iam-authorized-keys-command

Authenticate SSH connections with public keys stored in Amazon IAM.

Building

The AuthorizedKeysCommand is executed by sshd and there is no way to control the input arguments. You'll need to build this project yourself to configure it the way you want.

There are two symbols in the source that can be specified with build flags: iamGroup and sshUserName. The iamGroup variable let's you limit IAM user lookups to members of a particular group. The sshUserName let's you limit key lookups to a specific system user.

To build a binary that will only authenticate session for the ubuntu user you can run the following build command:

go build -ldflags "-X main.sshUserName=ubuntu"

To build a binary that will only load keys for users in a specific IAM group:

go build -ldflags "-X main.iamGroup=Engineers"

To build a binary for 64-bit linux:

GOOS=linux GOARCH=amd64 go build

IAM Role Permissions

This script needs the following policy to execute properly, so make sure you apply it to your EC2 Role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetGroup",
                "iam:ListUsers",
                "iam:GetSSHPublicKey",
                "iam:ListSSHPublicKeys"
            ],
            "Resource": "*"
        }
    ]
}

Configuring sshd

To configure sshd to use your compiled authorized keys command, add the following to /etc/ssh/sshd_config:

AuthorizedKeysCommand /path/to/compiled/binary
AuthorizedKeysCommandUser nobody

Then restart sshd:

service ssh restart

Why Go?

Because go is awesome! No seriously though, we're looking up a large number of users in IAM and doing so synchronously is really slow. Doing these lookups concurrently within a goroutine significantly decreases the amount of time it takes for this script to return.