Question

Specifically, running a chain of postfix, dovecot and nginx to provide a "nice" mail service to (not so many) users. All services share Pluggable authentication module (PAM) as a possible authentication method. Currently, the system's "passwd" database is being used to auth against via PAM.

AWS Identity and Access Management (IAM) is a hard requirement. Therefore, any other service (like duosecurity) is not an option. Before I start to code a PAM module, I'm asking for your experience - how would you do it? Thanks!


Solution

This might not be what you are looking for, but certainly qualifies as a way to use IAM as an authentication "method" for PAM:

Denis Mikhalkin's (denismo) aws-iam-ldap-bridge periodically populates the LDAP directory location with the users, groups and roles from AWS IAM, which will in turn allow using libpam-ldap or libpam-ldapd and thereby implicitly authenticating the Linux users against AWS IAM using their AWS IAM Secret Keys as passwords.

Please note the following rather significant caveats:

  1. At the moment, the plugin requires a custom version of ApacheDS so manual configuration is unlikely - see Configuring an existing ApacheDS LDAP server
  2. The default configuration is INSECURE however you are free to alter it to your requirements - see Security notes

Personal Assessment

While a native IAM PAM integration would be great (and also enable advanced use cases like AWS Multi-Factor Authentication (MFA)), I like the pragmatic approach to just facilitate the widely used LDAP integration instead - still I would definitely prefer a solution that ideally works with any compliant LDAP server, or at least with a stock ApacheDS distribution, in order to ease installation, maintainability and security assessments.
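One way to sketch the synchronisation step the answer describes, as an added Python example that is not part of the answer or of aws-iam-ldap-bridge: it renders a constructed IAM user/group listing (shaped like boto3 `list_users`/`get_group` responses) as posixAccount/posixGroup LDIF for a pam_ldap-style directory. The base DN, the numeric id ranges and the hash-derived uid/gidNumber scheme are assumptions; no secret key is ever written into the directory.

```python
import hashlib

# Constructed sample data shaped like boto3 iam.list_users()["Users"] and
# iam.get_group()["Users"] results; no AWS call is made here.
SAMPLE_USERS = [
    {"UserName": "alice", "UserId": "AIDAEXAMPLEALICE0001"},
    {"UserName": "bob", "UserId": "AIDAEXAMPLEBOB000002"},
    {"UserName": "svc+backup", "UserId": "AIDAEXAMPLESVC000003"},
]
SAMPLE_GROUPS = {"ops": ["alice"], "dev": ["alice", "bob", "svc+backup"]}


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 rules)."""
    out = "".join("\\" + c if c in '\\,+"<>;=' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def stable_id(key, base, span):
    """Derive a uid/gidNumber from an IAM identifier so reruns stay consistent."""
    digest = hashlib.sha256(key.encode()).digest()
    return base + int.from_bytes(digest[:4], "big") % span


def iam_to_ldif(users, groups, base_dn="dc=example,dc=com"):
    """Render IAM users/groups as posixAccount/posixGroup LDIF entries.
    userPassword is deliberately omitted: the bridge on the page checks the
    IAM secret key at bind time, so no credential is stored in LDAP."""
    entries, seen = [], {}
    for u in sorted(users, key=lambda u: u["UserName"]):
        name, uidn = u["UserName"], stable_id(u["UserId"], 10000, 50000)
        if uidn in seen:  # hash range is small; refuse silent id reuse
            raise ValueError(f"uidNumber collision: {name} vs {seen[uidn]}")
        seen[uidn] = name
        entries.append("\n".join([
            f"dn: uid={escape_dn_value(name)},ou=People,{base_dn}",
            "objectClass: posixAccount", "objectClass: inetOrgPerson",
            f"uid: {name}", f"cn: {name}", f"sn: {name}",
            f"uidNumber: {uidn}", "gidNumber: 100",
            f"homeDirectory: /home/{name}", "loginShell: /bin/sh",
        ]))
    known = {u["UserName"] for u in users}
    for gname, members in sorted(groups.items()):
        lines = [f"dn: cn={escape_dn_value(gname)},ou=Groups,{base_dn}",
                 "objectClass: posixGroup", f"cn: {gname}",
                 f"gidNumber: {stable_id('group:' + gname, 60000, 5000)}"]
        lines += [f"memberUid: {m}" for m in members if m in known]  # drop unknown members
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"
```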

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow