Low-friction AWS credentials manager

Creddy: Low-friction AWS credential helper

Security at the expense of usability comes at the expense of security. - Avi Douglen

Creddy is an AWS credential helper that focuses on improving security without interrupting your workflow (much). It works by mimicking the AWS Instance Metadata Service and requesting your approval before granting any application access to your AWS credentials. Additionally, the credentials it hands out are short-lived session credentials rather than long-lived credentials, meaning that even if they are compromised, the damage that the attacker can do is limited.

What was wrong with all the existing AWS credential managers?

Most other AWS credential managers that I have seen differ from Creddy in two ways.

First, they require the user to be proactive instead of reactive, i.e. you must remember "this command will require AWS credentials" and invoke it in some special way. By contrast, Creddy waits patiently in the background until an application requests credentials, then asks for your approval before proceeding. In most cases, this requires only a couple of keystrokes, after which your original operation continues as invoked. This completely prevents the frustrating workflow of:

```sh
$ aws do-something-interesting
...
...
Unable to locate credentials. You can configure credentials by running "aws configure".
# a deep sigh of the most profound resignation
$ with-aws-credentials aws do-something-interesting
```

Second, other credential managers are mostly backed by the system credential store. While this may sound like a good idea, it has a critical weakness: By default, on most systems, a user's credentials are accessible to any process running as that user. In other words, if your quick nodejs script happens to depend on a compromised module, congratulations: you have just given that module access to your AWS account.

By contrast, Creddy encrypts your main long-lived AWS credentials with a passphrase (using libsodium's SecretBox) and, importantly, does not store that passphrase. Although this means that you, the user, must re-enter the passphrase every time Creddy needs to generate a new session, this is normally only necessary about once per day. In my own opinion, this is a worthwhile tradeoff.
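The approval-gated, IMDS-style exchange described above, as an added sketch in Python that is not Creddy's own code: an SDK-style client probes the `security-credentials` path, the server calls an `approve(client_address, path)` hook standing in for the user prompt, and only on a yes returns a credential document with an `Expiration`. The session values are constructed placeholders; binding to 169.254.169.254, IMDSv2 token handling and the STS call that mints real session credentials are omitted.

```python
import json
import threading
import urllib.error, urllib.request
from datetime import datetime, timedelta, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample session credentials (placeholders, not real AWS keys).
SAMPLE_SESSION = {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "EXAMPLE-SECRET",
                  "Token": "EXAMPLE-SESSION-TOKEN"}
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"  # path the SDKs probe
ROLE = "default"
TS = "%Y-%m-%dT%H:%M:%SZ"

def make_handler(approve, session_ttl=timedelta(hours=1)):
    """Build a handler; approve(client_address, path) is the user-approval hook."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path == CREDS_PATH:             # role listing: a single entry
                return self._reply(200, ROLE)
            if self.path != CREDS_PATH + ROLE:
                return self._reply(404, "not found")
            if not approve(self.client_address, self.path):  # nothing leaves without a yes
                return self._reply(403, "credential request denied")
            now = datetime.now(timezone.utc)
            body = dict(SAMPLE_SESSION, Code="Success", Type="AWS-HMAC",
                        LastUpdated=now.strftime(TS),
                        Expiration=(now + session_ttl).strftime(TS))
            self._reply(200, json.dumps(body))

        def _reply(self, status, text):
            data = text.encode()
            self.send_response(status)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
    return Handler

def serve(approve, port=0):
    """Start on loopback in a daemon thread; return (server, bound port)."""
    srv = HTTPServer(("127.0.0.1", port), make_handler(approve))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def fetch(port, path):
    """Client side: (status, body) as an SDK's metadata probe would see it."""
    try:
        with urllib.request.urlopen(f"http://127.0.0.1:{port}{path}") as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()
```

A denied or unknown request returns 403/404 with no credential material, so the client's usual "unable to locate credentials" path is what a refused prompt looks like from the application's side.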