mozilla-services / Userplex

Licence: mpl-2.0
Propagate users from Mozilla's Person API to third party systems.

Userplex

Propagate users from Mozilla's Person API to third party systems.

Installation

If you have Go v1.13+ installed, you can install userplex by running:

$ go get go.mozilla.org/userplex

Otherwise, you can get a binary from the releases section.

Configuration

There is an example configuration file in the repo at config.yaml:

# Configuration for using Mozilla's Person API
# https://github.com/mozilla-iam/cis/blob/master/docs/PersonAPI.md
person:
  person_client_id: "client_id"
  person_client_secret: "client_secret"
  person_base_url: "https://person_url.com"
  person_auth0_url: "https://auth0.com"

# Configuration for sending notifications. Will only be used
# if the module block has `notify_new_users` set to `true`.
notifications:
    email:
        # your smtp relay may require authentication (AWS SES does), so make
        # sure to set the parameters below to an authorized sender
        host: "email-smtp.us-east-1.amazonaws.com"
        port: 587
        from: "[email protected]"
        cc:   "[email protected]"
        replyto: "Something <[email protected]>"
        auth:
            user: "AKIAI3TZL"
            pass: "AoXAy......"


# AWS Module configuration section.
#
# You may have multiple AWS accounts configured, and all of them
# will be operated on. To grant different permissions per account,
# use `group_mapping` to map LDAP groups to different AWS IAM groups.
# Also note that if `group_mapping` has no `default` entry, a user
# without a matching group is simply ignored.
aws:
  - account_name: "myawsaccount"
    notify_new_users: true
    ignore_usernames:
      - legacy_user
    credentials:
        # if blank, will use the default aws credential flow
        access_key: AKIAnnnn
        secret_key: XXXXXXX
    # Used to translate LDAP usernames into "local usernames",
    # which are used as the username in AWS (or in whichever
    # module they are present in)
    username_map:
      - ldap_username: bkelso
        local_username: bob
      - ldap_username: tanderson
        local_username: neo
    group_mapping:
      - ldap_group: "sysadmins"
        iam_groups:
          - ldapmanaged
          - admin
      - ldap_group: "developers"
        iam_groups:
          - ldapmanaged
          - dev_only
      - default: true
        iam_groups:
          - ldapmanaged

# Authorized Keys Module configuration section.
#
# As with the AWS Module section, you can have multiple
# authorized keys paths configured. The core configuration
# here is the list of allowed `ldap_groups` and how the
# `path` is set up. You can use `{username}` or
# `{env:<ENV_VAR>}` within the path.
authorized_keys:
    - name: all_authorizedkeys
      # Used to translate LDAP usernames into "local usernames",
      # which are used as the username in authorized keys
      # (or in whichever module they are present in)
      username_map:
        - ldap_username: bkelso
          local_username: bob
        - ldap_username: tanderson
          local_username: neo
      ldap_groups:
        - sysadmins
        - developers
        - devssh
      # {username} will be replaced with the primary username for the user being created
      path: /data/puppet/modules/users/files/{username}/.ssh/authorized_keys
      # {env:ROOT_DIR} will be replaced with the env var $ROOT_DIR
      # path: /data/puppet/modules/users/files/{env:ROOT_DIR}/.ssh/authorized_keys

    - name: root_authorizedkeys
      ldap_groups:
        - sysadmins
      # Used to translate LDAP usernames into "local usernames",
      # which are used as the username in authorized keys
      # (or in whichever module they are present in)
      username_map:
        - ldap_username: tanderson
          local_username: neo
      path: /data/puppet/modules/users/files/root/.ssh/authorized_keys
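The `group_mapping` rules above decide which IAM groups a user ends up in, and a missing `default` entry is what keeps unmatched users out of the account entirely. The following Go snippet is an added illustration of that resolution logic, written for this page and not taken from the userplex code base; the struct and function names are assumptions, and the mapping data is constructed from the example config.

```go
package main

import "fmt"

// GroupMapping is one entry of an account's group_mapping list.
type GroupMapping struct {
	LDAPGroup string   // ldap_group; empty on the default entry
	Default   bool     // default: true
	IAMGroups []string // iam_groups
}

// ExampleMapping is constructed from the group_mapping in the config above.
var ExampleMapping = []GroupMapping{
	{LDAPGroup: "sysadmins", IAMGroups: []string{"ldapmanaged", "admin"}},
	{LDAPGroup: "developers", IAMGroups: []string{"ldapmanaged", "dev_only"}},
	{Default: true, IAMGroups: []string{"ldapmanaged"}},
}

// ResolveIAMGroups returns the union of iam_groups for every ldap_group the
// user is in, without duplicates. With no match the default entry applies;
// with no match and no default, ok is false and the user is skipped.
func ResolveIAMGroups(mapping []GroupMapping, ldapGroups []string) (groups []string, ok bool) {
	seen := map[string]bool{}
	add := func(iamGroups []string) {
		ok = true
		for _, g := range iamGroups {
			if !seen[g] {
				seen[g] = true
				groups = append(groups, g)
			}
		}
	}
	for _, m := range mapping {
		for _, g := range ldapGroups {
			if !m.Default && g == m.LDAPGroup {
				add(m.IAMGroups)
			}
		}
	}
	for _, m := range mapping {
		if m.Default && !ok {
			add(m.IAMGroups)
		}
	}
	return groups, ok
}

func main() {
	fmt.Println(ResolveIAMGroups(ExampleMapping, []string{"sysadmins", "developers"}))
}
```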

Usage

NAME:
   userplex - Propagate users from Mozilla's Person API to third party systems.

USAGE:
   userplex [global options] command [command options] [arguments...]

VERSION:
   v1.0.0

AUTHORS:
   AJ Bahnken <[email protected]>
   Julien Vehent <[email protected]>

COMMANDS:
   aws             Operations within AWS
   authorizedkeys  Operations within authorizedkeys files
   get-person      Get Person from Person API. Useful for finding the correct identifier
   help, h         Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --config value, -c value  Path to userplex config file [$USERPLEX_CONFIG_PATH]
   --help, -h                show help
   --version, -v             print the version

AWS Usage

$ userplex -c config-encrypted.yaml aws help
NAME:
   userplex aws - Operations within AWS

USAGE:
   userplex aws [global options] command [command options] [arguments...]

VERSION:
   v1.0.0

COMMANDS:
   create  Create user
   reset   Reset user credentials
   delete  Delete user
   sync    Run sync operation
   verify  Verify users against Person API. Outputs report, use `sync` to fix discrepancies.

GLOBAL OPTIONS:
   --help, -h  show help

$ userplex -c config-encrypted.yaml aws create [email protected]
INFO[0001] aws "example-aws-account": user "example-user" not found, needs to be created
Notify new users disabled, printing output.
Created new user: example-user
....

$ userplex -c config-encrypted.yaml aws delete [email protected]
INFO[0002] aws "example-aws-account": deleted user "example-user"

$ userplex -c config-encrypted.yaml aws verify
Users not in LDAP:
  * test-user

$ userplex -c config-encrypted.yaml aws sync
Users not in LDAP:
  * test-user
Would you like to remove these users from the example-aws-account AWS account?
  * test-user
(y/n): y

Authorized Keys Usage

$ userplex -c config-encrypted.yaml authorizedkeys help
NAME:
   userplex authorizedkeys - Operations within authorizedkeys files

USAGE:
   userplex authorizedkeys [global options] command [command options] [arguments...]

VERSION:
   v1.0.0

COMMANDS:
   create  Create user
   reset   Reset user credentials
   delete  Delete user
   sync    Run sync operation
   verify  Verify users against Person API. Outputs report, use `sync` to fix discrepancies.

GLOBAL OPTIONS:
   --help, -h  show help

$ userplex -c config-encrypted.yaml authorizedkeys create [email protected]
INFO[0000] Adding user example-user to /puppet/userplex-testing/ak/example-user/.ssh/authorized_keys
INFO[0000] creating "/puppet/userplex-testing/ak/example-user/.ssh/authorized_keys"
INFO[0000] 1 keys written into "/puppet/userplex-testing/ak/example-user/.ssh/authorized_keys"
INFO[0000] Adding user example-user to /puppet/userplex-testing/ak/root/.ssh/authorized_keys
INFO[0000] creating "/puppet/userplex-testing/ak/root/.ssh/authorized_keys"
INFO[0000] 1 keys written into "/puppet/userplex-testing/ak/root/.ssh/authorized_keys"

$ cat /puppet/userplex-testing/ak/example-user/.ssh/authorized_keys
ssh-rsa AAAAB3.... [email protected]

$ userplex -c config-encrypted.yaml authorizedkeys delete [email protected]
INFO[0000] removing "/puppet/userplex-testing/ak/example-user/.ssh/authorized_keys"
INFO[0000] removing "/puppet/userplex-testing/ak/root/.ssh/authorized_keys"

$ cat /puppet/userplex-testing/ak/example-user/.ssh/authorized_keys
cat: /puppet/userplex-testing/ak/example-user/.ssh/authorized_keys: No such file or directory

License

Mozilla Public License 2.0

Authors
