Doesn't the client still need to know a long-lived secret (or a long-lived refresh token) in order to generate the ephemeral credentials?

One of the major benefits of ephemeral tokens is that they become less attractive to put into the code, and more attractive to put in a config file/vault that's easier to update and keep secret. This in itself is useful because it makes it less likely that it will be in some source file someone shows, or pushed to some remote repo that at some point has permissions allowed so people can see it.

We got rid of all IAM users used by applications and moved to role-based access. Nowhere in the application do you need to enter AWS credentials. AWS SDK will attempt to discover short-lived credentials for you and will assume the role specified at the infrastructure layer, e.g. in a task definition.

same here, but we still have IAM Users for service accounts. E.g. some customers have on premise infra that needs to talk to our services of infrastructure.

Do you know a way where RBAC can be used for the above?

For us, we're using long lived credentials in this space using IAM Users but with very tightly controlled authorisations.

"IAM Roles Anywhere" was announced just a couple of weeks ago. It might be applicable to your case.

https://aws.amazon.com/about-aws/whats-new/2022/07/aws-ident...

For my dev machine's interactions with AWS, I use https://github.com/99designs/aws-vault

You add the long lived IAM user API key/secret to it and it stores it in a password protected storage (MacOS keychain or similar).

Then you invoke aws-vault with an IAM role and command, and it will handle obtaining short-lived credentials scoped to that role (including TOTP 2-factor code auth), and then run the command with those temporary credentials as env vars.

With the right AWS permissions on your user, it can also automatically rotate the IAM user API keys for you.

I like your approach. So far I used profiles extensively. AWS_PROFILE is your friend. No idea why AWS doesn't heavily promote this everywhere they can.

AWS best practices is to use AWS SSO, which accomplishes this same effect but without any long-lived local credentials. It works really well.

Depending on your IdP there's a few tools in addition to AWS CLI v2 that works well in this space.

aws-vault is one of them, though out of support now, aws-okta [1] is another.

[1] https://github.com/segmentio/aws-okta

Used to use that a few years ago and it worked pretty well--you can also set it as a credential helper in your AWS config.

Just an FYI it's no longer supported and it looks like the fork has gone stagnant, too.

> No idea why AWS doesn't heavily promote this everywhere they can.

Not Invented Here

AWS SSO solves it better, and for any number of AWS accounts.

I still use aws-vault, though, when I'm not in a position to set up AWS SSO.

It can either use a secret injected into an env var to bootstrap rotating ephemeral/refresh tokens or use a role provided by the environment (which can also provide short lived tokens), depending on your runtime environment and use case (on prem, cloud, k8s, etc).

Static, long lived secrets with limited governance that have no conditional access guards are weapons of mass self destruction.

Keeping secrets in environmental variables has always seemed dodgy to me. Unless specifically cleared, they get inherited by all child processes. Maybe there are never any child processes in your application, or that could be desired behavior in some circumstances, but generally it seems like asking for trouble.

Its safety is proportional to your isolation model. Never use env vars for secrets when you’re executing arbitrary code, for example.

There's also the reverse issue - if they change after your process is started.

Refreshing an environment variable that has changed is (for me) a line I won't cross. Time to write the app a different way, once that becomes a concern.

Yes, but credentials should either be long lived with (very) limited scope _or_ short lived with required scope.

For example, for AWS you can create long lived credentials for users which are scoped to only allow one operation, namely obtaining a short lived token (with the aid of a hardware token such as a Yubikey) with scope to perform other operations.

AWS guide here: https://aws.amazon.com/blogs/security/enhance-programmatic-a...

You may also setup federated (trusted) relationships. For example, a GitHub Workflow can be trusted to assume an IAM role. In that scenario, there's no long lived secret in scope.

The oidc subject includes the GitHub org, repo, branch, and environment for the IAM assume role policy to match or filter.

I never heard about "ephemeral credentials" before your post. I have some Googling to do!

The other term of art is “dynamic secrets.”

https://www.vaultproject.io/use-cases/dynamic-secrets

Good lookin out, thanks for the link

It's essentially an access token with a very short expiry time.

This is not at all the takeaway from this. It's "this shitty developer should not have had access to this data in the first place". With a nuance of "this database probably shouldn't exist in this form in one place to begin with".

Speaking as an Asian American, no, let's not do that.

Ok; could you suggest an alternate? Would be handy to have a shorthand to refer to the incident

How you come up with a name is up to you and how you use it. Personally I would go with "July 2022 Shanghai National Police database leak" because I'm not having any conversation where a cute codename would be less confusing.

At work we codename security issues we are working on for Slack channels, etc. We use unrelated names that you could get from a name generator.

not their job. How about you come up with something catchy?

Shanghai'd is already a phrase that means something else, anyways.