Waf Charm

Blog

WafCharm

How to switch to AssumeRole from access key/secret key

Table of Contents

  1. 1. Introduction
  2. 2. What is AssumeRole?
  3. 3. What is Credential Store?
  4. 4. Credential information before switching method
  5. 5. Prepare credential information for AssumeRole
  6. 6. Change Web ACL Config/Web Site Config
  7. 7. Conclusion

1. Introduction

We released Credential Store feature on 03/23/2023 (JST).
You can now use AssumeRole to give permissions to WafCharm in addition to the access key/secret key method we've been providing.

In this blog post, we will take a look at how to switch the authentication method from access key/secret key to AssumeRole for those who are already using WafCharm.

*With this release, the access key/secret key method is no longer recommended. We recommend using AssumeRole from now on.

2. What is AssumeRole?

AssumeRole publishes a temporary credential to give permissions to AWS resources.
It allows you to provide access permissions without giving out the access key/secret key.

AssumeRole - AWS Security Token Service

3. What is Credential Store?

Credential Store is a WafCharm feature that allows users to register credential information such as the ARN of the role to perform AssumeRole and access key/secret key.

Apart from the list of registered credential information, you can also see which Web ACL Config/Web Site Config is using which credential information.

Credential information can be registered from Credential Store, Web ACL Config, and Web Site Config.
*You need to prepare role ARN or access key/secret key beforehand.

Reference: About Credential Store

4. Credential information before switching method

If you are already using WafCharm, you have been using access key/secret key.
The registered information has been automatically incorporated into the Credential Store feature, and is registered with a name like "access_key."

Web ACL Config and Web Site Config also reference the registered access key/secret key.

To switch to AssumeRole, you first need to register Credential Store for AssumeRole and then change the referenced Credential Store in Web ACL Config/Web Site Config to the information for AssumeRole.

5. Prepare credential information for AssumeRole

If you want to switch to AssumeRole from access key/secret key, you need to create a role and register the information on WafCharm dashboard.

Below is the overall procedure.
For a detailed procedure on how to navigate in the AWS management console, please refer to About AssumeRole configuration and IAM policy.
*The blog post above is based on creating a new Web ACL Config, but the overall steps are the same.

1. Create a role in the AWS management console.

2. Register the ARN of the created role in WafCharm dashboard

Below is the information to enter in the dashboard.

  • Name: enter the name of the credential information (for management purposes)
  • Type: select Assume Role
  • Assume Role ARN: paste the ARN of the created role

3. Copy the Trust Policy provided by WafCharm and update the trust policy of the relevant role in the AWS management console.

Click on the Copy button to copy the JSON format Trust Policy provided by WafCharm.

4. Validate on the WafCharm dashboard.

Validate the credential on the WafCharm dashboard once you've saved the trust policy in the AWS management console.

The validation will fail if the trust policy in the AWS management console is not updated and WafCharm will not be able to apply the rules.

Please note that depending on the time it takes to reflect changes in the AWS management console, validation may fail even if you have updated the trust policy in AWS. In such a case, please wait for a little and then try validating again.
You will be taken back to the Credential Store page when you fail validation. If you want to revalidate your credential information, click the Validate button on the detail page of your Credential Store record.


5. Click the OK button to get back to the Credential Store page.

If the name of the registered credential information is shown on the page and the state is "Validated," the configuration is complete. Your resources can be authenticated by selecting the registered credential (in this case, WafCharm-test in the screenshot) in the Web ACL Config or Web Site Config.

6. Change Web ACL Config/Web Site Config

Once you have registered the credential to perform AssumeRole, you need to apply the changes to Web ACL Config and Web Site Config as well.

1. Click the name of the target Web ACL Config on the Web ACL Config page.

2. Click the Edit button.

3. Select the name of the registered credential information under the Credential Store and click the Save button.

4. Click the OK button when you've edited the Web ACL Config.

5. Open the Web Site Config page from the menu at the top of the screen and click the Setting button on the right side of the Web Site Config name you want to edit.

You can also click the FQDN of the Web Site Config to open the detail page to edit your Web Site Config.

6. Select the credential information name from the Credential Store dropdown menu and click the Save button.

*If you want to use a different credential information, you can select a different credential name.
*If you want to add new credential information, click the Add button on the right. For details on how to add new credential information, refer to About AssumeRole configuration and IAM policy.

7. Click the OK button when you've finished editing the Web Site Config.

When you've switched the credential information and you are not using the existing access key/secret key, you can delete the credential record.

To delete the credential record, open the detail page of the credential information on the Credential Store page and click the Delete button.

7. Conclusion

With the Credential Store feature release, you can use AssumeRole in addition to the existing access key/secret key method.

Some of you may be able to stop maintaining the access key/secret key by switching to AssumeRole.

We will continue to update and enhance WafCharm features.