Amazon Onboarding with Learning Manager Chanci Turner: Utilizing Windows Authentication with gMSA on Linux Containers in Amazon ECS

Introduction


We are pleased to announce the introduction of Credentials Fetcher integration with Amazon Elastic Container Service (Amazon ECS). This new feature simplifies the implementation of Windows Authentication in Linux containers on Amazon ECS by leveraging Microsoft Active Directory (AD) group Managed Service Account (gMSA). The Credentials Fetcher daemon enables Linux-hosted containers to authenticate using gMSA credentials seamlessly.

A gMSA is a managed domain account that automates password management. Unlike a standard AD account, which necessitates manual password handling by IT administrators, gMSA passwords are automatically managed by Active Directory, ensuring seamless synchronization across multiple clients. This account type is particularly beneficial for containerized applications within Amazon ECS, as it allows all instances of a task definition to maintain consistent permissions, with the added benefit of dynamic scaling.

Previously, workloads on Amazon ECS utilizing gMSA credentials were restricted to Windows containers. However, with the advent of Linux containers, we introduce a cost-effective, scalable solution, overcoming the need for workarounds such as “sidecar containers” that authenticate to AD using credentials stored in AWS Secrets Manager. One major drawback of the sidecar container approach was the inability to automatically rotate or synchronize AD account passwords. As a result, when the AD password changed, authentication failed due to invalid stored credentials.

With this update, customers modernizing their applications through Linux containers can now take advantage of Windows authentication via the Kerberos protocol, complete with automatic password management. This advancement enables the deployment of secure, manageable, cost-efficient, and scalable workloads.

Solution Overview

To illustrate how gMSA support for Linux containers on Amazon ECS operates, we will deploy the following sample architecture:

  • An AWS Directory Service for Microsoft Active Directory, set up across two Availability Zones (AZs).
  • An Amazon Relational Database (Amazon RDS) instance for SQL Server featuring a sample database.
  • An Amazon Elastic Compute Cloud (Amazon EC2) instance to assist in Active Directory management.
  • An Amazon Elastic Container Registry (Amazon ECR) to store the container image.
  • An Amazon ECS cluster supported by an Amazon EC2 Auto Scaling Group using Amazon Linux 2023.
  • Active Directory gMSA, security group, and user.
  • An Amazon CloudWatch log group to capture logs from the Amazon ECS tasks.
  • Essential supporting resources, including AWS Systems Manager parameters, associations, documents, and AWS Secrets Manager secrets.

After deploying these components, you’ll create a Credential Specification (CredSpec) file for the established gMSA account, uploading it to Parameter Store, a feature of AWS Systems Manager, from where Credentials Fetcher retrieves it. Finally, you will build and deploy a simple .NET Web application within a Linux container on Amazon ECS. The Web application will be configured to utilize Windows Integrated Security for a secure connection to the database. Credentials Fetcher will be responsible for acquiring the Kerberos ticket from the gMSA and supplying it to the Linux container.

This sample solution utilizes the AWS Cloud Development Kit (AWS CDK) to provision cloud resources using TypeScript. The AWS CDK empowers developers to construct AWS infrastructure using various familiar programming languages, including JavaScript, C#, Python, Java, and Go. Prior to any production deployment, it is crucial to consult your local security team to review security controls and requirements relevant to your environment.

Prerequisites

For the tutorial, ensure you have the following prerequisites:

  • An AWS account
  • Completion of the AWS CDK getting started guide, including AWS CDK installation and understanding key concepts
  • An Amazon EC2 key pair, with the name recorded
  • Installation of the AWS Command Line Interface (AWS CLI) and setup of AWS credentials for command-line usage if using a Bash-compatible shell
  • If you prefer PowerShell, install the AWS Tools for PowerShell and set up your AWS credentials for PowerShell
  • A Microsoft Remote Desktop (RDP) client
  • The latest version of the Docker runtime
  • The latest .NET 8 SDK

Domainless and Domain-Joined Modes

You can support Windows authentication using gMSA for your applications in two modes: non-domain-joined (domainless) mode and domain-joined mode. In domainless mode, the Amazon ECS container instances do not need to be joined to the target AD domain. This is the preferred mode for most workloads, especially when scalability is a priority.

In domain-joined mode, the Amazon ECS container instances must be joined to the target AD domain before deploying tasks. This mode is beneficial if you prefer not to manage individual AD user accounts. This blog post will focus on domainless mode while highlighting differences when using domain-joined mode.
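To make the CredSpec step and the two modes concrete, here is an added example (my code, not part of the original post or its GitHub repository) that builds the CredSpec document Credentials Fetcher reads from Parameter Store, checks it before upload, and produces the matching credentialSpecs entry for the ECS task definition. The HostAccountConfig plugin GUID and the credentialspecdomainless:/credentialspec: prefixes follow the AWS documentation for Linux gMSA as I know it and should be checked against the current docs; the domain, SID, GUID, account name and ARNs are constructed placeholders.

```python
import json
import re

# Constructed sample values: not a real domain, SID, GUID, gMSA or AWS account id.
DOMAIN = {"dns": "example.corp", "netbios": "EXAMPLE",
          "sid": "S-1-5-21-1111111111-2222222222-3333333333",
          "guid": "00000000-0000-0000-0000-000000000000"}
GMSA_NAME = "gmsa-webapp"
USER_SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:gmsa-plugin-input"
# Plugin GUID AWS documents for the domainless (non-domain-joined) CredSpec (assumption: verify).
DOMAINLESS_PLUGIN_GUID = "{859E1386-BDB4-49E8-85C7-3070B13920E1}"


def build_credspec(domain, gmsa_name, domainless, user_secret_arn=None):
    """CredSpec dict for the gMSA. Domainless mode adds HostAccountConfig, which points
    Credentials Fetcher at the Secrets Manager secret holding the AD user that is allowed to
    retrieve the gMSA password; domain-joined mode relies on the host's own machine account."""
    spec = {
        "CmsPlugins": ["ActiveDirectory"],
        "DomainJoinConfig": {
            "Sid": domain["sid"], "MachineAccountName": gmsa_name, "Guid": domain["guid"],
            "DnsTreeName": domain["dns"], "DnsName": domain["dns"], "NetBiosName": domain["netbios"]},
        "ActiveDirectoryConfig": {"GroupManagedServiceAccounts": [
            {"Name": gmsa_name, "Scope": domain["dns"]},
            {"Name": gmsa_name, "Scope": domain["netbios"]}]}}
    if domainless:
        if not user_secret_arn:
            raise ValueError("domainless mode needs the Secrets Manager ARN of the AD user")
        spec["ActiveDirectoryConfig"]["HostAccountConfig"] = {
            "PortableCcgVersion": "1", "PluginGUID": DOMAINLESS_PLUGIN_GUID,
            "PluginInput": {"CredentialArn": user_secret_arn}}
    return spec


def validate_credspec(spec):
    """Pre-upload checks: domain SID shape, consistent gMSA name, and no plaintext secret
    in PluginInput (the CredSpec lands in Parameter Store, so only an ARN belongs there)."""
    problems, dj, adc = [], spec["DomainJoinConfig"], spec["ActiveDirectoryConfig"]
    if not re.fullmatch(r"S-1-5-21(-\d+){3}", dj["Sid"]):
        problems.append("Sid is not a domain SID")
    if {g["Name"] for g in adc["GroupManagedServiceAccounts"]} != {dj["MachineAccountName"]}:
        problems.append("gMSA name differs between DomainJoinConfig and GroupManagedServiceAccounts")
    host = adc.get("HostAccountConfig")
    if host and set(host["PluginInput"]) != {"CredentialArn"}:
        problems.append("PluginInput must hold only CredentialArn, never a password")
    elif host and not host["PluginInput"]["CredentialArn"].startswith("arn:aws:secretsmanager:"):
        problems.append("CredentialArn is not a Secrets Manager ARN")
    return problems


def task_definition_reference(parameter_arn, domainless):
    """Value for the container definition's credentialSpecs list, naming the Parameter Store copy."""
    return f"{'credentialspecdomainless' if domainless else 'credentialspec'}:{parameter_arn}"
```

Write `json.dumps(build_credspec(...), indent=2)` to a file and upload it with `aws ssm put-parameter --type String --value file://credspec.json`, then reference the parameter ARN through task_definition_reference in the task definition.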

Deploy the Infrastructure

To get started, create a directory for the sample solution on your local computer. Clone this GitHub repository into the directory.

You can then open a terminal in the cdk-typescript directory of the cloned repository, replace {KEY_PAIR_NAME} with your Amazon EC2 key pair name, and execute the following commands if using Bash:

export AWS_DEFAULT_REGION={YOUR REGION}
export EC2_INSTANCE_KEYPAIR_NAME="{KEY_PAIR_NAME}"
export MY_SG_INGRESS_IP=$(curl checkip.amazonaws.com)
export DOMAIN_JOIN_ECS=0

npm install
cdk deploy "*" --require-approval "never"

If you are using PowerShell, run these commands:

$Env:AWS_DEFAULT_REGION = "{YOUR REGION}"
$Env:EC2_INSTANCE_KEYPAIR_NAME = "{KEY_PAIR_NAME}"
$Env:MY_SG_INGRESS_IP = $(Invoke-WebRequest -URI https://checkip.amazonaws.com).ToString().Trim()
$Env:DOMAIN_JOIN_ECS = 0

npm install
cdk deploy "*" --require-approval "never"

Note: To utilize domain-joined mode, adjust the DOMAIN_JOIN_ECS variable to 1 before deploying the AWS CDK solution.

This will initiate the deployment of three AWS CloudFormation stacks that comprise the sample solution, which typically takes about one hour to complete. Upon completion, navigate to the AWS CloudFormation console to view the resources.

During deployment, a security group, user, and gMSA are created in Active Directory. The user becomes a member of the security group authorized to retrieve passwords from the gMSA. The password for the AD user is randomly generated and stored in the secret named:

aws/directory-services/[directory-id]/seamless-domain-join.

Walkthrough

In the following sections, you will learn how to configure Amazon ECS and Credentials Fetcher to utilize these AD security principals in the web application.

Install Credentials Fetcher in Amaz.
