
Add SSH certificate authentication method for connection via Bastion #22156

Merged
merged 1 commit into from
Aug 15, 2019

Conversation

binlab
Contributor

@binlab binlab commented Jul 21, 2019

In our company, we are using Hashicorp Vault together with Terraform for granting temporary credentials to developers and services. For example, when you need to run Terraform in a container as a service, you will need to give SSH access (password or RSA keys) for a short time (for deploying or redeploying) and then withdraw that access. Best practice says that secrets, tokens or keys should never leave the place where they were created. Ideally, the solution in this case will generate an RSA pair on the service and sign the public key with the Vault SSH Secrets Engine. SSH connection by certificate is already implemented in the 0.12.x versions of Terraform, but a certificate method for connections via a Bastion is missing. This PR adds the missing functionality to Terraform via a new parameter, bastion_certificate.
A short example of how we use this functionality:

resource "aws_instance" "vault" {
...
  connection {
    type        = "ssh"
    host        = self.private_ip
    port        = var.ec2_port
    user        = var.ec2_user
    agent       = false
    timeout     = "2m"
    private_key = file("~/.ssh/id_rsa")
    certificate = file("~/.ssh/id_rsa-cert.pub")

    bastion_host        = aws_instance.bastion.public_ip
    bastion_user        = var.bastion_user
    bastion_port        = var.bastion_port
    bastion_private_key = file("~/.ssh/id_rsa")
    bastion_certificate = file("~/.ssh/id_rsa-cert.pub")
  }
...
}
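As an added example (not part of this PR or of Terraform's own code), the following Python parser reads the OpenSSH certificate file that the configuration above passes as `certificate` and `bastion_certificate`, and shows the principals and validity window that the bastion's sshd will enforce. The sample certificate is constructed inside the block with placeholder key and signature bytes, so it is structurally valid but not signed by any real CA.

```python
import base64
import struct

CERT_TYPE = "ssh-rsa-cert-v01@openssh.com"


def _string(b, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", b[off:off + 4])
    return b[off + 4:off + 4 + n], off + 4 + n


def _pack(*items):
    """Encode byte strings as consecutive SSH wire-format strings."""
    return b"".join(struct.pack(">I", len(i)) + i for i in items)


def parse_ssh_cert(line):
    """Parse one `id_rsa-cert.pub` line into serial, type, key_id, principals and validity."""
    keytype, blob_b64 = line.split()[:2]
    b = base64.b64decode(blob_b64)
    inner, off = _string(b, 0)
    if keytype != CERT_TYPE or inner != CERT_TYPE.encode():
        raise ValueError("not an OpenSSH RSA user certificate")
    for _ in range(3):                      # skip nonce, RSA e, RSA n
        _, off = _string(b, off)
    serial, ctype = struct.unpack(">QI", b[off:off + 12])
    key_id, off = _string(b, off + 12)
    plist, off = _string(b, off)            # principals: nested wire-format strings
    after, before = struct.unpack(">QQ", b[off:off + 16])
    principals, p = [], 0
    while p < len(plist):
        name, p = _string(plist, p)
        principals.append(name.decode())
    return {"serial": serial, "type": ctype, "key_id": key_id.decode(),
            "principals": principals, "valid_after": after, "valid_before": before}


def cert_usable(cert, user, now):
    """True only if this is a user cert, `user` is a principal and `now` is inside the window."""
    return (cert["type"] == 1 and user in cert["principals"]
            and cert["valid_after"] <= now < cert["valid_before"])


def constructed_cert(principals, valid_after, valid_before):
    """Constructed cert line with placeholder key/signature bytes (not signed by any real CA)."""
    body = _pack(CERT_TYPE.encode(), b"nonce", b"\x01\x00\x01", b"\x00" + b"\x42" * 32)
    body += struct.pack(">QI", 7, 1)        # serial 7, type 1 = user certificate
    body += _pack(b"vault-dev-key", _pack(*[p.encode() for p in principals]))
    body += struct.pack(">QQ", valid_after, valid_before)
    body += _pack(b"", b"", b"", b"ca-key-placeholder", b"sig-placeholder")
    return CERT_TYPE + " " + base64.b64encode(body).decode() + " vault-signed"
```

Checking `valid_before` and the principal list before a run is what makes the short-lived access described above fail fast in Terraform rather than at the bastion.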

@dzirg44

dzirg44 commented Jul 31, 2019

Would be nice to have this functionality! 👍

@mildwonkey mildwonkey requested a review from a team July 31, 2019 14:37
@pselle pselle merged commit 901ec99 into hashicorp:master Aug 15, 2019
@ghost

ghost commented Sep 15, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Sep 15, 2019