These instructions aim to simplify those already laid out here.
The following assumes your AWS CLI has been pre-authenticated with an AWS account.
stack_id=$( \
aws cloudformation create-stack \
--stack-name ubuntu-docker-firefly \
--template-url https://ven-eco.s3.amazonaws.com/cfn/utils/cfn-jumpbox-ubuntu.yaml \
--parameters \
ParameterKey=VPC,ParameterValue= \
ParameterKey=PublicSubnet,ParameterValue= \
| jq .StackId --raw-output \
)
aws cloudformation wait stack-create-complete --stack-name ${stack_id}
instance_id=$( \
aws cloudformation describe-stacks \
--stack-name ${stack_id} \
--query 'Stacks[0].Outputs[?OutputKey==`InstanceId`].OutputValue' \
--output text \
)
aws ec2-instance-connect ssh --os-user ubuntu --instance-id ${instance_id}
At the ubuntu@ip-N-N-N-N:~$ prompt, install jwt-this and grpcurl.
curl -sLo jwt-this.zip https://github.com/tr1ck3r/jwt-this/releases/download/v1.0.1/jwt-this_linux.zip
sudo unzip -d /usr/local/bin -o jwt-this.zip
curl -sLo grpcurl.tgz https://github.com/fullstorydev/grpcurl/releases/download/v1.8.7/grpcurl_1.8.7_linux_x86_64.tar.gz
sudo tar -xvz --no-same-owner -C /usr/local/bin -f grpcurl.tgz grpcurl
Note this runs in the background, but you will need to scrape a few values from its initial output.
jwt-this --config-name "Demo Config" --policy-names "Demo Policy" &
Locate the values of "Token" and "JWKS URL" in the jwt-this initial output, and export it as follows:
export TOKEN=<put Token here>
export PRIVATE_IP=<extract IP address from JWKS_URL>
export JWKS_URL=http://${PRIVATE_IP}:8000/.well-known/jwks.json
curl ${JWKS_URL}
NOTE using envsubst to tailor the config file.
cat | envsubst > config.yaml << EOF
bootstrap:
selfSigned:
csr:
commonName: My Firefly
privateKey:
algorithm: ECDSA
size: 256
duration: 720h
trustRootDirectory: /etc/firefly/trust
signer:
inMemory: true
server:
grpc:
port: 8001
tls:
ipAddress: ${PRIVATE_IP}
graphql:
port: 8002
playground: true
tls:
ipAddress: ${PRIVATE_IP}
rest:
port: 8003
tls:
ipAddress: ${PRIVATE_IP}
authentication:
jwt:
jwks:
urls:
- ${JWKS_URL}
authorization:
configuration: Demo Config
policies:
- name: Demo Policy
keyUsages:
- digitalSignature
- keyEncipherment
extendedKeyUsages:
- SERVER_AUTH
keyAlgorithm:
allowedValues:
- EC_P256
- RSA_2048
defaultValue: EC_P256
validityPeriod: P7D
EOF
mkdir -p trust && chmod a+rwx trust
docker run -e ACCEPT_TERMS=Y -p 8001:8001 -p 8002:8002 -p 8003:8003 --cap-add=IPC_LOCK \
-v ${PWD}/config.yaml:/etc/firefly/config.yaml:ro \
-v ${PWD}/trust:/etc/firefly/trust:rw \
registry.venafi.cloud/public/venafi-images/firefly:latest \
run -c /etc/firefly/config.yaml &
sudo cat trust/firefly-*.pem | openssl x509 -text
grpcurl -insecure \
-rpc-header "authorization: Bearer ${TOKEN}" \
-d "{ \"request\":{ \"subject\":{ \"common_name\":\"my.demo.example\" }, \"alt_names\":{ \"dns_names\":[ \"my.demo.example\" ] }, \"key_type\":\"EC_P256\", \"policy_name\":\"Demo Policy\" } }" \
localhost:8001 certificates.service.v1alpha1.CertificateRequestService.Create
curl -s --insecure \
-H "authorization: Bearer ${TOKEN}" \
-H "content-type: application/json" \
-d "{ \"query\": \"mutation {certificateRequest(input: { subject:{ commonName:\\\"my.demo.example\\\" }, altNames:{ dnsNames:[ \\\"my.demo.example\\\" ] }, keyType:EC_P256, policyName:\\\"Demo Policy\\\" }) { certificateChain privateKey }}\" }" \
https://localhost:8002/query
curl -s --insecure \
-H "authorization: Bearer ${TOKEN}" \
-H "content-type: application/json" \
-d "{ \"subject\":{ \"commonName\":\"my.demo.example\" }, \"altNames\":{ \"dnsNames\":[ \"my.demo.example\" ] }, \"keytype\":\"EC_P256\", \"policyName\":\"Demo Policy\" }" \
https://localhost:8003/v1/certificaterequest