Details
- Type: Task
- Status: Closed
- Priority: Major
- Resolution: Done
- Affects Version/s: None
- Fix Version/s: None
- Labels: None
- Story Points: 0.25
- Epic Link:
- Sprint: Spring 7 : 13 Apr to 24 Apr
Description
The "protected_variables.txt" file contains placeholders for:
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
Please confirm:
Are these the credentials the control node will use to create and configure the S3 bucket, EC2, etc.?
Please add clarification as a comment below.
Or, are these the credentials that will be used by the target EC2 App Store node to interact with the S3 bucket?
(The notes in the Google doc call these the "admin key" and "admin secret key", so I assume these are NOT going to be used by the target EC2.)
The variables mentioned in protected_variables.txt,
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
are specifically only going to be used for creation and provisioning purposes.
So that user will need creation admin privs on S3 and EC2, and modify privs on RDS...
##################################################################################################
For the purpose of the appstore EC2 speaking to its own S3 repo I have a simpler, secure suggestion.
Process 1
EC2 can be bound to S3 via roles; furthermore, each individual EC2 can be bound to an individual S3 bucket via group policy restrictions.
Advantages of using Process 1
Don't have to manage creds for each individual EC2 to access S3, or worry about compromising, editing or deleting a key entry.
How it works
Once an EC2 is granted a role for S3 access, S3 grants a temporary credential which keeps changing regularly as per AWS security policies. This credential can be found only on that EC2 via some command... Need to dig more to try this way out... I have done something similar in the past during my AWS training.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
Approach
One is via Python in Django via API calls.
The other one is that we can have a shell script that runs as a cron job in the background on the EC2, regularly, once the temp creds expire, which will write the new creds to the properties file; then we can maybe restart the Django application so it loads the new creds.
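As an added illustration of the temporary-credential refresh described in the comment above (this is not code from the ticket or the project): a small Python helper that reads the instance role's credentials from the EC2 instance metadata service (IMDSv2, following the paths in the AWS documentation linked above) and refreshes them before they expire, which is what boto3's default credential chain does internally when no static keys are configured. The role name, the 15-minute refresh margin and the injectable `fetch`/`now` hooks are assumptions for illustration; the hooks let the refresh logic run offline against a constructed response.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

IMDS = "http://169.254.169.254"          # EC2 instance metadata endpoint
REFRESH_MARGIN = timedelta(minutes=15)   # assumed: refresh this long before expiry


def fetch_role_credentials(role: str) -> dict:
    """Fetch the role's temporary credentials via IMDSv2 (session token first)."""
    req = urllib.request.Request(
        f"{IMDS}/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": "300"})
    token = urllib.request.urlopen(req, timeout=2).read().decode()
    req = urllib.request.Request(
        f"{IMDS}/latest/meta-data/iam/security-credentials/{role}",
        headers={"X-aws-ec2-metadata-token": token})
    return json.loads(urllib.request.urlopen(req, timeout=2).read())


def parse_expiration(cred: dict) -> datetime:
    """IMDS reports Expiration as ISO-8601 UTC with a trailing 'Z'."""
    return datetime.strptime(cred["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)


class RoleCredentials:
    """Caches the current credential set and re-fetches it shortly before expiry.

    `fetch` and `now` are hypothetical injection points so the logic can be
    exercised without a real instance; defaults talk to IMDS and the clock.
    """

    def __init__(self, role, fetch=fetch_role_credentials, now=None):
        self.role, self._fetch = role, fetch
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._cred, self._expires = None, None
        self.refreshes = 0   # how many times IMDS was consulted

    def current(self) -> dict:
        """Return AccessKeyId/SecretAccessKey/Token, refreshing if near expiry."""
        if self._cred is None or self._now() >= self._expires - REFRESH_MARGIN:
            cred = self._fetch(self.role)
            if cred.get("Code") != "Success":   # e.g. no role attached
                raise RuntimeError(f"IMDS returned {cred.get('Code')!r} for {self.role}")
            self._cred, self._expires = cred, parse_expiration(cred)
            self.refreshes += 1
        return {k: self._cred[k] for k in ("AccessKeyId", "SecretAccessKey", "Token")}
```

Because every SDK call goes through `current()`, nothing long-lived ever needs to be written to the properties file, so the cron-plus-restart step becomes unnecessary.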