Implementing Secret-less Access to Azure and AWS with Azure Managed Identities and AWS IAM

2024-09-18

AWS, Azure, Entra ID, IAM, Idp, Managed Identity, Security

1. User case

Nowadays, it is common for companies to operate in multi-cloud environments, such as Azure and AWS. They often use Microsoft Entra ID (formerly Azure Active Directory) as their centralized identity provider (IdP), managing identities for both human users and applications. They would like to use the Entra ID identities to access resources in AWS.

Establishing human user identity access across Azure and AWS is straightforward. The IT department can use AWS IAM Identity Center to allow users from Microsoft Entra ID to sign-in to the AWS Management Console with Single Sign-On (SSO) via their browser. This integration simplifies authentication, offering a seamless and secure user experience across both Azure and AWS environments. For more information, you can read this document.

However, the browser-based SSO approach for human users does not apply to applications.

For applications, developers follow security best practices by using cloud-native IAM (Identity and Access Management) mechanisms to manage resource access. In AWS, this mechanism is AWS IAM, while in Azure, it is typically Azure Managed Identity. For example, by leveraging Azure Managed Identity, developers can build applications in Azure without the need to manage secrets or keys.

This approach is known as secretless access to cloud resources.

AWS IAM and Azure Managed Identity work well within their respective platforms, but there are cross-cloud scenarios where a workload in one cloud needs to access resources in another. For instance, an Azure Function might need to save data to both an Azure Storage account and an AWS S3 bucket for cross-cloud backup. The Azure Function uses Managed Identity to access the Azure Storage account. For accessing S3, the developer could create an IAM user and store the IAM user credentials. However, there is a better way to achieve secretless access to both Azure and AWS resources using the same Azure Managed Identity.

The problem of using Azure Managed Identity to access S3

2. Solution

In AWS, there are multiple ways to request temporary, limited-privilege credentials by using AWS Security Token Service (AWS STS), such as AssumeRoleWithSAML and AssumeRoleWithWebIdentity.

The post will explain how to use AssumeRoleWithWebIdentity and IAM Web Identity Role to extend the permissions of the same Azure Managed Identity to also access AWS resources.

We will build an Azure Function with a managed identity, either User-Assigned Managed Identity (UAMI) or System-Assigned Managed Identity (SAMI), to read objects from both an Azure Storage account and an AWS S3 bucket. This same managed identity will work in both Azure and AWS, eliminating the need to manage additional secrets such as AWS IAM user credentials.

The source code is published at github https://github.com/linkcd/Secretless-cross-cloud-access

AWS Blog - Build your multilingual personal calendar assistant with Amazon Bedrock and AWS Step Functions

2024-07-04

AWS, AWS Step Functions, Amazon Bedrock,, GenAI, Generative AI

Check out my latest blog post on AWS official AI/ML blog channel.

“Foreigners and expats living outside of their home country deal with a large number of emails in various languages daily. They often find themselves struggling with language barriers when it comes to setting up reminders for events like business gatherings and customer meetings. To solve this problem, this post shows you how to apply AWS services such as Amazon Bedrock, AWS Step Functions, and Amazon Simple Email Service (Amazon SES) to build a fully-automated multilingual calendar artificial intelligence (AI) assistant. It understands the incoming messages, translates them to the preferred language, and automatically sets up calendar reminders.”

Happy reading!

Blog address: https://aws.amazon.com/blogs/machine-learning/build-your-multilingual-personal-calendar-assistant-with-amazon-bedrock-and-aws-step-functions/
Source code: https://github.com/aws-samples/build-multilingual-calendar-assistant-with-amazon-bedrock-and-aws-step-functions

AWS Blog - Manage IoT device state anywhere using AWS IoT Device Shadow service and AWS IoT Greengrass

2023-05-23

AWS, AWS IoT Core, AWS IoT Greengrass, Device Shadow, IoT, Raspberry Pi

Discover my latest blog post on AWS official blog channel, where I delve into managing IoT devices from anywhere! Whether you’re interested in a humble Raspberry Pi application or eager to explore broader applications like home automation or industrial IoT solutions, this post has got you started.

Happy reading!

Blog address: https://aws.amazon.com/blogs/iot/manage-iot-device-state-anywhere/
Source code: https://github.com/aws-samples/manage-IoT-device-using-device-shadow-blog

AWS Step Functions with ECS Anywhere on NanoPi Sample

2022-02-02

AWS, ECS Anywhere, IoT, Nano Pi, Step Functions

This is a demo solution that is using AWS Step Functions and ECS Anywhere to complete a simple data processing task by using cloud orchestration (Step Functions) and local computing resources (a NanoPi).

Data flow

User upload a file to a s3 bucket
S3 triggers step functions via cloudtrail and event bridge
Event bridge triggers a step function state machine
State machine triggers a ECS Anywhere task to download the file from s3 to local (to do some processing), if file name matches condition

Architecture

NanoPi that runs ECS Anywhere

NanoPi Neo2 with LED hat in my home office, running AWS ECS Anywhere.

Using SSM to access EC2 instances

2021-12-17

AWS, AWS Systems Manager, EC2, IAM, SSH, SSM, VPC, VPC Endpoint

1. Benefits of using for connecting EC2 instances

AWS Systems Manager (SSM) is an AWS service that you can use to view and control your infrastructure on AWS. It can securely connect to a managed node. The SSM Agent is installed in EC2 OS. It is pre-installed on many amazon Machine Images (AMIs).

With SSM:

No need to open SSH port in security group for EC2
No need to create and manage SSH keys

And SSM works regardless if the EC2 instance is in public or private (NAT or Endpoint) subnet.

Requirements for SSM working:

AWS instances:
- SSM agent installed in instance (pre-installed in many AMIs already)
- Connectivity to the AWS public zone endpoint of SSM (IGW, NAT or VPCE)
- IAM role providing permissions
On-Prem instances:
- SSM agent installed in instance
- Connectivity to the AWS public zone endpoint of SSM (Access to public internet)
- Activation (Activation Code and Actuation ID)
- IAM role providing permissions

2. EC2 Instance in public subnet

2.1. Make sure the EC2 instance has a public IP. It could be the public IP assigned during creation, or an Elastic IP.
2.2. EC2 instance should have Internet access (for calling SSM endpoint). In public subnet it is done via Internet Gateways. See details from Session Manager prerequisites, in “Connectivity to endpoints” section.
2.3. You can use VPC Reachability Analyzer to troubleshoot the connectivity between your EC2 and Internet gateway.
2.4. Create an EC2 Instance profile has IAM policy AmazonSSMManagedInstanceCore. Read the details from Step 4: Create an IAM instance profile for Systems Manager
2.5 Attach the EC2 Instance profile to your instance.
2.6 Reboot the EC2 instances.

3. EC2 instance in private subnet, with NAT connectivity

In this case, EC2 instances have no public IP, but they can still talk to internet via NAT.

3.1. Make sure EC2 instances in private subnet can access internet, via a NAT Gateway or NAT instance.
3.2. The rest will be the same as EC2 instances in public subnet, starting from 2.2

4. EC2 instance in private subnet, without NAT connectivity but VPC endpoints

In this case, the EC2 instance (no public IP) won´t have access internet via NAT but VPC endpoints, some extra works are required

4.1 Create VPC endpoints for System Manager. Remember to allow HTTPS (port 443) outbound traffic in security group for your endpoint (ssm, ssmmessages and ec2messages)
4.2. Create an IAM Role as EC2 profile that contains at least the following 2 policies
- aws managed policy AmazonSSMManagedInstanceCore
- a custom policy for accessing an AWS owned S3 buckets.
4.3 Attach this instance profile to your EC2 instance
4.4 Make sure enable “DNS resolution” and “DNS hostnames” for you VPC
4.5 In addition, if your EC2 instance need to access other AWS services such as S3, remember to create needed endpoints for them as well. (For S3 you can choose either Gateway or Endpoint. At this moment Gateway is free.) Note that you need to add the endpoint into the private subnet route table. The following screenshot shows the route table entity of a S3 Gateway endpoint, which is using prefix lists.

5. Verification

Once the SSM is fully up-and-running, the EC2 instance (either in public/private subnet) will appear in Fleet Manager in SSM web console.

Building a Very Slow Movie Player

2021-12-04

Amazon Lookout for Vision, DIY, Movie, Raspberry Pi, SVMP, e-paper

Inspired by Bryan Boyer and Tom Whitwell, I am building a Very Slow Movie Player (VSMP).

With VSMP,

Kiki’s Delivery Service (running time 1h42m): takes 7 days to play (with 1 frame per 20 seconds, as in above demo)
Laputa: Castle in the Sky (running time 2h4m): takes 2 months to play (with 1 frame per 120 seconds, as default setting)

Okta and AWS Control Tower - a happy path demo

2021-11-17

AWS, AWS Control Tower, AWS SSO, Okta, SSO

This is a happy path demo of setting up Okta as the Idp for AWS Control Tower (via AWS SSO).
Goal: To utilize users and groups in Okta to manage AWS control tower.

1. Create a brand new Control Tower instance

In this demo, we create the AWS Control Tower instance in a brand new AWS account. During this process, control tower creates several services/components, such as AWS Organizations, AWS SSO, default organizations unit (OU) “Security” and 2 AWS accounts “Log Archive” and “Audit”.

In the AWS SSO, some default SSO user groups are created for managing Control Tower:

The default admin user for organization management account is “AWS Control Tower Admin”.
default master user1

Detailed user info
default master user2

And it belongs to 2 groups: AWSAccountFactory and AWSControlTowerAdmins
default master user3

How to build an IoT connected car - Part 2: Data Analytics in the Cloud

2020-09-22

Azure, Azure Data Explorer (ADX), Car, Data Analytics, Databricks, Grafana, IoT, Jupyter Notebook, PowerBI, Python, Time Series Insight (TSI), Visualization

In Part 1, we have talked about the hardware/software running on the edge (the car) for collecting data.

Now we have the data, and how to gain some insights by doing data analytics? I have been using the following products, and would like to share my quick thoughts

Azure Time Series Insight (TSI)
Azure Databricks
Azure Data Explorer (ADX)
PowerBI
Grafana

How to build an IoT connected car - Part 1: On the Edge

2020-09-15

Azure IoT Edge, Azure IoT Hub, Car, Data Analytics, GPS, IoT, OBD2, Raspberry Pi

Previously I wrote a blog about how to measure hamster via IoT wheel. This reminds me another personal project I did back to the winter of 2018/2019, for measuring car performance.

How to measure your Hamster's running with wireless IoT

2020-08-05

Data Analytics, Hamster, Home Assistant, IoT, Jupyter Notebook, Python, Zigbee

We recently welcomed our new family member Qiuqiu (球球) (a girl Syrian/Golden hamster) home. She seems to enjoy the new environment fairly well, but she is a quiet girl - does not show much activities during the day time.

Of course we understand hamsters are nocturnal animals, which means they are sleeping in day time and become more active at night. But I started wondering how she was doing during the nights, especially how much she ran on the hamster wheel.

Let’s do something about it.

Picture: Qiuqiu with her wheel