We built an authenticating proxy that integrates with step-kms

[andsens]

Hi there 👋

I hope this doesn't come off as spam. I just wanted to show off a tool we built that might be useful for others: https://github.com/orbit-online/step-plugin-kmsproxy

It's a local MITM proxy that uses step-kms to authenticate towards webservices using mTLS.
Since it's a standard proxy it works with all major OS'es, browser, and most CLI tools (even kubectl through the proxy-url setting in ~/.kube/config.yaml.

It's pretty fresh, so there are definitely some bugs that will need ironing out (e.g. haven't tested it on Windows & macOS yet and the install guide is Linux only for now). Most importantly, there are no tests atm.

The guide is aimed at workstations right now. It might also be useful for servers and the like, but I'll need to figure some usecases before it makes sense to mention that.

p.s.: Smallstep is awesome! Thank you for all the hard work ❤

[maraino]

Hi @andsens, thanks for letting us know, I will link to it somewhere. This is also very similar to something I started last year, but we haven't open-sourced yet. We released a binary for it for our Holiday Project https://smallstep.com/blog/2024-holiday-project/, although that's not the latest version.

Now that your plugin is open-source, perhaps I can try again to convince my team to open-source our step-proxy-plugin.

[andsens]

Oh nice! Yes, please do! We'd love to contribute to it :-)

[hslatman]

This is awesome, @andsens 🙂

[maraino]

Oh nice! Yes, please do! We'd love to contribute to it :-)

Let's see, ... one thing from your project that I would like to add is the PAC server, it wasn't in our use case, but we should add it.

[hslatman]

@andsens the kmsproxy plugin will be mentioned in a new section in the CLI readme: smallstep/cli#1447.

[andsens]

Sweet! 🥳