├── .gitignore ├── LICENSE ├── Makefile ├── README.md ├── configuration ├── README.md ├── __init__.py ├── config.yml └── initialise_config.py ├── deploy_cloudformation ├── bakery │ └── templates │ │ ├── bakery_account.tmpl │ │ ├── bakery_env.tmpl │ │ └── bakery_stack.tmpl ├── burger │ └── templates │ │ └── burger_account.tmpl ├── check_admin_access │ ├── README.md │ ├── check_admin_access.py │ └── check_admin_access.yml ├── deploy_bakery.yml ├── deploy_burger.yml └── deploy_check_admin_access.yml ├── docker ├── Dockerfile └── requirements.txt ├── python_lib ├── common.py ├── create_bakery_env_cf.py └── create_burger_account_cf.py ├── utils ├── README.md └── bootstrap_assume_script.py └── wiki_assets ├── bakery_assume.png ├── bakery_trust_burger.png ├── iam_assume_role.png └── iam_download_creds.png /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | assume.sh 3 | *.zip 4 | *.retry 5 | *.pyc 6 | .vscode 7 | 8 | /deploy_cloudformation/bakery/*.yml 9 | /deploy_cloudformation/burger/*.yml 10 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | # Copyright 2017 Insurance Australia Group Limited 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # 15 | export LOCATION_CORE=. 16 | export PYTHONPATH=$(LOCATION_CORE) 17 | 18 | AWS_DEFAULT_REGION=ap-southeast-2 19 | DOCKER_IMAGE=iam_bakery 20 | 21 | define HELP_TEXT 22 | Usage: make [TARGET]... 23 | Available targets: 24 | endef 25 | export HELP_TEXT 26 | help: ## help target 27 | @echo "$$HELP_TEXT" 28 | @awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / \ 29 | {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST) 30 | 31 | build-docker-image: 32 | @docker build -f docker/Dockerfile -t $(DOCKER_IMAGE) . 33 | 34 | create-bakery-cf: 35 | cp $(LOCATION_CORE)/deploy_cloudformation/bakery/templates/bakery_stack.tmpl $(LOCATION_CORE)/deploy_cloudformation/bakery/bakery_stack.yml 36 | cp $(LOCATION_CORE)/deploy_cloudformation/bakery/templates/bakery_account.tmpl $(LOCATION_CORE)/deploy_cloudformation/bakery/bakery_account.yml 37 | python $(LOCATION_CORE)/python_lib/create_bakery_env_cf.py 38 | 39 | deploy-bakery-cf: create-bakery-cf ## deploy bakery 40 | ansible-playbook $(LOCATION_CORE)/deploy_cloudformation/deploy_bakery.yml -vvv \ 41 | -e REGION=$(AWS_DEFAULT_REGION) \ 42 | -e AWS_ACCESS_KEY_ID \ 43 | -e AWS_SECRET_ACCESS_KEY \ 44 | -e AWS_SESSION_TOKEN \ 45 | -e prefix=$(prefix) \ 46 | -e bakery_cf_bucket=$(bakery_cf_bucket) 47 | 48 | # example: make deploy-bakery-cf-in-docker prefix=test- bakery_cf_bucket=test-bakery-cf 49 | deploy-bakery-cf-in-docker: build-docker-image ## deploy bakery in docker 50 | @docker run -i \ 51 | -v $(PWD):/data \ 52 | -e AWS_ACCESS_KEY_ID \ 53 | -e AWS_SECRET_ACCESS_KEY \ 54 | -e AWS_SESSION_TOKEN \ 55 | -e AWS_DEFAULT_REGION=$(AWS_DEFAULT_REGION) \ 56 | -e prefix=$(prefix) \ 57 | -e bakery_cf_bucket=$(bakery_cf_bucket) \ 58 | $(DOCKER_IMAGE) \ 59 | /bin/bash -c "make deploy-bakery-cf" 60 | 61 | deploy-check-admin-access-cf: ## deploy check admin access 62 | ansible-playbook $(LOCATION_CORE)/deploy_cloudformation/deploy_check_admin_access.yml -vvv \ 63 | -e REGION=$(AWS_DEFAULT_REGION) \ 64 | -e AWS_ACCESS_KEY_ID \ 65 | -e AWS_SECRET_ACCESS_KEY \ 66 | -e AWS_SESSION_TOKEN \ 67 | -e prefix=$(prefix) \ 68 | -e bakery_cf_bucket=$(bakery_cf_bucket) 69 | 70 | # example: make deploy-check-admin-access-cf-in-docker prefix=test- bakery_cf_bucket=test-bakery-cf 71 | deploy-check-admin-access-cf-in-docker: build-docker-image ## deploy check admin access in docker 72 | @docker run -i \ 73 | -v $(PWD):/data \ 74 | -e AWS_ACCESS_KEY_ID \ 75 | -e AWS_SECRET_ACCESS_KEY \ 76 | -e AWS_SESSION_TOKEN \ 77 | -e AWS_DEFAULT_REGION=$(AWS_DEFAULT_REGION) \ 78 | -e prefix=$(prefix) \ 79 | -e bakery_cf_bucket=$(bakery_cf_bucket) \ 80 | $(DOCKER_IMAGE) \ 81 | /bin/bash -c "make deploy-check-admin-access-cf" 82 | 83 | bootstrap-assume-script: ## creates assume.sh Usage: source assume.sh 84 | $$(which python) $(LOCATION_CORE)/utils/bootstrap_assume_script.py 85 | chmod +x assume.sh 86 | 87 | create-burger-cf: 88 | python $(LOCATION_CORE)/python_lib/create_burger_account_cf.py 89 | 90 | deploy-burger-cf: create-burger-cf ## deploy burger 91 | ansible-playbook $(LOCATION_CORE)/deploy_cloudformation/deploy_burger.yml -vvv \ 92 | -e REGION=$(AWS_DEFAULT_REGION) \ 93 | -e AWS_ACCESS_KEY_ID \ 94 | -e AWS_SECRET_ACCESS_KEY \ 95 | -e AWS_SESSION_TOKEN \ 96 | -e prefix=$(prefix) \ 97 | -e account_name=$(account_name) \ 98 | -e aws_env=$(aws_env) 99 | 100 | deploy-burger-cf-in-docker: build-docker-image ## deploy burger in docker 101 | @docker run -i \ 102 | -v $(PWD):/data \ 103 | -e AWS_ACCESS_KEY_ID \ 104 | -e AWS_SECRET_ACCESS_KEY \ 105 | -e AWS_SESSION_TOKEN \ 106 | -e AWS_DEFAULT_REGION=$(AWS_DEFAULT_REGION) \ 107 | -e prefix=$(prefix) \ 108 | -e account_name=$(account_name) \ 109 | -e aws_env=$(aws_env) \ 110 | $(DOCKER_IMAGE) \ 111 | /bin/bash -c "make deploy-burger-cf" 112 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Bakery and Burgers 2 | 3 | Bakery is a centralised AWS identity and access management solution to avoid the duplication of user accounts/policies across multiple AWS accounts. In a nutshell, you just use one AWS account (called Bakery) for managing IAM users and assign right policies to gain access to other AWS account(s) which we call Burgers. 4 | 5 | ## Terminologies 6 | 7 | - Bakery: An AWS Account to manage IAM Users and Groups. 8 | - Burger: An AWS Account where Bakery Users federate into. 9 | - AccessType: Level of access. Defaults are 'Admin', 'PowerUser', 'ReadOnly'. 10 | - Environment Groups: 11 | - These are AWS IAM Groups designated for each environment type. Defaults are 'Prod', 'NonProd', 'Mgmt' (aka Management) 12 | - Environment Groups use 'AccessType' for defining different level of access while forming IAM groups. 13 | 14 | ## Key Concepts 15 | 16 | - IAM Users and IAM Groups are created ONLY in Bakery Account 17 | - IAM Users are members of IAM Groups created in same Bakery Account 18 | - Bakery Account manages various privileged access to Burger Accounts 19 | - IAM policies assigned to IAM Group grants AssumeRole access to associated Burger Role 20 | 21 | ## Architectural overview 22 | 23 | ![architecture](wiki_assets/bakery_assume.png) 24 | 25 | As mentioned in the diagram above 26 | 27 | - The `NonProd Admin Group` is a [Bakery Environment Group](#bakery-environment-groups). A Bakery Environment Group is composed of an IAM Group and a STS Policy that is assigned to the group. The STS Policy gives privilege to assume AdminRole. 28 | - In this example any member in `NonProd Admin Group` can assume AdminRole in any Burger Account that belongs to NonProd Environment Group. 29 | 30 | ## How it works 31 | 32 | Bakery and Burger implementation is nothing but a process of delegating right level of access across multiple AWS accounts as mentioned in this [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html). 33 | 34 | Below are a few key steps which explains the workflow of Bakery 35 | 36 | 1. Firstly, a trust between two AWS accounts i.e. Bakery & Burgers is created. This process involves creation of IAM access policies & IAM roles. 37 | 38 | ![trust](wiki_assets/bakery_trust_burger.png) 39 | 40 | 2. IAM users get created in Bakery account with right level of access. The users can then download AWS access keys from Bakery account. 41 | 42 | ![creds](wiki_assets/iam_download_creds.png) 43 | 44 | 3. Using downloaded AWS credentials, IAM users can assume relevant role in Burger account. 45 | 46 | ![assume role](wiki_assets/iam_assume_role.png) 47 | 48 | ## Quickstart 49 | 50 | 1. Modify configuration/config.yml by adding the data relevant to you. Refer to config [README](configuration/README.md) for more information. 51 | 2. Setup Bakery AWS account 52 | 1. Ensure your Bakery AWS account's credentials are within the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables 53 | 2. Run the following commands from the root of the repo 54 | 55 | ```bash 56 | $ export bakery_cf_bucket= # Must be already created in your Bakery Account 57 | 58 | $ make deploy-bakery-cf-in-docker 59 | ``` 60 | 61 | This process will dynamically create CloudFormation templates and then deploy IAM groups along with policies using the newly created CloudFormation templates. 62 | 3. Setup Burger AWS account 63 | 64 | The below steps need to be run for each Burger account you want to assume roles into. 65 | 66 | 1. Ensure your Burger AWS account's credentials are within the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables 67 | 2. Run following commands from the root of the repo 68 | 69 | ```bash 70 | $ export account_name= # E.g. TestAccount 71 | 72 | $ export aws_env= # E.g. NonProd 73 | 74 | $ make deploy-burger-cf-in-docker 75 | ``` 76 | 77 | This process will dynamically create a CloudFormation template and then deploy IAM roles using the newly created CloudFormation template. 78 | 79 | 4. Create IAM Users in Bakery and grant appropriate access 80 | 1. This is a manual process of creating IAM users in your Bakery AWS Account 81 | 2. Once desired IAM users are created, you must associate them to designated [Environment Groups](#bakery-environment-groups) so that they get appropriate access level while assuming a role into Burger AWS Accounts 82 | 83 | ## Bakery Environment Groups 84 | 85 | Bakery Environment Groups (or Environments) are AWS account groupings. We group accounts depending on workloads, security requirements or account classification. 86 | Each group will have AssumeRole access to ```Access Type``` Roles in Burger Accounts. 87 | 88 | Default Bakery Environment Groups: 89 | * NonProd 90 | * Prod 91 | * Mgmt 92 | 93 | ## Access Types 94 | 95 | Access Types are types of access that a user can assume. 96 | 97 | Default Access Types: 98 | * Admin 99 | * PowerUser 100 | * ReadOnly 101 | 102 | ## CloudFormation Templates 103 | 104 | ### Bakery 105 | 106 | - Has tmpl files which are used to create the CloudFormation templates using config.yml for the source information 107 | - **bakery_stack** is the main stack that calls `bakery_account` and `bakery_env` nested stacks mentioned below 108 | - **bakery_account** is a nested stack created by **bakery_stack** which creates `AdminGroup` and `UserGroup` for managing Bakery Account 109 | - **bakery_env** is a nested stack created by **bakery_stack** which creates IAM Groups and IAM Policies according to Bakery Environment Groups and Access Types. 110 | - IAM User that belongs to the IAM Group will have Access Type privileges to Burger Accounts in the Bakery Environment Groups 111 | 112 | ### Burger 113 | 114 | - Has a tmpl file which is used to create the CloudFormation template using config.yml for the source information 115 | - **burger_account** stack is deployed to each Burger account you want to onboard. By default, it creates three IAM roles in Burger account, i.e. AdminRole, PowerUserRole and ReadOnlyRole. 116 | 117 | ## Customizability and Scalability 118 | 119 | We can scale the solution in three directions 120 | 121 | - Adding Bakery Environment Groups 122 | - Adding Burger Accounts 123 | - Adding Access Types 124 | 125 | # Check Admin Access 126 | 127 | Please view [README](deploy_cloudformation/check_admin_access/README.md) for for more information regarding Check Admin Access. 128 | 129 | # Utils 130 | 131 | Please view [README](utils/README.md) for command line helper tool to assume roles in burger accounts. 132 | -------------------------------------------------------------------------------- /configuration/README.md: -------------------------------------------------------------------------------- 1 | # Config.yml 2 | 3 | Config.yml is the heart of Bakery. This is the central place where you add your configuration details. Details such as AWS environments, AWS accounts, access types, etc. 4 | 5 | Once you have added your details, you can then deploy Bakery and Burger. Deployment involves creating CloudFormation templates, which use config.yml. 6 | 7 | Refer to [Quickstart](../README.md#quickstart) on how to deploy Bakery and Burger. 8 | -------------------------------------------------------------------------------- /configuration/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright 2017 Insurance Australia Group Limited 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # 15 | -------------------------------------------------------------------------------- /configuration/config.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2017 Insurance Australia Group Limited 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # 15 | --- 16 | TeamName: MyTeam 17 | BillingCode: BC1234 18 | BakeryAccount: "111111111111" 19 | 20 | # Used by Check Admin Access 21 | SlackChannel: "#" 22 | SlackChannelHookUrl: "https://hooks.slack.com/services/" 23 | AdminGroups: " e.g. MyTeamProdAdmin,MyTeamProdPowerUser" 24 | 25 | Environments: 26 | - Environment: NonProd 27 | Accounts: 28 | - Id: "222222222222" 29 | Name: NonProd 30 | - Id: "333333333333" 31 | Name: Stg 32 | - Environment: Prod 33 | Accounts: 34 | - Id: "444444444444" 35 | Name: Prod 36 | 37 | AccessTypes: 38 | - Type: Admin 39 | PolicyArn: arn:aws:iam::aws:policy/AdministratorAccess 40 | - Type: PowerUser 41 | PolicyArn: arn:aws:iam::aws:policy/PowerUserAccess 42 | - Type: ReadOnly 43 | PolicyArn: arn:aws:iam::aws:policy/ReadOnlyAccess 44 | -------------------------------------------------------------------------------- /configuration/initialise_config.py: -------------------------------------------------------------------------------- 1 | # Copyright 2017 Insurance Australia Group Limited 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # 15 | """ 16 | Module which accesses values from a config file and assigns them to a variable. 17 | """ 18 | from collections import namedtuple 19 | import yaml 20 | 21 | BakeryConfig = namedtuple( 22 | 'BakeryConfig', 23 | [ 24 | 'TeamName', 25 | 'BillingCode', 26 | 'BakeryAccount', 27 | 'SlackChannel', 28 | 'SlackChannelHookUrl', 29 | 'AdminGroups', 30 | 'Environments', 31 | 'AccessTypes' 32 | ] 33 | ) 34 | 35 | def load_config(file_name): 36 | """Loads the yml file. 37 | 38 | Args: 39 | file_name: Filename 40 | """ 41 | with open(file_name) as stream: 42 | try: 43 | return yaml.load(stream) 44 | 45 | except yaml.YAMLError as exc: 46 | print exc 47 | 48 | BAKERY_VARS = BakeryConfig(**load_config('configuration/config.yml')) 49 | -------------------------------------------------------------------------------- /deploy_cloudformation/bakery/templates/bakery_account.tmpl: -------------------------------------------------------------------------------- 1 | # Copyright 2017 Insurance Australia Group Limited 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # 15 | --- 16 | AWSTemplateFormatVersion: "2010-09-09" 17 | Description: Bakery account stack that creates IAM resources that manages Bakery account 18 | 19 | Parameters: 20 | 21 | TeamName: 22 | Description: Team name will be prefixed to all IAM resources 23 | Type: String 24 | 25 | Resources: 26 | 27 | BakeryAdminsGroup: 28 | Type: "AWS::IAM::Group" 29 | Properties: 30 | GroupName: !Sub '${TeamName}AwsBakeryAdmin' 31 | ManagedPolicyArns: 32 | - arn:aws:iam::aws:policy/AdministratorAccess 33 | 34 | BakeryUsersGroup: 35 | Type: "AWS::IAM::Group" 36 | Properties: 37 | GroupName: !Sub '${TeamName}AwsBakeryReadOnly' 38 | ManagedPolicyArns: 39 | - arn:aws:iam::aws:policy/IAMReadOnlyAccess 40 | 41 | BakeryUsersPolicy: 42 | Type: "AWS::IAM::ManagedPolicy" 43 | DependsOn: BakeryUsersGroup 44 | Properties: 45 | Description: This policy will allow group members to manage their passwords and MFA devices 46 | ManagedPolicyName: !Sub '${TeamName}AwsBakeryReadOnly' 47 | PolicyDocument: 48 | Version: "2012-10-17" 49 | Statement: 50 | - Sid: "AllowAllUsersToListAccounts" 51 | Effect: Allow 52 | Action: 53 | - iam:ListAccountAliases 54 | - iam:ListUsers 55 | - iam:GetAccountSummary 56 | Resource: "*" 57 | - Sid: "AllowIndividualUserToSeeAndManageOnlyTheirOwnAccountInformation" 58 | Effect: Allow 59 | Action: 60 | - iam:ChangePassword 61 | - iam:CreateAccessKey 62 | - iam:CreateLoginProfile 63 | - iam:DeleteAccessKey 64 | - iam:DeleteLoginProfile 65 | - iam:GetAccountPasswordPolicy 66 | - iam:GetLoginProfile 67 | - iam:ListAccessKeys 68 | - iam:UpdateAccessKey 69 | Resource: 70 | - !Join [ ":", [ "arn:aws:iam:", !Ref "AWS::AccountId", "user/${aws:username}" ] ] 71 | - Sid: "AllowIndividualUserToListOnlyTheirOwnMFA" 72 | Effect: Allow 73 | Action: 74 | - iam:ListVirtualMFADevices 75 | - iam:ListMFADevices 76 | Resource: 77 | - !Join [ ":", [ "arn:aws:iam:", !Ref "AWS::AccountId", "mfa/*" ] ] 78 | - !Join [ ":", [ "arn:aws:iam:", !Ref "AWS::AccountId", "user/${aws:username}" ] ] 79 | - Sid: "AllowIndividualUserToManageTheirOwnMFA" 80 | Effect: Allow 81 | Action: 82 | - iam:CreateVirtualMFADevice 83 | - iam:DeleteVirtualMFADevice 84 | - iam:RequestSmsMfaRegistration 85 | - iam:FinalizeSmsMfaRegistration 86 | - iam:EnableMFADevice 87 | - iam:ResyncMFADevice 88 | - iam:DeactivateMFADevice 89 | Resource: 90 | - !Join [ ":", [ "arn:aws:iam:", !Ref "AWS::AccountId", "mfa/${aws:username}" ] ] 91 | - !Join [ ":", [ "arn:aws:iam:", !Ref "AWS::AccountId", "user/${aws:username}" ] ] 92 | Groups: 93 | - !Ref BakeryUsersGroup 94 | -------------------------------------------------------------------------------- /deploy_cloudformation/bakery/templates/bakery_env.tmpl: -------------------------------------------------------------------------------- 1 | # Copyright 2017 Insurance Australia Group Limited 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # 15 | --- 16 | AWSTemplateFormatVersion: "2010-09-09" 17 | Description: Bakery stack that creates IAM resources that support federation for Environment Burger accounts 18 | 19 | Resources: 20 | 21 | {{groups_policies}} 22 | -------------------------------------------------------------------------------- /deploy_cloudformation/bakery/templates/bakery_stack.tmpl: -------------------------------------------------------------------------------- 1 | # Copyright 2017 Insurance Australia Group Limited 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # 15 | --- 16 | AWSTemplateFormatVersion: "2010-09-09" 17 | Description: Bakery stack that creates IAM resources that support federation for Burger accounts 18 | 19 | Parameters: 20 | 21 | TeamName: 22 | Description: Team name will be prefixed to all IAM resources 23 | Type: String 24 | 25 | CloudFormationS3Bucket: 26 | Description: The S3 bucket which stores the CloudFormation templates for the nested stacks 27 | Type: String 28 | 29 | Resources: 30 | 31 | BakeryAccount: 32 | Type: "AWS::CloudFormation::Stack" 33 | Properties: 34 | TemplateURL: !Sub "https://s3.amazonaws.com/${CloudFormationS3Bucket}/bakery_account.yml" 35 | Parameters: 36 | TeamName: !Ref TeamName 37 | 38 | BakeryEnvironment: 39 | Type: "AWS::CloudFormation::Stack" 40 | Properties: 41 | TemplateURL: !Sub "https://s3.amazonaws.com/${CloudFormationS3Bucket}/bakery_env.yml" 42 | -------------------------------------------------------------------------------- /deploy_cloudformation/burger/templates/burger_account.tmpl: -------------------------------------------------------------------------------- 1 | # Copyright 2017 Insurance Australia Group Limited 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # 15 | --- 16 | AWSTemplateFormatVersion: "2010-09-09" 17 | Description: Burger stack that creates IAM roles that can be federated with Bakery account 18 | 19 | Parameters: 20 | 21 | BakeryAccount: 22 | Description: Bakery AWS account that provides federation for Burger accounts 23 | Type: String 24 | Default: {{bakery_account}} 25 | 26 | AccountName: 27 | Description: Please enter Burger Account Name, e.g. NonProd, Stg, Mgmt, etc 28 | Type: String 29 | 30 | Environment: 31 | Description: Please enter NonProd, Prod or Mgmt 32 | Type: String 33 | AllowedValues: 34 | - NonProd 35 | - Prod 36 | - Mgmt 37 | 38 | Resources: 39 | 40 | {{access_type_roles}} 41 | -------------------------------------------------------------------------------- /deploy_cloudformation/check_admin_access/README.md: -------------------------------------------------------------------------------- 1 | # Check Admin Access 2 | 3 | ## Introduction 4 | 5 | Check Admin Access is an alerting tool which sends a Slack message informing you if there are any AWS IAM users who are members of AWS Admin IAM groups specified in [configuration/config.yml](../../configuration/config.yml). The value of **AdminGroups** within config.yml is used to identify the admin groups. 6 | 7 | We wanted to be alerted of "Principle of least privilege" IAM users who had Admin or PowerUser access to higher environments like Prod or Pre-Prod, and that is why we created this tool. 8 | 9 | This tool will come in handy to detect if any users have "higher access" than they might need. 10 | 11 | You may choose to deploy this tool, but it is not essential. 12 | 13 | ## Deployment 14 | 15 | An ansible playbook together with a CloudFormation template are used to deploy the components needed. The main components are CloudWatch event rule and Lambda function. 16 | 17 | ### Steps to Deploy 18 | 19 | 1. Ensure your Bakery AWS account's credentials are within the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables 20 | 2. Run the following commands from the root of the repo 21 | ```bash 22 | $ export bakery_cf_bucket= # Must be already created in your Bakery Account 23 | 24 | $ make deploy-check-admin-access-cf-in-docker 25 | ``` 26 | -------------------------------------------------------------------------------- /deploy_cloudformation/check_admin_access/check_admin_access.py: -------------------------------------------------------------------------------- 1 | # Copyright 2017 Insurance Australia Group Limited 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # 15 | """ 16 | Lambda function to send slack message with "noncompliant bakery users" with restricted access 17 | """ 18 | import os 19 | import json 20 | import logging 21 | from urllib2 import Request, urlopen, URLError, HTTPError 22 | 23 | import boto3 24 | 25 | LOGGER = logging.getLogger() 26 | LOGGER.setLevel(logging.INFO) 27 | 28 | def get_non_compliant_users(): 29 | """ Returns list of non compliant users i.e. users attached to restricted groups. 30 | 31 | Returns: 32 | non_compliant_users: list of users attached to restricted groups 33 | """ 34 | iam = boto3.client('iam') 35 | bakery_users = iam.list_users() 36 | non_compliant_users = [] 37 | 38 | for user in bakery_users['Users']: 39 | user_groups = iam.list_groups_for_user(UserName=user['UserName']) 40 | for group in user_groups['Groups']: 41 | if group['GroupName'] in os.environ["adminGroups"].split(","): 42 | non_compliant_users.append(user['UserName']) 43 | 44 | return non_compliant_users 45 | 46 | 47 | def send_slack_notification(non_compliant_users): 48 | """ Send slack notification with non compliant users list if applicable. 49 | 50 | Args: 51 | non_compliant_users: list of users attached to restricted groups 52 | """ 53 | # The Slack channel details to send a message to , are stored in the 54 | # 'slackChannel' and 'slackChannelHookUrl' environment variables 55 | slack_channel = os.environ['slackChannel'] 56 | hook_url = os.environ['slackChannelHookUrl'] 57 | 58 | if non_compliant_users: 59 | non_compliant_users = str(non_compliant_users).replace( 60 | "[", 61 | "" 62 | ).replace( 63 | "]", 64 | "" 65 | ).replace( 66 | "'", 67 | "" 68 | ) 69 | 70 | text = "Following user(s) are members of one of the following groups:\n{}".format( 71 | os.environ["adminGroups"].replace(",", "\n") 72 | ) 73 | 74 | fields = [ 75 | { 76 | 'title': "UserName(s)", 77 | 'value': non_compliant_users 78 | } 79 | ] 80 | color = "warning" 81 | 82 | else: 83 | text = "No Bakery users are members of the following groups:\n{}".format( 84 | os.environ["adminGroups"].replace(",", "\n") 85 | ) 86 | 87 | fields = [] 88 | color = "good" 89 | 90 | slack_message = { 91 | 'channel': slack_channel, 92 | 'attachments': [ 93 | { 94 | 'title': ":burger: Bakery Alert", 95 | 'text': text, 96 | 'color': color, 97 | 'fields': fields 98 | } 99 | ] 100 | 101 | } 102 | 103 | req = Request(hook_url, json.dumps(slack_message)) 104 | 105 | try: 106 | response = urlopen(req) 107 | response.read() 108 | LOGGER.info('Message posted to channel %s: \"%s\"', slack_message['channel'], 109 | slack_message['attachments'][0]['text']) 110 | 111 | except HTTPError as error: 112 | LOGGER.error("Request failed: %d %s", error.code, error.reason) 113 | 114 | except URLError as error: 115 | LOGGER.error("Server connection failed: %s", error.reason) 116 | 117 | 118 | def lambda_handler(event, context): 119 | """Main function. 120 | 121 | Args: 122 | event: Lambda event 123 | context: Lambda context 124 | """ 125 | LOGGER.info("Event: %s", str(event)) 126 | 127 | non_compliant_users = get_non_compliant_users() 128 | 129 | send_slack_notification(non_compliant_users) 130 | -------------------------------------------------------------------------------- /deploy_cloudformation/check_admin_access/check_admin_access.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2017 Insurance Australia Group Limited 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # 15 | --- 16 | AWSTemplateFormatVersion: "2010-09-09" 17 | Description: AWS stack for Checking and notifying users with "Admin acess" (ProdAdmin and ProdPowerUser) to Prod accounts. 18 | 19 | Parameters: 20 | 21 | Prefix: 22 | Description: Environment prefix 23 | Type: String 24 | AllowedPattern: '[a-z0-9-_]*' 25 | ConstraintDescription: "Must be lowercase. Hyphen and numbers allowed. No spaces." 26 | 27 | CheckSum: 28 | Description: Dynamically generated checksum value 29 | Type: String 30 | 31 | LambdaS3Bucket: 32 | Description: The S3 bucket which stores the lambda function python file 33 | Type: String 34 | 35 | SlackChannel: 36 | Description: Slack channel name to send notifications 37 | Type: String 38 | 39 | SlackChannelHookUrl: 40 | Description: Slack Channel Web Hook Url 41 | Type: String 42 | 43 | AdminGroups: 44 | Description: List of Admin groups to check 45 | Type: String 46 | 47 | RetentionInDays: # Using default 48 | Description: The number of days log events are kept in CloudWatch Logs 49 | Type: Number 50 | ConstraintDescription: Must be a valid retention in days Value 51 | Default: 30 52 | 53 | Resources: 54 | 55 | CheckAdminAccessRole: # Role which Lambda will use when executing lambda function triggered by Cloudwatch 56 | Type: AWS::IAM::Role 57 | Properties: 58 | RoleName: !Sub "${Prefix}Bakery-CheckAdminAccess" 59 | ManagedPolicyArns: 60 | - arn:aws:iam::aws:policy/IAMReadOnlyAccess 61 | AssumeRolePolicyDocument: 62 | Version: '2012-10-17' 63 | Statement: 64 | - Effect: Allow 65 | Principal: 66 | Service: 67 | - lambda.amazonaws.com 68 | Action: 69 | - sts:AssumeRole 70 | 71 | LoggingPolicy: # Logging policy for CheckAdminAccessRole 72 | Type: AWS::IAM::ManagedPolicy 73 | DependsOn: CheckAdminAccessRole 74 | Properties: 75 | ManagedPolicyName: !Sub "${Prefix}CheckAdminAccessLogs" 76 | PolicyDocument: 77 | Version: 2012-10-17 78 | Statement: 79 | - Effect: Allow 80 | Action: 81 | - logs:CreateLogGroup 82 | - logs:CreateLogStream 83 | - logs:PutLogEvents 84 | Resource: arn:aws:logs:*:*:* 85 | Roles: 86 | - !Sub "${Prefix}Bakery-CheckAdminAccess" 87 | 88 | CheckAdminAccess: # Lambda function send notifications to Slack 89 | Type: AWS::Lambda::Function 90 | Properties: 91 | FunctionName: !Sub "${Prefix}CheckAdminAccess" 92 | Description: "Python function to send admin users info to Slack" 93 | Handler: check_admin_access.lambda_handler 94 | Role: !GetAtt CheckAdminAccessRole.Arn 95 | Runtime: python2.7 96 | MemorySize: 512 97 | Timeout: 300 98 | Environment: 99 | Variables: 100 | slackChannel: !Ref SlackChannel 101 | slackChannelHookUrl: !Ref SlackChannelHookUrl 102 | adminGroups: !Ref AdminGroups 103 | Code: 104 | S3Bucket: !Ref LambdaS3Bucket 105 | S3Key: !Sub "check_admin_access.${CheckSum}.zip" 106 | 107 | LogGroupCheckAdminAccess: # Log group for Lambda function 108 | Type: "AWS::Logs::LogGroup" 109 | Properties: 110 | LogGroupName: !Sub "/aws/lambda/${Prefix}CheckAdminAccess" 111 | RetentionInDays: !Ref RetentionInDays 112 | 113 | CheckAdminAccessCloudWatchEvent: # Cloudwatch event scheduled to run 9am AEST (10pm GMT) 114 | Type: AWS::Events::Rule 115 | DependsOn: CheckAdminAccess 116 | Properties: 117 | Name: !Sub "${Prefix}CheckAdminAccess" 118 | Description: Triggers the CheckAdminAccess lambda function 119 | ScheduleExpression: "cron(0 22 * * ? *)" 120 | State: ENABLED 121 | Targets: 122 | - Id: "Target1" 123 | Arn: !GetAtt CheckAdminAccess.Arn 124 | 125 | CheckAdminAccessPermission: 126 | Type: AWS::Lambda::Permission 127 | DependsOn: CheckAdminAccess 128 | Properties: 129 | FunctionName: !Sub "${Prefix}CheckAdminAccess" 130 | Action: "lambda:InvokeFunction" 131 | Principal: "events.amazonaws.com" 132 | SourceArn: !GetAtt CheckAdminAccessCloudWatchEvent.Arn 133 | -------------------------------------------------------------------------------- /deploy_cloudformation/deploy_bakery.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2017 Insurance Australia Group Limited 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # 15 | --- 16 | - hosts: localhost 17 | connection: local 18 | 19 | vars: 20 | env: Prod 21 | application: Bakery 22 | launched_by: iam_user 23 | prefix: "" 24 | stack_name: "{{ prefix }}BakeryAccount" 25 | config_file: "../configuration/config.yml" 26 | 27 | tasks: 28 | - name: Include vars from config.yml 29 | include_vars: 30 | file: "{{ config_file }}" 31 | 32 | - name: "Upload CloudFormation templates to s3 bucket" 33 | s3: 34 | bucket: "{{ bakery_cf_bucket }}" 35 | object: "/{{ item }}" 36 | src: "{{ playbook_dir }}/bakery/{{ item }}" 37 | mode: put 38 | region: "{{ REGION }}" 39 | register: s3 40 | until: s3|success 41 | retries: 5 42 | delay: 10 43 | with_items: 44 | - bakery_env.yml 45 | - bakery_account.yml 46 | 47 | - name: "Run main CloudFormation template" 48 | cloudformation: 49 | stack_name: "{{ stack_name }}" 50 | state: present 51 | template: "{{ playbook_dir }}/bakery/bakery_stack.yml" 52 | tags: 53 | Environment: "{{ env }}" 54 | Billing Code: "{{ BillingCode }}" 55 | Application: "{{ application }}" 56 | Launched By: "{{ launched_by }}" 57 | template_parameters: 58 | TeamName: "{{ TeamName }}" 59 | CloudFormationS3Bucket: "{{ bakery_cf_bucket }}" 60 | region: "{{ REGION }}" 61 | 62 | - name: "Get Cloudformation stack info" 63 | cloudformation_facts: 64 | stack_name: "{{ stack_name }}" 65 | register: stack 66 | 67 | - name: "Get Ansible Facts for Cloudformation Stack" 68 | set_fact: 69 | output: "{{ stack.ansible_facts.cloudformation }}" 70 | 71 | - name: "Get Cloudformation Stack Status" 72 | set_fact: 73 | stack_status: "{{ output[item]['stack_description']['stack_status'] }}" 74 | with_items: "{{ stack_name }}" 75 | 76 | - fail: 77 | msg: "Build Failed. Stack status: {{ stack_status }}" 78 | when: 79 | - stack_status != "CREATE_COMPLETE" 80 | - stack_status != "UPDATE_COMPLETE" 81 | -------------------------------------------------------------------------------- /deploy_cloudformation/deploy_burger.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2017 Insurance Australia Group Limited 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # 15 | --- 16 | - hosts: localhost 17 | connection: local 18 | 19 | vars: 20 | env: Prod 21 | application: Bakery 22 | launched_by: iam_user 23 | prefix: "" 24 | stack_name: "{{ prefix }}BurgerAccount" 25 | config_file: "../configuration/config.yml" 26 | 27 | tasks: 28 | - name: Include vars from config.yml 29 | include_vars: 30 | file: "{{ config_file }}" 31 | 32 | - name: "Run main CloudFormation template" 33 | cloudformation: 34 | stack_name: "{{ stack_name }}" 35 | state: present 36 | template: "{{ playbook_dir }}/burger/burger_account.yml" 37 | tags: 38 | Environment: "{{ env }}" 39 | Billing Code: "{{ BillingCode }}" 40 | Application: "{{ application }}" 41 | Launched By: "{{ launched_by }}" 42 | template_parameters: 43 | AccountName: "{{ account_name }}" 44 | Environment: "{{ aws_env }}" 45 | region: "{{ REGION }}" 46 | 47 | - name: "Get Cloudformation stack info" 48 | cloudformation_facts: 49 | stack_name: "{{ stack_name }}" 50 | register: stack 51 | 52 | - name: "Get Ansible Facts for Cloudformation Stack" 53 | set_fact: 54 | output: "{{ stack.ansible_facts.cloudformation }}" 55 | 56 | - name: "Get Cloudformation Stack Status" 57 | set_fact: 58 | stack_status: "{{ output[item]['stack_description']['stack_status'] }}" 59 | with_items: "{{ stack_name }}" 60 | 61 | - fail: 62 | msg: "Build Failed. Stack status: {{ stack_status }}" 63 | when: 64 | - stack_status != "CREATE_COMPLETE" 65 | - stack_status != "UPDATE_COMPLETE" 66 | -------------------------------------------------------------------------------- /deploy_cloudformation/deploy_check_admin_access.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2017 Insurance Australia Group Limited 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # 15 | --- 16 | - hosts: localhost 17 | connection: local 18 | 19 | vars: 20 | env: Prod 21 | application: Bakery 22 | launched_by: iam_user 23 | prefix: "" 24 | stack_name: "{{ prefix }}CheckAdminAccess" 25 | config_file: "../configuration/config.yml" 26 | 27 | tasks: 28 | - name: Include vars from config.yml 29 | include_vars: 30 | file: "{{ config_file }}" 31 | 32 | # Generate new checksum on lambda function change 33 | - stat: 34 | path: "{{ playbook_dir }}/check_admin_access/check_admin_access.py" 35 | get_md5: yes 36 | register: output 37 | 38 | # Get checksum value 39 | - set_fact: 40 | checksum: "{{ output.stat.md5 }}" 41 | 42 | - name: "Create Lambda function zip file" 43 | archive: 44 | path: "{{ playbook_dir }}/check_admin_access/check_admin_access.py" 45 | dest: "{{ playbook_dir }}/check_admin_access/check_admin_access.{{ checksum }}.zip" 46 | format: zip 47 | 48 | - name: "Upload Lambda function zip file to s3 bucket" 49 | s3: 50 | bucket: "{{ bakery_cf_bucket }}" 51 | object: "check_admin_access.{{ checksum }}.zip" 52 | src: "{{ playbook_dir }}/check_admin_access/check_admin_access.{{ checksum }}.zip" 53 | mode: put 54 | region: "{{ REGION }}" 55 | register: s3 56 | until: s3|success 57 | retries: 5 58 | delay: 10 59 | 60 | - name: "Run main CloudFormation template" 61 | cloudformation: 62 | stack_name: "{{ stack_name }}" 63 | state: present 64 | template: "{{ playbook_dir }}/check_admin_access/check_admin_access.yml" 65 | template_parameters: 66 | Prefix: "{{ prefix }}" 67 | CheckSum: "{{ checksum }}" 68 | LambdaS3Bucket: "{{ bakery_cf_bucket }}" 69 | SlackChannel: "{{ SlackChannel }}" 70 | SlackChannelHookUrl: "{{ SlackChannelHookUrl }}" 71 | AdminGroups: " {{ AdminGroups }}" 72 | tags: 73 | Environment: "{{ env }}" 74 | Billing Code: "{{ BillingCode }}" 75 | Application: "{{ application }}" 76 | Launched By: "{{ launched_by }}" 77 | region: "{{ REGION }}" 78 | 79 | - name: "Get Cloudformation stack info" 80 | cloudformation_facts: 81 | stack_name: "{{ stack_name }}" 82 | register: stack 83 | 84 | - name: "Get Ansible Facts for Cloudformation Stack" 85 | set_fact: 86 | output: "{{ stack.ansible_facts.cloudformation }}" 87 | 88 | - name: "Get Cloudformation Stack Status" 89 | set_fact: 90 | stack_status: "{{ output[item]['stack_description']['stack_status'] }}" 91 | with_items: "{{ stack_name }}" 92 | 93 | - fail: 94 | msg: "Build Failed. Stack status: {{ stack_status }}" 95 | when: 96 | - stack_status != "CREATE_COMPLETE" 97 | - stack_status != "UPDATE_COMPLETE" 98 | -------------------------------------------------------------------------------- /docker/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM centos:latest 2 | 3 | RUN yum -y install epel-release && \ 4 | yum clean all && \ 5 | yum -y install python-pip make 6 | 7 | RUN pip install --upgrade pip 8 | 9 | COPY docker/requirements.txt . 10 | RUN pip install -r requirements.txt 11 | 12 | WORKDIR /data 13 | 14 | CMD ["/bin/bash"] 15 | -------------------------------------------------------------------------------- /docker/requirements.txt: -------------------------------------------------------------------------------- 1 | ansible==2.5.0 2 | boto3==1.7.4 3 | -------------------------------------------------------------------------------- /python_lib/common.py: -------------------------------------------------------------------------------- 1 | # Copyright 2017 Insurance Australia Group Limited 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # 15 | """ 16 | Module contains common functions used in other modules. 17 | """ 18 | import os 19 | 20 | def generate_file(file_path, content): 21 | """Creates a file with the specified content. 22 | 23 | Args: 24 | file_path: Path and filename 25 | content: The content to write into the file 26 | """ 27 | path = os.path.dirname(file_path) 28 | 29 | # If the path does not exist, create it 30 | if not os.path.exists(path): 31 | os.makedirs(path) 32 | 33 | # Remove the file if it exists 34 | if os.path.exists(file_path): 35 | print "Removing \"{}\"".format(file_path) 36 | os.remove(file_path) 37 | 38 | with open(file_path, "w") as filer: 39 | filer.write(content) 40 | 41 | def get_template(template_file): 42 | """Gets the content of the file. 43 | 44 | Args: 45 | template_file: Template path and filename 46 | 47 | Returns: 48 | Content of the specified file 49 | """ 50 | template = "" 51 | 52 | with open(template_file) as filer: 53 | template = filer.read() 54 | 55 | return template 56 | -------------------------------------------------------------------------------- /python_lib/create_bakery_env_cf.py: -------------------------------------------------------------------------------- 1 | # Copyright 2017 Insurance Australia Group Limited 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # 15 | """ 16 | Module for creating the bakery environment CloudFormation file. 17 | """ 18 | import os 19 | import common 20 | from configuration.initialise_config import BAKERY_VARS 21 | 22 | TEMPLATE_SOURCE = os.environ["LOCATION_CORE"] + \ 23 | "/deploy_cloudformation/bakery/templates/bakery_env.tmpl" 24 | 25 | TEMPLATE_DESTINATION = os.environ["LOCATION_CORE"] + "/deploy_cloudformation/bakery/bakery_env.yml" 26 | 27 | def get_roles(environment, access_type): 28 | """Gets the role arns for the specified environment and access type. 29 | 30 | Args: 31 | environment: Environment, e.g. NonProd, Prod, Stg 32 | access_type: Access type, e.g. Admin, PowerUser, ReadOnly 33 | 34 | Returns: 35 | String with the role arns 36 | """ 37 | roles = "" 38 | 39 | for account in environment["Accounts"]: 40 | if roles: 41 | roles += "\n" 42 | 43 | roles += "{}- arn:aws:iam::{}:role/{}-{}-{}".format( 44 | " " * 14, 45 | account["Id"], 46 | account["Name"], 47 | environment["Environment"], 48 | access_type 49 | ) 50 | 51 | return roles 52 | 53 | def get_groups_policies(): 54 | """Gets the CloudFormation snippet for IAM groups and IAM managed policies. 55 | 56 | Returns: 57 | String with the CloudFormation snippet for IAM groups and IAM policies. 58 | """ 59 | groups_policies = "" 60 | 61 | for environment in BAKERY_VARS.Environments: 62 | for access_type in BAKERY_VARS.AccessTypes: 63 | snippet = \ 64 | """ Group{1}{2}: 65 | Type: AWS::IAM::Group 66 | Properties: 67 | GroupName: {0}{1}{2} 68 | 69 | """.format(BAKERY_VARS.TeamName, environment["Environment"], access_type["Type"]) 70 | 71 | snippet += \ 72 | """ Policy{1}{2}: 73 | Type: AWS::IAM::ManagedPolicy 74 | Properties: 75 | ManagedPolicyName: {0}{1}{2} 76 | Description: This policy allows to assume a role 77 | Groups: 78 | - !Ref Group{1}{2} 79 | PolicyDocument: 80 | Version: "2012-10-17" 81 | Statement: 82 | - Effect: Allow 83 | Action: sts:AssumeRole 84 | Resource: 85 | __roles__ 86 | 87 | """.format( 88 | BAKERY_VARS.TeamName, 89 | environment["Environment"], 90 | access_type["Type"] 91 | ).replace( 92 | "__roles__", 93 | get_roles(environment, access_type["Type"]) 94 | ) 95 | 96 | groups_policies += snippet 97 | 98 | return groups_policies 99 | 100 | def main(): 101 | """Main function.""" 102 | template = common.get_template(TEMPLATE_SOURCE).replace( 103 | "{{groups_policies}}", 104 | get_groups_policies() 105 | ) 106 | 107 | common.generate_file(TEMPLATE_DESTINATION, template) 108 | 109 | if __name__ == "__main__": 110 | main() 111 | -------------------------------------------------------------------------------- /python_lib/create_burger_account_cf.py: -------------------------------------------------------------------------------- 1 | # Copyright 2017 Insurance Australia Group Limited 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # 15 | """ 16 | Module for creating the burger account CloudFormation file. 17 | """ 18 | import os 19 | import common 20 | from configuration.initialise_config import BAKERY_VARS 21 | 22 | TEMPLATE_SOURCE = os.environ["LOCATION_CORE"] + \ 23 | "/deploy_cloudformation/burger/templates/burger_account.tmpl" 24 | 25 | TEMPLATE_DESTINATION = os.environ["LOCATION_CORE"] + \ 26 | "/deploy_cloudformation/burger/burger_account.yml" 27 | 28 | def get_access_type_roles(): 29 | """Gets the CloudFormation snippet for IAM roles. 30 | 31 | Returns: 32 | String with the CloudFormation snippet for IAM roles. 33 | """ 34 | access_type_roles = "" 35 | 36 | for access_type in BAKERY_VARS.AccessTypes: 37 | snippet = \ 38 | " Role" + access_type["Type"] + """: 39 | Type: AWS::IAM::Role 40 | Properties: 41 | AssumeRolePolicyDocument: 42 | Statement: 43 | - Effect: Allow 44 | Principal: 45 | AWS: !Sub "arn:aws:iam::${BakeryAccount}:root" 46 | Action: sts:AssumeRole 47 | RoleName: !Sub "${AccountName}-${Environment}-""" + access_type["Type"] + "\"\n" + \ 48 | """ ManagedPolicyArns: 49 | - """ + access_type["PolicyArn"] + "\n\n" 50 | 51 | access_type_roles += snippet 52 | 53 | return access_type_roles 54 | 55 | def main(): 56 | """Main function.""" 57 | template = common.get_template(TEMPLATE_SOURCE).replace( 58 | "{{bakery_account}}", 59 | BAKERY_VARS.BakeryAccount 60 | ).replace( 61 | "{{access_type_roles}}", 62 | get_access_type_roles() 63 | ) 64 | 65 | common.generate_file(TEMPLATE_DESTINATION, template) 66 | 67 | if __name__ == "__main__": 68 | main() 69 | -------------------------------------------------------------------------------- /utils/README.md: -------------------------------------------------------------------------------- 1 | # Assume Role Script 2 | 3 | ## Run Bootstrap 4 | 5 | This will create the bash script for assuming roles in burger accounts. Based on your credentials, it will dynamically query what roles you can assume and creates the `assume.sh` bash script for day to day use. 6 | 7 | Ensure your Bakery AWS account's credentials are in the default section of `~/.aws/credentials`. 8 | 9 | ```bash 10 | $ make bootstrap-assume-script 11 | ``` 12 | 13 | > **Rerun bootstrap if your permissions have been changed in Bakery** 14 | 15 | ## Use assume.sh 16 | 17 | ```bash 18 | $ source assume [-h] {number} 19 | ``` 20 | 21 | ## Example 22 | 23 | * `source assume` 24 | * `source assume 0` 25 | * `source assume -h` 26 | -------------------------------------------------------------------------------- /utils/bootstrap_assume_script.py: -------------------------------------------------------------------------------- 1 | # Copyright 2017 Insurance Australia Group Limited 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # 15 | import boto3 16 | BAKERY_ENV_GROUPS = ['NonProd', 'Prod', 'Mgmt'] 17 | 18 | ASSUME_TEMP = """ 19 | #!/bin/bash 20 | #set -e 21 | 22 | if [ "$1" == "-h" ]; then 23 | echo "usage: source assume.sh [-h] {{number}} 24 | example: 25 | * source assume.sh 26 | * source assume.sh 0 27 | * source assume.sh -h 28 | where: 29 | {{number}} role number (optional) 30 | -h show this help text" 31 | return 32 | fi 33 | if [ "$#" -gt 0 ]; then 34 | user_option=$1 35 | else 36 | user_option="" 37 | fi 38 | roles=() 39 | role_num="" 40 | 41 | get_roles(){{ 42 | roles=({0}) 43 | }} 44 | 45 | interactivly_pick_role(){{ 46 | echo "Roles Available To Assume:" 47 | for i in "${{!roles[@]}}"; do 48 | printf "%s\t%s\\n" "$i" "${{roles[$i]}}" 49 | done 50 | echo Pick a role: 51 | read role_number 52 | role_num=$role_number 53 | }} 54 | 55 | assume_role(){{ 56 | local temp_role=$(aws sts assume-role --role-arn ${{roles[$1]}} --role-session-name assumeRoleSession --query Credentials.[AccessKeyId,SecretAccessKey,SessionToken] --output text) 57 | 58 | [ "$temp_role" ] || {{ echo "aws sts assume-role failed" ; return; }} 59 | 60 | export AWS_ACCESS_KEY_ID=$(echo $temp_role | awk '{{print $1}}') 61 | export AWS_SECRET_ACCESS_KEY=$(echo $temp_role | awk '{{print $2}}') 62 | export AWS_SESSION_TOKEN=$(echo $temp_role | awk '{{print $3}}') 63 | 64 | env | grep -i AWS_ 65 | }} 66 | 67 | clean_up(){{ 68 | unset user_option 69 | unset role_num 70 | unset roles 71 | }} 72 | 73 | pick_role(){{ 74 | get_roles || {{ echo "get_roles failed" ; return; }} 75 | 76 | re='^[0-9]+$' 77 | if ! [[ $user_option =~ $re ]] ; then 78 | interactivly_pick_role || {{ echo "interactivly_pick_role failed" ; return; }} 79 | else 80 | role_num=$user_option 81 | fi 82 | assume_role $role_num || {{ echo "assume_role failed" ; return; }} 83 | }} 84 | 85 | pick_role || {{ echo "pick_role failed" ; return; }} 86 | clean_up || {{ echo "clean_up failed" ; return; }} 87 | """ 88 | 89 | class AssumeRoleGenerator(object): 90 | 91 | def __init__(self): 92 | self._client = boto3.client("iam") 93 | self._resource = boto3.resource("iam") 94 | 95 | def generate_assume_role_script(self): 96 | """ 97 | This method generates the bash script to assume role 98 | """ 99 | with open('assume.sh', 'w') as filer: 100 | filer.write(self.generate_file(self.get_roles())) 101 | 102 | def generate_file(self, roles): 103 | return ASSUME_TEMP.format(" ".join(roles)) 104 | 105 | def get_roles(self): 106 | username = self.get_username() 107 | groups = self.get_groups(username) 108 | return self.get_assume_roles(groups) 109 | 110 | def get_username(self): 111 | return self._client.get_user().get('User', {}).get('UserName') 112 | 113 | def get_groups(self, username): 114 | return self._resource.User(username).groups.all() 115 | 116 | def get_assume_roles(self, groups): 117 | docos = [ 118 | self.get_policy_doco(p.arn, p.default_version_id) 119 | for g in self.get_bakery_group(groups.all()) 120 | for p in g.attached_policies.all() 121 | ] 122 | return self.get_roles_from_docos(docos) 123 | 124 | def get_policy_doco(self, arn, doco_version): 125 | return self._client.get_policy_version( 126 | PolicyArn=arn, 127 | VersionId=doco_version 128 | ) \ 129 | .get('PolicyVersion', {}) \ 130 | .get('Document') 131 | 132 | def get_bakery_group(self, groups): 133 | matchers = map(self.to_pascal_case, BAKERY_ENV_GROUPS) 134 | return [ 135 | g 136 | for g in groups 137 | if any(xs in g.arn for xs in matchers) 138 | ] 139 | 140 | def get_roles_from_docos(self, docos): 141 | return self.flatten_list([ 142 | self.get_resources_from_statement(r.get('Statement')) 143 | for r in docos 144 | ]) 145 | 146 | def get_resources_from_statement(self, statements): 147 | return self.flatten_list([s.get('Resource') for s in statements]) 148 | 149 | def flatten_list(self, init_list): 150 | return [ 151 | item 152 | for sublist in init_list 153 | for item in sublist 154 | ] 155 | 156 | def to_pascal_case(self, snake_str): 157 | components = snake_str.split('_') 158 | return "".join(x.title() for x in components) 159 | 160 | if __name__ == "__main__": 161 | AssumeRoleGenerator().generate_assume_role_script() 162 | -------------------------------------------------------------------------------- /wiki_assets/bakery_assume.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iagcl/bakery/c92c69cfdb6859a838db8cee2489eb7fcf8c69fa/wiki_assets/bakery_assume.png -------------------------------------------------------------------------------- /wiki_assets/bakery_trust_burger.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iagcl/bakery/c92c69cfdb6859a838db8cee2489eb7fcf8c69fa/wiki_assets/bakery_trust_burger.png -------------------------------------------------------------------------------- /wiki_assets/iam_assume_role.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iagcl/bakery/c92c69cfdb6859a838db8cee2489eb7fcf8c69fa/wiki_assets/iam_assume_role.png -------------------------------------------------------------------------------- /wiki_assets/iam_download_creds.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iagcl/bakery/c92c69cfdb6859a838db8cee2489eb7fcf8c69fa/wiki_assets/iam_download_creds.png --------------------------------------------------------------------------------