IGBF-2331: Clarify: AWS credentials referenced in protected_variables.txt

    Details

    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels: None

      Description

      The "protected_variables.txt" file contains a placeholder for:

      AWS_ACCESS_KEY_ID
      AWS_SECRET_ACCESS_KEY

      Please confirm:

      Are these credentials the control node will use to create and configure the S3 bucket, EC2, etc.?

      Or, are these credentials that will be used by the target EC2 App Store node to interact with the S3 bucket?

      (The notes in the Google doc call these the "admin key" and "admin secret key", so I assume these are NOT going to be used by the target EC2.)

      Please add clarification as a comment below.


          Activity

          cdias1 Chester Dias (Inactive) added a comment -

          The variables mentioned in protected_variables.txt
          AWS_ACCESS_KEY_ID
          AWS_SECRET_ACCESS_KEY

          are specifically going to be used only for creation and provisioning purposes.
          So that user will need creation admin privs on S3 and EC2, and modify privs on RDS...

          ##################################################################################################
          For the purpose of the appstore EC2 speaking to its own S3 repo, I have a simpler and more secure suggestion.
          Process 1
          EC2 can be bound to S3 via roles;
          furthermore, each individual EC2 can be bound to an individual S3 via group policy restrictions.

          Advantages of using Process 1
          Don't have to manage creds for each individual EC2 to access S3, or worry about compromising, editing or deleting a key entry.

          How it works
          Once an EC2 is granted a role for S3 access, S3 grants a temporary credential which keeps changing regularly as per AWS security policies. This credential can be found only on that EC2 via some command... Need to dig more to try this way out... I have done something similar in the past during my AWS training.

          https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html

          Approach
          One is via Python in Django, via API calls.
          The other is a shell script that runs as a cron job in the background on the EC2, regularly, once the temp creds expire; it will write the new creds to the properties file, and then we can maybe restart the Django application so it loads the new creds.

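The comment above describes the instance-role model (temporary credentials served to the instance, rotated by AWS, refreshed before expiry) and a per-node bucket restriction. The following is an added example, not code from the IGB appstore playbooks or from the commenter: it parses the credential document the EC2 instance metadata service (IMDS) returns for an attached role, refreshes it a fixed margin before the `Expiration` time, and builds a policy that limits one role to one bucket. The sample IMDS document, the role and bucket names, and the 15-minute refresh margin are constructed for the example. In practice a Django app using boto3 needs none of this code: with no static keys configured, the SDK's default credential chain reads the same IMDS document and refreshes it automatically, so neither the cron job nor the application restart is required.

```python
"""Instance-role (temporary) credentials on an EC2 app node.

Added example: models the credential document that IMDS serves at
/latest/meta-data/iam/security-credentials/<role-name> and refreshes it
shortly before expiry instead of rotating static keys in a properties file.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

IMDS_BASE = "http://169.254.169.254/latest"
REFRESH_MARGIN = timedelta(minutes=15)   # assumed margin: refresh this long before expiry

# Constructed sample of the IMDS credential document (fake values, real field names).
SAMPLE_IMDS_DOC = json.dumps({
    "Code": "Success",
    "LastUpdated": "2024-01-01T00:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLE000000001",
    "SecretAccessKey": "example-secret-not-real",
    "Token": "example-session-token-not-real",
    "Expiration": "2024-01-01T06:00:00Z",
})


def parse_imds_credentials(body):
    """Validate the IMDS document and return the three STS values plus an aware expiry."""
    doc = json.loads(body)
    if doc.get("Code") != "Success":
        # IMDS answers with a non-Success Code when no role is attached or AssumeRole failed.
        raise RuntimeError("IMDS returned no credentials: %r" % doc.get("Code"))
    expiry = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "access_key": doc["AccessKeyId"],
        "secret_key": doc["SecretAccessKey"],
        "session_token": doc["Token"],    # mandatory: these are STS creds, not IAM user keys
        "expiration": expiry.replace(tzinfo=timezone.utc),
    }


def fetch_imds_credentials(role_name, timeout=2):
    """Live IMDSv2 fetch (only works on an EC2 instance): get a session token, then the document."""
    token_req = urllib.request.Request(
        IMDS_BASE + "/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": "300"})
    with urllib.request.urlopen(token_req, timeout=timeout) as resp:
        token = resp.read().decode()
    cred_req = urllib.request.Request(
        IMDS_BASE + "/meta-data/iam/security-credentials/" + role_name,
        headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(cred_req, timeout=timeout) as resp:
        return resp.read().decode()


class InstanceRoleCredentials:
    """Caches one credential document and re-fetches it when within REFRESH_MARGIN of expiry."""

    def __init__(self, fetch, now=None):
        self._fetch = fetch          # callable returning the IMDS JSON body
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._creds = None
        self.refresh_count = 0       # exposed so callers can see how often IMDS was hit

    def needs_refresh(self):
        return (self._creds is None
                or self._now() >= self._creds["expiration"] - REFRESH_MARGIN)

    def get(self):
        if self.needs_refresh():
            self._creds = parse_imds_credentials(self._fetch())
            self.refresh_count += 1
        return self._creds


def bucket_scoped_policy(bucket_name):
    """Least-privilege policy for one instance role: list one bucket, read/write its objects only.
    A second app node gets its own role and its own bucket."""
    arn = "arn:aws:s3:::" + bucket_name
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": arn},
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": arn + "/*"},
        ],
    }


if __name__ == "__main__":
    # Offline demo using the constructed document; on a real instance pass
    # lambda: fetch_imds_credentials("appstore-node-role") as the fetcher.
    provider = InstanceRoleCredentials(lambda: SAMPLE_IMDS_DOC)
    print(provider.get()["access_key"], "refreshes:", provider.refresh_count)
    print(json.dumps(bucket_scoped_policy("appstore-node-1"), indent=2))
```

Every call made with these credentials must send the session token as well as the key pair; a key pair copied out of the document without its token is rejected by AWS, which is one reason copying the values into a properties file is fragile.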
          ann.loraine Ann Loraine added a comment -

          The above explanation clarifies how the AWS credentials referenced in protected_variables.txt are being (or will be) used in the appstore playbooks.
          Moving this forward to "Closed".

          ann.loraine Ann Loraine added a comment -

          Re-assigning this Closed ticket to the original developer.


            People

            • Assignee: cdias1 Chester Dias (Inactive)
            • Reporter: ann.loraine Ann Loraine
            • Watchers: 2