2 answers
Both are good options. S3 has been widely adopted for passing long credentials (e.g. keys) to CloudFormation stacks; however, there is another option now: KMS. Benefits of this approach include an audit trail of decryptions, automated rotation of password encryption, and not having to use an entire S3 bucket.
The following is an example of how KMS-encrypted content can be referenced from a Mapping, and of an IAM role used by the instance in question to decrypt the key:
"Mappings": {
  "KMSSecrets": {
    "GithubSSHKey": {
      "CMKRegion": "us-east-1",
      "CipherTextBlob": "CiAKP2NjuykOmiYWxqmifMaTak0q.........",
      "IAMRoleName": "tmaddox-githubconsumer"
    }
  }
},
"Resources": {
  "IAMInstanceProfileWWW": {
    "Properties": {
      "Path": "/",
      "Roles": [{"Fn::FindInMap": ["KMSSecrets", "GithubSSHKey", "IAMRoleName"]}]
    },
    "Type": "AWS::IAM::InstanceProfile"
  },
  "WWWAdminServer": {
    "Metadata": {
      "AWS::CloudFormation::Init": {"config": {"packages": {"yum": {
        "git": []
      }}}}
    },
    "Properties": {
      "IamInstanceProfile": {"Ref": "IAMInstanceProfileWWW"},
      ...
      "UserData": {"Fn::Base64": {"Fn::Join": ["", [
        "#!/bin/bash\n",
        "# Abort on any failure so a failed decrypt never falls through to the clone step\n",
        "set -euo pipefail\n",
        "# Files created below (including the decrypted key) are owner-only from the moment they exist\n",
        "umask 077\n",
        "yum update -y\n",
        "echo -e \"\n### Running cfn-init\"\n",
        "/opt/aws/bin/cfn-init",
        " -s ", {"Ref": "AWS::StackName"},
        " -r WWWAdminServer",
        " --region ", {"Ref": "AWS::Region"},
        "\n",
        "",
        "echo -e \"\n### Saving Github's SSH Host Key\"\n",
        "# Pinned host key as posted. GitHub rotated its RSA host key in March 2023, so check this value against GitHub's published fingerprints before use\n",
        "GITHUB_HOST_KEY='github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=='\n",
        "mkdir -p /root/.ssh && chmod 700 /root/.ssh\n",
        "touch /root/.ssh/known_hosts\n",
        "# Append only if the exact line is absent (-F literal, -x whole line); the previous 'grep -v' test appended on every boot\n",
        "grep -qxF \"$GITHUB_HOST_KEY\" /root/.ssh/known_hosts || echo \"$GITHUB_HOST_KEY\" >> /root/.ssh/known_hosts\n",
        "",
        "echo -e \"\n### Fetching code\"\n",
        "# The mapping holds the KMS ciphertext base64-encoded; restore the binary blob for fileb://\n",
        "echo '", {"Fn::FindInMap": ["KMSSecrets", "GithubSSHKey", "CipherTextBlob"]}, "'",
        " | base64 -d > /root/.ssh/github.pem.encrypted\n",
        "# Decrypt with the instance role's credentials; the Plaintext field comes back base64-encoded\n",
        "aws kms decrypt",
        " --output text",
        " --query Plaintext",
        " --region ", {"Fn::FindInMap": ["KMSSecrets", "GithubSSHKey", "CMKRegion"]},
        " --ciphertext-blob fileb:///root/.ssh/github.pem.encrypted",
        " | base64 -d > /root/.ssh/git.pem\n",
        "",
        "rm -f /root/.ssh/github.pem.encrypted\n",
        "chmod 600 /root/.ssh/git.pem\n",
        "rm -rf /var/www/html\n",
        "eval `ssh-agent`\n",
        "ssh-add /root/.ssh/git.pem\n",
        "# Clone over SSH so the decrypted key is actually used (an https:// URL would ignore it)\n",
        "git clone git@github.com:magento/magento2.git /var/www/html\n",
        "# Remove the plaintext key and the agent that still holds it\n",
        "rm -f /root/.ssh/git.pem\n",
        "ssh-agent -k\n",
        ""
      ]]}}
    },
    "Type": "AWS::EC2::Instance"
  },
answered 9 years ago
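As an added example (not code from the answer above), the following Python shows how a KMSSecrets mapping entry of the shape used in that template is produced and consumed with the boto3 KMS client, and how the instance role's kms:Decrypt permission can be scoped to exactly that ciphertext. It uses a KMS encryption context, which the original template does not: the context is authenticated data that must be supplied again at decrypt time, it appears in the CloudTrail record of each Decrypt call, and it can be matched in IAM conditions. The function names, the context key "StackSecret", and the FakeKms test double are assumptions made here; in production pass boto3.client("kms", region_name=...) in place of FakeKms.

```python
"""Build and consume a CloudFormation "KMSSecrets" mapping entry with KMS.

Added illustration, not the answer's own code. `kms` is any object with the
boto3 KMS client's encrypt()/decrypt() signatures; FakeKms below is a
constructed offline stand-in so the functions can be exercised without AWS.
"""
import base64
import json
from typing import Dict


def build_kms_mapping_entry(kms, key_id: str, region: str, role_name: str,
                            secret: bytes, encryption_context: Dict[str, str]) -> Dict[str, str]:
    """Encrypt `secret` under `key_id` and return the mapping entry.

    KMS returns CiphertextBlob as raw bytes, so it is base64-encoded for the
    JSON template; the UserData script base64-decodes it again before handing
    the binary blob to `aws kms decrypt --ciphertext-blob fileb://...`.
    """
    resp = kms.encrypt(KeyId=key_id, Plaintext=secret, EncryptionContext=encryption_context)
    return {
        "CMKRegion": region,
        "CipherTextBlob": base64.b64encode(resp["CiphertextBlob"]).decode("ascii"),
        "IAMRoleName": role_name,
    }


def decrypt_mapping_entry(kms, entry: Dict[str, str], encryption_context: Dict[str, str]) -> bytes:
    """Reverse of build_kms_mapping_entry: the same context must be supplied,
    otherwise KMS rejects the ciphertext (InvalidCiphertextException)."""
    blob = base64.b64decode(entry["CipherTextBlob"])
    resp = kms.decrypt(CiphertextBlob=blob, EncryptionContext=encryption_context)
    return resp["Plaintext"]


def decrypt_policy(key_arn: str, encryption_context: Dict[str, str]) -> dict:
    """IAM policy for the instance role: kms:Decrypt on one key, and only for
    ciphertexts carrying this exact context (kms:EncryptionContext:<key>
    condition keys). Anything else encrypted under the same CMK stays opaque
    to the instance."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": key_arn,
            "Condition": {"StringEquals": {
                f"kms:EncryptionContext:{k}": v for k, v in encryption_context.items()}},
        }],
    }


class FakeKms:
    """Constructed offline stand-in for boto3's KMS client, for testing only.

    It is NOT encryption: it packs plaintext and context into an opaque token
    and, like real KMS, refuses to decrypt when the supplied context differs.
    """

    def encrypt(self, KeyId, Plaintext, EncryptionContext=None):
        token = json.dumps({"k": KeyId, "ctx": EncryptionContext or {},
                            "pt": base64.b64encode(Plaintext).decode("ascii")}).encode()
        return {"KeyId": KeyId, "CiphertextBlob": token}

    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        tok = json.loads(CiphertextBlob)
        if tok["ctx"] != (EncryptionContext or {}):
            raise ValueError("InvalidCiphertextException: encryption context mismatch")
        return {"KeyId": tok["k"], "Plaintext": base64.b64decode(tok["pt"])}


if __name__ == "__main__":
    ctx = {"StackSecret": "GithubSSHKey"}          # assumed context key/value
    kms = FakeKms()                                 # boto3.client("kms") in production
    entry = build_kms_mapping_entry(kms, "alias/example-cmk", "us-east-1",
                                    "tmaddox-githubconsumer", b"-----BEGIN KEY-----", ctx)
    print(json.dumps({"Mappings": {"KMSSecrets": {"GithubSSHKey": entry}}}, indent=2))
    print(json.dumps(decrypt_policy("arn:aws:kms:us-east-1:123456789012:key/example", ctx), indent=2))
```

The ciphertext in a Mapping is readable by anyone with cloudformation:GetTemplate on the stack, which is acceptable only because the control is the kms:Decrypt permission rather than access to the template; the policy returned above keeps that permission to one key and one context. KMS Encrypt accepts at most 4096 bytes of plaintext, enough for a PEM-encoded RSA private key of the size used here; larger secrets need envelope encryption with GenerateDataKey.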
I would store the AD credentials in an AWS Secrets Manager secret and then use PowerShell in user data to retrieve the secret value while joining the domain.
https://aws.amazon.com/de/secrets-manager/
https://docs.aws.amazon.com/powershell/latest/reference/items/Get-SECSecretValue.html
answered 10 months ago