A centralized server, which is responsible for authenticating users and requesting credentials from AWS on their behalf, should be run for each team or organization.
```
$ go install github.com/superorbital/cludo/cmd/cludod/cludod
```
Configure `cludod` by providing a `cludod.yaml` file. `cludod` supports the following configuration options:
Key | Description |
---|---|
`server.users[]` | List of users identified by their SSH public key. |
`server.users[].public_key` | The public key this user will use for authentication. |
`server.users[].name` | The name that should be associated with this user. |
`server.users[].github_id` | [Optional] The GitHub ID for the user. |
`server.users[].targets[]` | The targets this user is allowed to access. |
`server.targets` | The map of targets the server supports. |
`server.targets.TARGET` | Each target is identified by a name. |
`server.targets.TARGET.aws` | The AWS backend for this target. |
`server.targets.TARGET.aws.arn` | The ARN to use for the AWS `sts-assume-role` call for this target. |
`server.targets.TARGET.aws.access_key_id` | The AWS access key ID used to call `sts-assume-role`. |
`server.targets.TARGET.aws.secret_access_key` | The AWS secret access key used to call `sts-assume-role`. |
`server.targets.TARGET.aws.session_duration` | The amount of time the temporary AWS credentials generated by `sts-assume-role` will be valid for. |
`server.github.api_endpoint` | [Optional] GitHub V3 API endpoint to use. Defaults to `https://api.github.com/`. |
Here's an example `cludod.yaml` file:

```yaml
server:
  github:
    api_endpoint: https://api.github.com/
  targets:
    prod:
      aws:
        arn: "aws:arn:iam:..."
        session_duration: "20m"
        access_key_id: "456DEF..."
        secret_access_key: "UVW789..."
    dev:
      aws:
        arn: "aws:arn:iam:..."
        session_duration: "8h"
        access_key_id: "123ABC..."
        secret_access_key: "ZXY098..."
    qa:
    prod_frontend:
    prod_backend:
    prod_db:
  users:
    - public_key: "ssh-rsa aisudpoifueuyrlkjhflkyhaosiduyflakjsdhflkjashdf7898798765489..."
      name: "Amka Etok"
      github_id: "aetok"
      targets: ["prod", "dev"]
```
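As an added example (not part of cludo or this README), here is a small Go validator for the configuration structure above. It works on a hypothetical in-memory mirror of the `server.*` keys rather than cludod's own types, assumes `session_duration` uses Go duration syntax as the `20m` and `8h` values suggest, and builds its sample config inline, with two constructed mistakes. It flags the things that otherwise fail silently at runtime: a user granted a target that has no AWS backend or is not defined at all (the `qa`, `prod_frontend` and similar entries above are declared without one), a `public_key` line that can never match because its base64 body is corrupt or names a different key type than its prefix, two users sharing one key, and session durations outside what STS AssumeRole will accept.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Hypothetical Go mirror of the server.* keys in cludod.yaml (not cludod's own types).
type AWSBackend struct{ ARN, AccessKeyID, SecretAccessKey, SessionDuration string }
type Target struct{ AWS *AWSBackend }
type User struct {
	PublicKey, Name, GithubID string
	Targets                   []string
}
type Server struct {
	Targets map[string]Target
	Users   []User
}

// checkPublicKey validates an OpenSSH "<type> <base64> [comment]" line. The body is
// SSH wire format (RFC 4253) and opens with a length-prefixed string that must repeat
// the declared key type; a mangled line here silently locks that user out.
func checkPublicKey(line string) error {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return fmt.Errorf("expected '<type> <base64> [comment]'")
	}
	raw, err := base64.StdEncoding.DecodeString(fields[1])
	if err != nil {
		return fmt.Errorf("key body is not valid base64: %w", err)
	}
	if len(raw) < 4 || uint64(binary.BigEndian.Uint32(raw))+4 > uint64(len(raw)) {
		return fmt.Errorf("key body is truncated")
	}
	if got := string(raw[4 : 4+binary.BigEndian.Uint32(raw)]); got != fields[0] {
		return fmt.Errorf("declared type %q but body says %q", fields[0], got)
	}
	return nil
}

// Validate returns every problem found, sorted, so an operator sees all of them at once.
func Validate(s Server) []string {
	var problems []string
	for name, t := range s.Targets {
		if t.AWS == nil {
			problems = append(problems, fmt.Sprintf("target %q has no aws backend; users granted it get nothing", name))
			continue
		}
		// Assumes Go duration syntax ("20m", "8h"); STS AssumeRole only accepts 15m..12h,
		// and the role's own MaxSessionDuration may cap it lower still.
		d, err := time.ParseDuration(t.AWS.SessionDuration)
		if err != nil {
			problems = append(problems, fmt.Sprintf("target %q: session_duration %q is not a duration", name, t.AWS.SessionDuration))
		} else if d < 15*time.Minute || d > 12*time.Hour {
			problems = append(problems, fmt.Sprintf("target %q: session_duration %s is outside the STS range 15m..12h", name, d))
		}
	}
	seen := map[string]bool{}
	for i, u := range s.Users {
		who := fmt.Sprintf("users[%d] (%s)", i, u.Name)
		if err := checkPublicKey(u.PublicKey); err != nil {
			problems = append(problems, who+": bad public_key: "+err.Error())
		} else if seen[u.PublicKey] {
			problems = append(problems, who+": public_key is already used by another user, so identity is ambiguous")
		}
		seen[u.PublicKey] = true
		for _, tgt := range u.Targets {
			if _, ok := s.Targets[tgt]; !ok {
				problems = append(problems, fmt.Sprintf("%s: target %q is not defined under server.targets", who, tgt))
			}
		}
	}
	sort.Strings(problems)
	return problems
}

// fakeKeyBody builds a syntactically valid wire-format body (type string plus a
// 32-byte zero blob) for the sample below; it is constructed here and is not a real key.
func fakeKeyBody(keyType string) string {
	body := append([]byte{0, 0, 0, byte(len(keyType))}, keyType...) // uint32 length prefix (type < 256 bytes)
	body = append(body, 0, 0, 0, 32)                                // uint32 length of the blob
	return base64.StdEncoding.EncodeToString(append(body, make([]byte, 32)...))
}

// sampleConfig mirrors the README example, with two constructed mistakes added.
func sampleConfig() Server {
	aws := func(dur string) *AWSBackend { // placeholder ARN and keys, not real credentials
		return &AWSBackend{ARN: "arn:aws:iam::000000000000:role/PLACEHOLDER", AccessKeyID: "PLACEHOLDER", SecretAccessKey: "PLACEHOLDER", SessionDuration: dur}
	}
	return Server{
		Targets: map[string]Target{"prod": {AWS: aws("20m")}, "dev": {AWS: aws("8h")}, "qa": {}},
		Users: []User{
			{PublicKey: "ssh-ed25519 " + fakeKeyBody("ssh-ed25519") + " amka", Name: "Amka Etok", GithubID: "aetok", Targets: []string{"prod", "dev"}},
			{PublicKey: "ssh-rsa not-base64!", Name: "Broken Entry", Targets: []string{"staging"}},
		},
	}
}
```

Running `Validate(sampleConfig())` reports three findings: the `qa` target has no backend, the second user's key body is not valid base64, and that user is granted a `staging` target that does not exist. The key-type check matters because a line pasted from the wrong file (say an `ssh-rsa` prefix with an `ssh-ed25519` body) looks plausible to a human reader and still never authenticates.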
```
$ cludod --scheme=http --port=8080 --host=0.0.0.0 -c /path/to/cludod.yaml
```
We also provide a Docker image (`superorbital/cludod`) with `cludod` pre-installed. Just provide a `/etc/cludod/cludod.yaml` config file.
Flag | Default | Env Var | Description |
---|---|---|---|
`--scheme` | | | the listeners to enable; this can be repeated and defaults to the schemes in the swagger spec |
`--host` | localhost | HOST | the IP to listen on |
`--port` | | PORT | the port to listen on for insecure connections; defaults to a random value |
`--cleanup-timeout` | 10s | | grace period for which to wait before killing idle connections |
`--graceful-timeout` | 15s | | grace period for which to wait before shutting down the server |
`--max-header-size` | 1MiB | | maximum bytes the server will read parsing the request header's keys and values, including the request line. It does not limit the size of the request body. |
`--socket-path` | /var/run/cludod.sock | | the unix socket to listen on |
`--listen-limit` | | | limit the number of outstanding requests |
`--keep-alive` | 3m | | sets the TCP keep-alive timeouts on accepted connections. It prunes dead TCP connections (e.g. closing laptop mid-download) |
`--read-timeout` | 30s | | maximum duration before timing out read of the request |
`--write-timeout` | 60s | | maximum duration before timing out write of the response |
`--tls-host` | | TLS_HOST | the IP to listen on for TLS; when not specified it's the same as `--host` |
`--tls-port` | | TLS_PORT | the port to listen on for secure connections; defaults to a random value |
`--tls-certificate` | | TLS_CERTIFICATE | the certificate to use for secure connections |
`--tls-key` | | TLS_PRIVATE_KEY | the private key to use for secure connections |
`--tls-ca` | | TLS_CA_CERTIFICATE | the certificate authority file to be used with mutual TLS auth |
`--tls-listen-limit` | | | limit the number of outstanding requests |
`--tls-keep-alive` | | | sets the TCP keep-alive timeouts on accepted connections. It prunes dead TCP connections (e.g. closing laptop mid-download) |
`--tls-read-timeout` | | | maximum duration before timing out read of the request |
`--tls-write-timeout` | | | maximum duration before timing out write of the response |
`-c` will default to `/etc/cludod/cludod.yaml`, `~/.cludod/cludod.yaml`, `./.cludod/cludod.yaml`, or `./cludod.yaml`.