HackerTrans
TopNewTrendsCommentsPastAskShowJobs

cnuss

no profile record

Submissions

Show HN: Deploy Hugging Face Models to AWS Lambda

github.com
1 points·by cnuss·2 वर्ष पहले·0 comments

Show HN: Run a Python Flask HTTP Server in AWS Lambda (w/Poetry)

github.com
3 points·by cnuss·2 वर्ष पहले·4 comments

Show HN: Run a Rust HTTP Server in AWS Lambda (Axum+Scaffoldly)

github.com
8 points·by cnuss·2 वर्ष पहले·0 comments

Show HN: Deploy Next.js Apps to AWS Lambda

scaffoldly.dev
14 points·by cnuss·2 वर्ष पहले·3 comments

Show HN: Tokenless Authentication to Kubernetes

docs.saml.to
1 points·by cnuss·3 वर्ष पहले·0 comments

Show HN: Get AWS Credentials in GitHub Codespaces

github.com
25 points·by cnuss·4 वर्ष पहले·0 comments

Ask HN: GitHub Actions Architecture for Workflow Orchestration?

4 points·by cnuss·4 वर्ष पहले·0 comments

Show HN: An easy way to assume AWS IAM roles on your Laptop or in GitHub Actions

saml.to
1 points·by cnuss·4 वर्ष पहले·2 comments

Show HN: Launch Localstack “as a service” with automatic termination

eph.dev
2 points·by cnuss·4 वर्ष पहले·0 comments

Show HN: TFstate.dev: Free Terraform State Storage Service Using a GitHub Token

github.com
3 points·by cnuss·4 वर्ष पहले·0 comments

Show HN: Stop Putting AWS Credentials in GitHub Secrets

github.com
88 points·by cnuss·4 वर्ष पहले·29 comments

Show HN: Saml.to: I've Turned GitHub into a SAML Identity Provider

saml.to
23 points·by cnuss·5 वर्ष पहले·6 comments

Show HN: Scaffoldly – Serverless APIs on AWS, in Minutes

start.scaffold.ly
26 points·by cnuss·5 वर्ष पहले·5 comments

Ask HN: Is there a create-react-app option that does as much as ngx-rocket?

1 points·by cnuss·5 वर्ष पहले·3 comments

Show HN: Dotenv-out: Combine .env file(s) into TypeScript/Shell/Dotenv formats

github.com
1 points·by cnuss·5 वर्ष पहले·0 comments

Poll/Discussion: What's consumed the most time getting started?

1 points·by cnuss·5 वर्ष पहले·0 comments

comments

cnuss
·2 वर्ष पहले·discuss
It's not publicly accessible, per-se..., there's a reverse proxy I've written

1. There's a Function URL that then creates a Lambda HTTP Event

2. There's a reverse proxy in the container that converts the Lambda HTTP Event back into a HTTP Request

3. Then the HTTP Respose is transformed back into a Lambda HTTP Event Response

@billconan if you'd like, join my Discord and I'd be happy dive into details and/or provide more docs: https://scaffoldly.dev/community
cnuss
·2 वर्ष पहले·discuss
Yup! Change the `handler` and `start` command:

``` handler = "localhost:5000" ... start = "poetry run flask --app flask_poetry run -p 12345" ```
cnuss
·2 वर्ष पहले·discuss
thanks don! here's the GH discussion on this topic: https://github.com/scaffoldly/scaffoldly/discussions/17
cnuss
·4 वर्ष पहले·discuss
thanks for the question!

this completely eliminates the need to juggle ~/.aws/* files, or downloading or generation of one or more web identity token files, or complicated trust to a single root account

using a single GitHub token identifying the user, the saml.to backend exchanges that token for the desired account and credentials simply based on providing the desired role name as input

zero knowledge on how to authenticate the aws cli is necessary, which I've found as a high friction point for administrators and developers to get right

let me know if you have any more questions or feedback!
cnuss
·4 वर्ष पहले·discuss
The GitHub token that is used is a short-lived token that is generated new every time a GitHub action is run.

Ref: https://docs.github.com/en/actions/security-guides/automatic...

And the SAML.to backend first checks to make sure the token is valid by invoking:

Ref: https://docs.github.com/en/rest/reference/apps#list-reposito...

I haven't checked, but I assume GitHub invalidates the token when the GitHub Action finishes
cnuss
·4 वर्ष पहले·discuss
hey hatware!

is that a question/comment for me?
cnuss
·4 वर्ष पहले·discuss
Thanks mdaniel for your observations!

I updated package.json!

On the note of the API endpoint. Yes that's correct, I've fashioned a backend API which handles converting of GitHub Repo Tokens to SAML Assertions: https://sso.saml.to/github/swagger.html#/IDP/AssumeRoleForRe...

And providing a static endpoint for SAML Metadata: https://saml.to/metadata

That being said, you're making my brain click a little bit and this could be converted into a "self contained" toy, with some additional work! The biggest piece of the puzzle is a consistent private key and certificate.

If that is of interest to you, could you create a GitHub Issue as a feature request?

Thanks!
cnuss
·4 वर्ष पहले·discuss
Thanks for the feedback SahAssar, sorry if the title caused any latent anxiety!

I'll heed your advice for the next time I post something on HN, thank you!
cnuss
·4 वर्ष पहले·discuss
They're both Identity Protocols, SAML is older and more widely adopted, OIDC is newer. Kinda the XML vs JSON battle at a Protocol level haha!

I've found a lot of SaaS providers only support SAML today, so you're stuck if you want to use GitHub identity outside of OIDC.
cnuss
·4 वर्ष पहले·discuss
This is awesome! thank you!
cnuss
·4 वर्ष पहले·discuss
Hey zomglings!

I'll echo what I just responded to nodesocket with, but I'd also love your feedback on my comment:

https://news.ycombinator.com/item?id=29986209
cnuss
·4 वर्ष पहले·discuss
Totally agree re: complexity. My goal is that a few config steps in a GitHub repository and AWS makes a GitHub action able to do a wide variety of things (such as accessing multiple accounts) with very little upstart work.

Storing Secrets in GitHub isn't technically insecure, and it's awesome it's provided as a free feature, but it's tedious and fragile. Someone (or something has to do various clicks and copy/pastes or API calls) to upload an access key into GitHub Secrets. It gets even worse if you have multiple accounts and then your Action Workflow file gets really gnarly if you simply pull credentials from ${{ secrets.* }}.

Also, if you need to rotate your AWS access tokens, you open up a whole new can of worms, so why not remove credentials all together!

Thanks for the question nodesocket, let me know if you have more questions or comments!
cnuss
·4 वर्ष पहले·discuss
Hey orf!

You are correct this GitHub action is at its core is very similar! Even though the initial instructions don't prescribe it, the biggest differentiator is that SAML.to supports a centralized permissions configuration across all repositories for a user, project or organization:

https://github.com/saml-to/assume-aws-role-action/blob/main/...

Also, this action is the tip of the iceberg of what SAML.to aims to provide (check out https://saml.to), for example:

- Store Role Assumption and Privileges as Code (the saml-to.yml config file) - A command line interface to login and assume roles - Free (or affordable) for small teams or individuals - Additional Automations, Webhooks, SCIM, etc

Let me know if you have any comments on this and thanks for the question!
cnuss
·5 वर्ष पहले·discuss
Hey brianr! thanks for the question

Let's actually use Rollbar as a use case since your HN profile says you're the co-founder, and Rollbar supports SAML !

Use case:

There's a set of developers on a project in GitHub, that also need to log into Rollbar. Rollbar would be added as a provider in the SAML.to Configuration File (hosted in GitHub). Developers that need to access Rollbar would also be listed in the configuration file with who should be allowed to Login to Rollbar.

Here's a sample of the config file: https://gist.github.com/cnuss/4966f227afdd6a134e74ad579c9c7c...

When "cnuss" or "brianr" needs to access Rollbar, they would run the command in their console

`npx saml-to login rollbar`

This command would obtain their GitHub identity, and open a browser window directly into Rollbar. "tonystark" would not be able to do this, since he's not listed.

Additionaly, in this config, AWS access is configured for role assumption, So brianr, cnuss, and tonystark can all log AWS using the command

`npx saml-to assume role/admin`

This command would open up a browser window in the AWS console with the role of "arn:aws:iam::01234567890:role/admin"!

Using two commands, developers were able to log into both AWS and Rollbar in seconds.

Also, with SAML.to Premium, listing individual users is unnecessary, and assigning them to teams and specifying the teams in the config eliminates the repetition of a list of users in the config file.

Let me know if you have any questions or comments!
cnuss
·5 वर्ष पहले·discuss
great question yodon!

generally speaking, no, there should be no security concerns checking this into a repo but some best practices would be recommended to follow: - make the repo private - protect the main branch - require PRs and # approvals and/or add CODEOWNERS - only allow individuals that need to edit with write/admin privileges - having anybody with read-only access to the repo is unnecessary since SAML.to does the reading on behalf of the users

if provisioning is needed, there would be a encrypted token for SCIM in the text of the file, but that token is encrypted by SAML.to AWS KMS, so checking an encrypted string into a file shouldn't be a huge concern for most

also, SAML.to Premium allows users to maintain their own PKI and allows administrators to encrypt and sign according to their organizations requirements!

on a final note, I'd entertain a feature request for "include" statements in the config file so CODEOWNERS could be leveraged nicely

that's all I can think of for now. I'll get these best practices into the docs and I'd entertain any and all suggestions or thoughts!
cnuss
·5 वर्ष पहले·discuss
Greetings Hackers!!

I've bridged GitHub OAuth and SAML 2.0 together, and made it easy to use with a CLI (`npx saml-to --help`). It's called SAML.to (https://saml.to).

I've built this to be a no/low-cost alternative to using Okta, OneLogin, or JumpCloud for SAML Logins.

Using SAML.to, a configuration file is placed in a GitHub repository that defines one or many Service Providers and Permissions to GitHub users, then logging in is as simple as running a command in your console:

npx saml-to login

Or for role assumption (like IAM roles):

npx saml-to assume

I'd love this community's feedback on this, please let me know what you think!

Cheers, cnuss

CLI: https://github.com/saml-to/cli Forums: https://github.com/saml-to/cli/discussions Documentation: https://docs.saml.to
cnuss
·5 वर्ष पहले·discuss
Thanks yodon, great feedback! I've aggregated a list here for easier discovery: https://docs.scaffold.ly/contributing/open-source-components
cnuss
·5 वर्ष पहले·discuss
Hey Everyone!

We've built Scaffoldly as an Open Source option to quickly start new projects in AWS, and cost effectively.

Scaffoldly Start (https://start.scaffold.ly) is the next iteration of our product, designed to quickly set up a new project on AWS using our Open Souce Tooling with Serverless APIs, GitHub Actions, Terraform, and Authentication.
cnuss
·5 वर्ष पहले·discuss
I've built a toolset and am putting the final touches on potentially exactly what you need, I'm looking for a few early adopters and some feedback

every API is serverless, typescript, openapi, has GitHub CI/CD, and runs locally and on AWS lambda

shoot me a message and I'd love to show you around: christian (at) scaffold.ly
cnuss
·5 वर्ष पहले·discuss
True, I'll put "bootstrap" in the extreme maybe area, especially since CSS frameworks are so easy to wire in.

My previous work with React found an huge need for other things, such as redux and redux-saga, and found myself wasting a lot of time wiring that up just to get some text to change in the HTML based on a remote API call, but, personally, as I'm comparatively a n00b with React, I'd really like be prescribed a foundational structure for a new project.