weixin_39737240
2020-12-09 12:36

Cleartext Secrets in Launch Configuration

While a cluster created by this quickstart is active, we're able to see redhat user information in cleartext within EC2 > Launch Configurations > User Data rather than this information being encoded in Base64 as we believe was intended. Screenshots attached. cae9c396 8b72b29f

This question comes from the open-source project: aws-quickstart/quickstart-redhat-openshift

10 replies

  • weixin_39594103 · 5 months ago

    As base64 is trivially decoded, using an SSM Parameter Store SecureString might be the way to go here.

  • weixin_39608394 · 5 months ago

    Actually, internally we do use SSM to store these params; we just fetch them to feed CF. Would it make sense to PR to make the QS get them from SSM?

  • weixin_39937312 · 5 months ago

    You could use an activation key instead of username and password.

    subscription-manager register --org orgname --activationkey AK

  • weixin_39594103 · 5 months ago

    I think a switch to SSM is a good fit (now that SecureString is supported). I'm working on the update to 3.11 and will try to get this change included.

  • weixin_39594103 · 5 months ago

    Let me know if you're already on it, and I'll focus my efforts on other improvements 😄

  • weixin_39608394 · 5 months ago

    Do you have a link to this activation key? We already have the update to 3.11; I'll try a PR today.

  • weixin_39937312 · 5 months ago

    The activation keys are created by the user on the web portal for Subscription Manager. A user logs in and creates an activation key. They can then use that key to register with the Satellite server/Subscription Manager without having to use their username/password. If using a Red Hat account, the link to create one is here: https://access.redhat.com/management/activation_keys

    In fact, the page will also tell the user the organization number that the user is in.

  • weixin_39594103 · 5 months ago

    Wouldn't leaking the activation key to logs/userdata be undesirable as well?

  • weixin_39747568 · 5 months ago

    It is a band-aid, yes. Whoever can get the activation key will be able to install and register RH server(s) unconditionally. At least the particular user credentials will be safe. But if SSM can be used, why not? After all, this is what it is meant for, right?

  • weixin_39594103 · 5 months ago

    Opted for feeding the existing parameters into Secrets Manager; the instances then fetch the values at runtime as needed. Once the CI completes and the commit is merged to the master branch, this issue will auto-close.

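Added example, not code from the quickstart or from any of the commenters: a bash sketch of the two points raised in this thread, that base64-encoded user data is trivially decoded (so a credential in a launch configuration is effectively cleartext), and that embedding only a secret identifier and fetching the value from Secrets Manager at boot keeps the credential out of the launch configuration. The sample user-data script, the `rhuser`/`Hunter2!` credential and the secret ARN are constructed placeholders; the generated boot script assumes the AWS CLI and python3 are present on the instance and that its instance profile is allowed `secretsmanager:GetSecretValue` on that one secret.

```shell
#!/usr/bin/env bash
# Added example (not the quickstart's own code).
set -eu

# Constructed sample of the cleartext pattern the issue reports: the
# credential is written straight into the instance user data.
SAMPLE_PLAIN='#!/bin/bash
subscription-manager register --username rhuser --password "Hunter2!" --auto-attach'

# Launch configurations carry user data base64-encoded; this is encoding,
# not encryption, so anyone who can read the launch configuration can read it.
encode_userdata() { printf '%s' "$1" | base64 | tr -d '\n'; }
decode_userdata() { printf '%s' "$1" | base64 -d; }

# Detection check for a review or CI step: decode the user data and flag a
# --password or --activationkey whose value is a literal rather than a shell
# variable expanded at boot ($VAR is allowed, "Hunter2!" is not).
userdata_has_cleartext_creds() {
  decode_userdata "$1" | grep -Eq -- '--(password|activationkey)[ =]+"?[^"$ ]'
}

# Hardened user data: the script only references the secret by ARN
# (placeholder), and the instance retrieves the value at boot. The secret is
# assumed to be a JSON object with "username" and "password" keys.
hardened_userdata() {
  local secret_id="$1"
  cat <<EOF
#!/bin/bash
set -euo pipefail
# Instance profile must grant secretsmanager:GetSecretValue on this secret only.
secret=\$(aws secretsmanager get-secret-value --secret-id "$secret_id" \\
           --query SecretString --output text)
rh_user=\$(printf '%s' "\$secret" | python3 -c 'import json,sys; print(json.load(sys.stdin)["username"])')
rh_pass=\$(printf '%s' "\$secret" | python3 -c 'import json,sys; print(json.load(sys.stdin)["password"])')
subscription-manager register --username "\$rh_user" --password "\$rh_pass" --auto-attach
unset rh_user rh_pass secret
EOF
}

# Stand-alone demonstration.
encoded=$(encode_userdata "$SAMPLE_PLAIN")
if userdata_has_cleartext_creds "$encoded"; then
  echo "FLAGGED: cleartext credential recovered from base64 user data"
fi
hardened=$(encode_userdata "$(hardened_userdata 'arn:aws:secretsmanager:us-east-1:123456789012:secret:placeholder-rh-creds')")
if ! userdata_has_cleartext_creds "$hardened"; then
  echo "OK: hardened user data carries only a secret reference"
fi
```

The detector is a cheap guardrail to run over `aws autoscaling describe-launch-configurations` output (or over templates in CI) rather than a substitute for moving the values into Secrets Manager or an SSM SecureString; note that it also flags a literal activation key, which the thread points out is only a partial improvement, since whoever reads it can still register systems against the account.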
