Wednesday, June 18, 2014

Uploading SSL certificates on ELB through AWS CLI without providing console access

In certain situations (for example, when you are hosting sites for your customers) you may not want your customers to send you their SSL certificates and private keys, for security reasons. Best practices dictate that private keys reside with the customers. In other cases, you could be hosting a site that your customer wants to CNAME to on their DNS server. Under those conditions, you don't want to handle the customer's SSL certificates and private keys. You could follow the steps below to have them upload the certs.


  • Create a temporary IAM user for your customer called "temp-cert-user" and assign it the custom IAM policy below:


{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Effect": "Allow",
   "Action": ["iam:*AccessKey*"],
   "Resource": "arn:aws:iam::<AWS_ACCOUNT_ID>:*"
  },
  {
   "Effect": "Allow",
   "Action": ["iam:UploadServerCertificate"],
   "Resource": "arn:aws:iam::*"
  }
 ]
}


  • Next, ask your customer to install the AWS CLI
  • From the customer's machine, ask them to add the AWS_ACCESS_KEY and AWS_SECRET_KEY to the $HOME/.aws/config file
  • Next, they can execute the command below

$ aws iam --profile <profile> upload-server-certificate --server-certificate-name test-cert --certificate-body file://testcert.pem --private-key file://testcertkey.pem --certificate-chain file://testcert.pem
{
    "ServerCertificateMetadata": {
        "Path": "/",
        "Arn": "arn:aws:iam::<AWS_ACCOUNT_ID>:server-certificate/test-cert",
        "ServerCertificateId": "ASC....QN7B4",
        "ServerCertificateName": "test-cert",
        "UploadDate": "2014-06-18T17:34:16.567Z"
    }
}
  • Now they can check whether the certificate was uploaded by using the get-server-certificate command
C:\certs>aws iam --profile tempcert get-server-certificate --server-certificate-name test-cert
{
    "ServerCertificate": {
        "CertificateChain": "-----BEGIN CERTIFICATE-----
                                        -----END CERTIFICATE-----",
        "CertificateBody": "-----BEGIN CERTIFICATE-----
                                        -----END CERTIFICATE-----",
        "ServerCertificateMetadata": {
            "Path": "/",
            "Arn": "arn:aws:iam::<AWS_ACCOUNT_ID>:server-certificate/test-cert",
            "ServerCertificateId": "ASC...QN7B4",
            "ServerCertificateName": "test-cert",
            "UploadDate": "2014-06-18T17:34:16Z"
        }
    }
}

NOTE - To authorize temp-cert-user to run get-server-certificate and delete-server-certificate, you have to modify the IAM policy to include the statements below:

  {
   "Effect": "Allow",
   "Action": ["iam:GetServerCertificate"],
   "Resource": "arn:aws:iam::*"
  },
  {
   "Effect": "Allow",
   "Action": ["iam:DeleteServerCertificate"],
   "Resource": "arn:aws:iam::*"
  }
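
The first statement of the policy above grants iam:*AccessKey* on every resource in the account, so it also covers the access keys of IAM users other than temp-cert-user. As an added example (not from the original post), the Python below compares the post's policy with a tighter variant using a simplified Allow-only matcher; the account ID, the "other-user" name and the SCOPED policy are assumptions made for illustration.

```python
import fnmatch

ACCOUNT = "111122223333"  # constructed placeholder account ID
ARN = f"arn:aws:iam::{ACCOUNT}:"

# Policy from the post, with the placeholder account ID filled in.
ORIGINAL = [
    {"Effect": "Allow", "Action": ["iam:*AccessKey*"],
     "Resource": ARN + "*"},
    {"Effect": "Allow", "Action": ["iam:UploadServerCertificate"],
     "Resource": "arn:aws:iam::*"},
]

# Assumed tighter variant (not from the post), scoped per resource type.
SCOPED = [
    {"Effect": "Allow",
     "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey",
                "iam:ListAccessKeys", "iam:UpdateAccessKey"],
     "Resource": ARN + "user/temp-cert-user"},
    {"Effect": "Allow",
     "Action": ["iam:UploadServerCertificate", "iam:GetServerCertificate",
                "iam:DeleteServerCertificate"],
     "Resource": ARN + "server-certificate/*"},
]

def allowed(statements, action, resource):
    """Simplified model: Allow statements with '*'/'?' wildcards only.
    Real IAM evaluation also applies Deny, conditions and boundaries."""
    for st in statements:
        # Action names are case-insensitive in IAM; resource ARNs are not.
        act_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                     for a in st["Action"])
        if (st["Effect"] == "Allow" and act_ok
                and fnmatch.fnmatchcase(resource, st["Resource"])):
            return True
    return False

REQUESTS = [  # constructed requests; "other-user" is a hypothetical IAM user
    ("iam:CreateAccessKey", ARN + "user/temp-cert-user"),
    ("iam:CreateAccessKey", ARN + "user/other-user"),
    ("iam:UploadServerCertificate", ARN + "server-certificate/test-cert"),
]

def compare():
    return [(a, r, allowed(ORIGINAL, a, r), allowed(SCOPED, a, r))
            for a, r in REQUESTS]

if __name__ == "__main__":
    for row in compare(): print(row)
```

Each printed row is (action, resource, allowed by the post's policy, allowed by the scoped policy). Because the matcher ignores Deny statements and conditions, confirm a real policy with the IAM policy simulator before handing out the keys.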
