Automate the AWS Identity Lifecycle with unSkript (Part 1)

This week we are celebrating AWS re:Invent by highlighting common AWS tasks that are ripe for automation. In our first three posts for re:Invent week, we’ll build and extend some basic identity management xRunBooks to automate a simple identity lifecycle management process.

unSkript offers a framework for your CloudOps automations built on top of Jupyter Notebooks. unSkript’s Open Source repository of pre-built xRunBooks makes automating many of your internal tooling, alerts and alarms easy.

Creating IAM users

IAM stands for Identity and Access Management. Ensuring that only authorized entities have access to your AWS backend is crucial for application security, but it is also a very common request. For both of these reasons, IAM management is an excellent opportunity for automation.

unSkript offers hundreds of pre-built xRunBooks and actions for popular services. Today, we’ll focus on the Add New IAM User xRunBook. This (along with some AWS credentials) is all you need to create new users in your AWS environment.

Setup

To begin, you’ll need to create a free account in the unSkript Sandbox. If you haven’t already, there is a 3–4 minute walkthrough you’ll need to go through that highlights some of the features of unSkript.

Once you’ve completed the walkthrough, we’ll import the existing xRunBook into your account.

  1. Click xRunbooks from the top menu, and click the unSkript xRunbooks tab.
  2. Search for “Create a new IAM user” and the list will filter to the runbook we are interested in.

Screenshot: unSkript xRunBook search, filtering for the xRunBook to import

  3. We’ll want to import this into our list of xRunBooks, so click the 3 dot menu to the left, and import this xRunbook into your account.

Screenshot: importing the xRunBook

Give your imported xRunBook a unique name, and connect to the proxy you created as a part of the onboarding process.

We have created our IAM creation xRunBook, and it appears in “my xRunBooks”. We’ll need to edit a few details in order to connect it to AWS, and get it up and running. Click the three dot menu to open the xRunBook. This will open to a summary page of your xRunBook, showing the Parameters that are required to run. In this case, we see:

  • tag_key
  • tag_value
  • user_name

The tag key:value pair will add this tag to the new user (with default values “service”:“devmongodb”) and name the user “Test.”

Let’s open up the editor (the button in the top right) to personalize our xRunBook by editing the default tags, and adding our AWS Credentials.

Personalizing the xRunBook

The page will open into the unSkript Notebook. On the left side are the scripts (and text sections describing what is happening). On the right is a blank section labeled “Action.” At the top of the page is a drop-down menu “Parameters” where you can edit the three default values for the xRunBook input parameters:

Edit your parameters as you desire.

Actions

Actions are the steps that each xRunBook undertakes to complete the workflow. Let’s walk through the 4 actions in this xRunBook:

Create IAM User:

Scroll through the Actions until you reach Create IAM User (with the AWS logo to the left). We need to configure this Action for it to run correctly. Click “Configurations.”

  1. First we will create our AWS Credential. Click “Select Credentials” and then “Add Credential”. You’ll give the credential a name, and then use an existing IAM profile’s Access Key and Secret Access Key to create the credential. (For more details on setting AWS Credentials, click here).
  2. Below the Credential section, there are other tabs that are filled out. There is no need to make any changes, but note that our 3 input parameters (user_name, tag_key and tag_value) are used as inputs into this Action.

This Action creates the IAM user, and applies the tags. Click “Run Action” and it will complete.

Create Login Profile

The next Action in this xRunBook will create a login profile for this new user with a password.

Scroll to the Create Login Profile action, and click “Configurations.” Add the AWS Credential you created for the last Action. In the list of inputs, you’ll see that user_name is passed, and the new password for the user is defaulted to “test@123”. Since the password is a string, it is presented in quotes.

Let’s create the password by running this Action. Click the “Run Action” button. If you look in your AWS Console, the new AWS user will now show a password.

STS Get Caller Identity

This Action will return the user who is creating the new IAM identity. There are no inputs, but the AWS Credential must be added (as in the last two Actions). For fun, click the Output tab, and name the output “caller.”

Post to Slack

The last Action will post the name of the new IAM user to Slack. (If you want to skip this step, skip the next paragraph.) This requires a little bit of setup at Slack (details here) to create an app with an OAuth token. Configure this Action, and create a credential with your new Slack OAuth token. In the Action Inputs, add the channel you wish to send the message to. The Message is the next input. I edited my message to read:

f'New IAM user {user_name} added by {caller["Arn"]}'

This will not only send the username to Slack, but also the output of the STS Get Caller Identity Action.

Alternatively, you can skip this step by clicking the “Start Condition” in the Slack Configuration, and changing the configuration to only run when 1==0 (which is always false, and will force the script to skip this step).

Ready to Run

Now, we are ready to run the entire xRunBook — Click the “Run xRunbook” button at the top of the page, and we can see the entire Runbook execute!
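To show how the four Actions fit together end to end, here is an added example written for this post; it is not unSkript’s own code, and it calls boto3 directly rather than the xRunBook framework. The IAM and STS clients and the Slack poster are injected, so the flow can be exercised offline against the constructed fakes at the bottom; `make_aws_clients()` builds real boto3 clients for a live run. Two assumptions beyond the post: the Slack step is a plain callable (assumed here instead of the Slack Action), and the login profile gets a random one-time password with `PasswordResetRequired=True` instead of the fixed “test@123” default. The account ID and ARNs in the fakes are constructed values.

```python
"""Added example (not unSkript's own code): the four Actions of the post's
xRunBook as one boto3 pipeline, including the Slack step's Start Condition.

Clients are injected so the flow runs offline against the constructed fakes
below; make_aws_clients() builds real boto3 clients for a live run.
"""
import secrets
import string

SPECIALS = "!@#$%^&*()_+-="


def make_aws_clients(profile_name=None):
    """Real IAM and STS clients from the local credential chain (live runs only)."""
    import boto3  # lazy import so the module loads without boto3 installed
    session = boto3.Session(profile_name=profile_name)
    return session.client("iam"), session.client("sts")


def generate_temporary_password(length=20):
    """Random one-time console password, a hardening change from the post's
    fixed "test@123" default. Loops until every character class is present
    so it satisfies a strict account password policy."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SPECIALS for c in pw)):
            return pw


def create_iam_user(iam, user_name, tag_key, tag_value):
    """Action 1: create the user and apply the tag_key:tag_value tag."""
    resp = iam.create_user(UserName=user_name,
                           Tags=[{"Key": tag_key, "Value": tag_value}])
    return resp["User"]["Arn"]


def create_login_profile(iam, user_name, password):
    """Action 2: console login profile. PasswordResetRequired=True forces the
    user to replace the temporary password at first sign-in."""
    iam.create_login_profile(UserName=user_name, Password=password,
                             PasswordResetRequired=True)


def get_caller_identity(sts):
    """Action 3: the identity running the runbook (the post's "caller" output)."""
    return sts.get_caller_identity()


def build_slack_message(user_name, caller):
    """Action 4's message, the same f-string the post uses."""
    return f"New IAM user {user_name} added by {caller['Arn']}"


def run_runbook(iam, sts, slack_post, user_name="Test", tag_key="service",
                tag_value="devmongodb", post_to_slack=True):
    """Run the four Actions in order. post_to_slack plays the role of the
    Slack Action's Start Condition: False is the post's 1==0 trick."""
    user_arn = create_iam_user(iam, user_name, tag_key, tag_value)
    password = generate_temporary_password()
    create_login_profile(iam, user_name, password)
    caller = get_caller_identity(sts)
    message = build_slack_message(user_name, caller)
    posted = False
    if post_to_slack:  # Start Condition for the Slack Action
        slack_post(message)
        posted = True
    return {"user_arn": user_arn, "temporary_password": password,
            "caller_arn": caller["Arn"], "message": message, "slack_posted": posted}


# --- constructed fakes so the pipeline can be exercised offline -------------
class FakeIAM:
    """Records the calls a real boto3 IAM client would receive."""
    def __init__(self):
        self.calls = []

    def create_user(self, UserName, Tags):
        self.calls.append(("create_user", UserName, Tags))
        return {"User": {"Arn": f"arn:aws:iam::123456789012:user/{UserName}"}}

    def create_login_profile(self, **kwargs):
        self.calls.append(("create_login_profile", kwargs))
        return {}


class FakeSTS:
    """Returns a constructed get-caller-identity response."""
    def get_caller_identity(self):
        return {"UserId": "AIDAEXAMPLECALLER", "Account": "123456789012",
                "Arn": "arn:aws:iam::123456789012:user/runbook-operator"}


if __name__ == "__main__":
    posted = []
    result = run_runbook(FakeIAM(), FakeSTS(), posted.append)
    print(result["message"])  # New IAM user Test added by arn:aws:iam::123456789012:user/runbook-operator
```

For a live run, swap the fakes for `iam, sts = make_aws_clients()` and pass a function that posts to your Slack channel; the temporary password is returned so it can be handed over out of band, and the `PasswordResetRequired` flag means it is only good for the first sign-in.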

Slack Screenshot showing a new IAM user was added to AWS

Summary

In this post, we have begun our quest to automate AWS identity management using unSkript. In the next two posts, we’ll continue this journey:

  • Post 2 adds Policies to the new user (so they can actually have access to the services they need)
  • Post 3 will remove the user from the AWS environment, and discuss further ways to enhance the IAM lifecycle.

Interested in learning more? Check out our Docs and GitHub, or reach out in our Slack Community!
