIs

As more and more of my CloudFormation (CF) stacks use a base image and CloudFormation::Init magic, it’s become imperative to have an AMI that has the helper scripts (cfn-signal, cfn-init, etc.) built-in. This isn’t a problem if you use the Amazon Linux AMI, but if you’re playing with things like immutable infrastructure or baking your own custom AMIs for CIS hardening or some other regulatory requirement, it can become a big issue quickly. There’s a little documentation out there on installing the CF helper scripts ( but the installation process is not quite so straightforward as one would hope.

The solution to this issue varies depending on your OS. I’ve had no issue with Windows AMIs because the Ec2Config service takes care of everything, but in CentOS and RHEL, there are a few extra steps. I’ll break them down by OS. Note that you may need to search for updated version of things like epel-release to make sure it matches your OS or you’re using the most current version.

CentOS 6

This was relatively painless, thanks to the contents of the cloudformation-examples bucket being publicly visible. The latest version of the helper-scripts requires some Python elements/versions that are a pain to set up, but you can use an older version of the helper scripts without any issues. As of CentOS 6.8, you can use aws-cfn-bootstrap-1.4-5.amzn1.noarch.rpm without having to juggle any prerequisites.