
Show HN: Forwarding cloud credentials to remote machines in SSH-agent style

2 points| yuedongze | 1 month ago |github.com

I’m in the process of making my remote development environments truly secret-less. It means nothing sensitive is on the remote machine when I’m not using them. Access to all things becomes ephemeral only during an active session.

The first step is applying plain old ssh-agent forwarding for my GitHub credentials and anything that relies on remotely signing using a private key.

However, this is not the last step, as a lot of credentials are not backed by private keys but rather by OAuth credentials that don't fit in the agent forwarding framework SSH provides.

Therefore, I coded up a dead simple tool that just reads those cloud credentials using existing tooling and forwards them over an SSH session so they can be fetched on demand. I'm glad that cloud tools all support this external credential route, so it's really effortless to set this all up.

AWS works as of now; GCP should also be relatively straightforward once I figure out account impersonation from exported credentials.

Thought it would be interesting to share!
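As an added illustration of the pattern the post describes (this is example code written here, not the submitter's tool), the following sketch uses the AWS `credential_process` mechanism: the local machine serves short-lived credentials on a Unix socket, the socket is forwarded to the remote host with OpenSSH's Unix-socket remote forwarding (`ssh -R /tmp/awscreds.sock:/path/to/local.sock host`; both paths are assumed), and on the remote host `~/.aws/config` points `credential_process` at a small helper that reads the socket and prints the JSON the AWS CLI and SDKs expect. The sample credentials, the socket paths and the helper name `fetch-creds` are all constructed for the example; nothing is stored on the remote disk, and the SDK re-invokes the helper once `Expiration` passes, which is what makes access ephemeral.

```python
"""Added example: SSH-agent-style forwarding of AWS credentials via credential_process.

Local side : serve_once()  answers one request on a 0600 Unix socket.
Remote side: fetch()       reads the forwarded socket and returns the JSON
             document that `credential_process` must print (Version 1).
roundtrip() runs both halves in-process so the exchange can be shown offline.
"""
import json
import os
import socket
import sys
import tempfile
import threading

# Constructed sample. On a real local machine this would come from existing
# tooling, e.g. `aws configure export-credentials --format process`.
SAMPLE_CREDS = {
    "AccessKeyId": "ASIAEXAMPLE",
    "SecretAccessKey": "example-secret",
    "SessionToken": "example-session-token",
    "Expiration": "2030-01-01T00:00:00Z",
}


def to_credential_process(creds: dict) -> dict:
    """Shape credentials into the credential_process JSON contract.

    Temporary credentials must carry SessionToken and Expiration; the SDK
    re-runs the process after Expiration, so nothing long-lived ever lands
    on the remote host.
    """
    out = {
        "Version": 1,
        "AccessKeyId": creds["AccessKeyId"],
        "SecretAccessKey": creds["SecretAccessKey"],
    }
    if "SessionToken" in creds:
        out["SessionToken"] = creds["SessionToken"]
        out["Expiration"] = creds["Expiration"]  # required alongside a session token
    return out


def serve_once(sock_path: str, creds: dict, ready: threading.Event = None) -> None:
    """Local side: answer a single request on a Unix socket.

    Like ssh-agent, the socket is restricted to the owning user (mode 0600);
    the SSH session is what carries it to the remote machine.
    """
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    os.chmod(sock_path, 0o600)
    srv.listen(1)
    if ready is not None:
        ready.set()
    conn, _ = srv.accept()
    with conn:
        conn.sendall(json.dumps(to_credential_process(creds)).encode())
    srv.close()


def fetch(sock_path: str) -> dict:
    """Remote side (the credential_process helper): read one JSON document."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(sock_path)
        chunks = []
        while True:
            buf = c.recv(4096)
            if not buf:
                break
            chunks.append(buf)
    return json.loads(b"".join(chunks))


def roundtrip(creds: dict = SAMPLE_CREDS) -> dict:
    """Demonstrate the exchange with server and client in one process."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "creds.sock")
        ready = threading.Event()
        t = threading.Thread(target=serve_once, args=(path, creds, ready))
        t.start()
        ready.wait(5)  # do not connect before the server has bound the socket
        try:
            return fetch(path)
        finally:
            t.join(5)


if __name__ == "__main__":
    # Remote ~/.aws/config (assumed helper path):
    #   [profile forwarded]
    #   credential_process = /usr/local/bin/fetch-creds /tmp/awscreds.sock
    # With a socket path as argv[1] this acts as that helper; otherwise it
    # runs the offline round trip.
    result = fetch(sys.argv[1]) if len(sys.argv) > 1 else roundtrip()
    print(json.dumps(result))
```

Two caveats carry over from ssh-agent forwarding: OpenSSH will refuse to bind a remote Unix socket that already exists unless `StreamLocalBindUnlink yes` is set in the remote `sshd_config`, and anyone with root on the remote host can read the forwarded socket for as long as the session is open, so the credentials should be scoped and short-lived rather than treated as unreachable.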

1 comment


oriettaxx|1 month ago

Interesting subject, but I cannot understand what you mean by "truly secret-less".

With ordinary SSH, with a private/public key in .ssh, it is, isn't it? But you want to allow cloud credentials, so you do not want (you consider it a secret) to have a certificate on remote machines (as I do with cloudflare warp).