The variables mentioned in protected_variables.txt
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
are specifically going to be only used for creation and provisioning purposes.
So that user will need creation admin privs on S3, EC2, modify privs on RDS...
##################################################################################################
For the purpose of appstore EC2 speaking to its own S3 repo I have a simpler and secure suggestion.
Process 1
Ec2 can be bound to S3 via roles
furthermore each individual Ec2 can be bound to individual S3 via group policy restrictions.
Advantages of using Process 1
Dont have to manage creds for each individual EC2 to access S3 and worrying about compromising or editing or deleting a key entry
How it works
once an Ec2 is granted a role for S3 access. S3 grants a temporary credential which keeps changing regularly as per AWS security policies. this credential can be found only on that EC2 via some command...Need to dig more to try this way out....I have done something similar in the past during my aws training.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
Approach
one is via python in django via api calls
other one is we can have a shell script that runs as a cron job in background on the EC2 regularly once temp creds expire that will write new cred to the properties file and then we can maybe restart the django application so it loads the new creds.
Task
Major
The variables mentioned in protected_variables.txt
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
are specifically going to be only used for creation and provisioning purposes.
So that user will need creation admin privs on S3, EC2, modify privs on RDS...
##################################################################################################
For the purpose of appstore EC2 speaking to its own S3 repo I have a simpler and secure suggestion.
Process 1
Ec2 can be bound to S3 via roles
furthermore each individual Ec2 can be bound to individual S3 via group policy restrictions.
Advantages of using Process 1
Dont have to manage creds for each individual EC2 to access S3 and worrying about compromising or editing or deleting a key entry
How it works
once an Ec2 is granted a role for S3 access. S3 grants a temporary credential which keeps changing regularly as per AWS security policies. this credential can be found only on that EC2 via some command...Need to dig more to try this way out....I have done something similar in the past during my aws training.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
Approach
one is via python in django via api calls
other one is we can have a shell script that runs as a cron job in background on the EC2 regularly once temp creds expire that will write new cred to the properties file and then we can maybe restart the django application so it loads the new creds.