Allow configuration of nonce for ec2 authentication #6953
Conversation
FWIW, you can also use iptables rules to restrict access to the EC2 instance metadata service to just root as well so that only root can access the credentials and authenticate with the IAM auth method.
What Joel said -- I think having this functionality is fine, but you're still better off using iptables and IAM, which regularly rotates credentials, than EC2, which almost never rotates credentials and where you have to deal with whitelists and so on.
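Joel's iptables suggestion above, as an added example (not code from the Vault project or this thread): an owner-match rule set that lets only root, or a listed set of UIDs (an assumption), reach 169.254.169.254, plus an audit function that checks an `iptables -S OUTPUT` listing for the right rules in the right order.

```shell
#!/bin/sh
# Added example, not from the Vault project: lock the EC2 instance metadata
# service (IMDS, 169.254.169.254) down to root with iptables owner matching,
# so only a root-owned Vault agent can fetch instance credentials. Assumes
# iptables with the owner match module; the UID list is an assumption.
IMDS=169.254.169.254

# Print the rules for the given space-separated UIDs (default: root only).
# Each rule is inserted at the top of OUTPUT, so they win over later ACCEPTs.
imds_rules() {
  uids=${1:-0}
  n=1
  for uid in $uids; do
    echo "iptables -I OUTPUT $n -d $IMDS -m owner --uid-owner $uid -j ACCEPT"
    n=$((n + 1))
  done
  # Anything else that tries to reach IMDS is rejected.
  echo "iptables -I OUTPUT $n -d $IMDS -j REJECT"
}

# Apply the rules (needs root). With DRY_RUN=1 the commands are only printed.
imds_apply() {
  imds_rules "$1" | while read -r cmd; do
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else sh -c "$cmd"; fi
  done
}

# Audit an `iptables -S OUTPUT` listing: succeeds only if an IMDS REJECT/DROP
# exists and every IMDS ACCEPT carries --uid-owner and precedes it.
imds_check() {
  printf '%s\n' "$1" | awk -v imds="$IMDS" '
    index($0, imds) == 0 { next }
    /-j ACCEPT/ { if (!/--uid-owner/ || seen_reject) bad = 1 }
    /-j (REJECT|DROP)/ { seen_reject = 1 }
    END { exit (bad || !seen_reject) ? 1 : 0 }'
}
```

Run `imds_check "$(iptables -S OUTPUT)"` on a host after applying the rules to confirm the lockdown is in place and not shadowed by an earlier unrestricted ACCEPT.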
command/agent/auth/aws/aws.go
@@ -155,6 +155,14 @@ func NewAWSAuthMethod(conf *auth.AuthConfig) (auth.AuthMethod, error) { | |||
a.lastCreds = creds | |||
|
|||
go a.pollForCreds(accessKey, secretKey, sessionToken, credentialPollIntervalSec) | |||
} else { |
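Review bot: the new `} else {` branch at the end of the hunk ties the nonce handling to whichever auth path is not the IAM credential-polling one, so the nonce should instead be read and validated together with the other configuration keys earlier in NewAWSAuthMethod, outside this branch; that keeps config parsing in one place and makes it possible to return an explicit error when a nonce is supplied with an auth type that does not use it, rather than leaving that combination to whatever the else path does.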
Even though it's not relevant for IAM I think this should still go up with the other config blocks instead of in an else block here.
I understand your points. We started with IAM first given the documented recommendation to use it. However, we make AMIs for our clients/tenants to use that use vault and consul-template. They kept forgetting to associate instance profiles with them and functionality would break. We changed our IAM policies to require that they launch instances with an instance profile. Then, we had to field a bunch of tickets when users couldn't figure out why they couldn't launch an instance. If it's not too much trouble, I'd appreciate this feature. It doesn't break functionality for anyone else.
Thanks
On Sat, Jun 22, 2019 at 3:48 PM Jeff Mitchell wrote:
What Joel said -- I think having this functionality is fine, but you're still better off using iptables and IAM, which regularly rotates credentials, than EC2, which almost never rotates credentials and where you have to deal with whitelists and so on.
@amdonov As I said, not opposed to this feature, but please address the review comment.
Thanks!
I'd like to be able to specify a nonce in the agent configuration file. Without this option, the agent cannot reauthenticate when the service/server restarts. I realize that I could allow reauthentication without the nonce, but that raises security concerns. Any user on the box can then authenticate as the server. Preventing this is my main reason for using ec2 authentication rather than IAM. By limiting access to the agent configuration file, I can limit access to root.