-
Notifications
You must be signed in to change notification settings - Fork 31
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use AWS roles instead of service users #26
Conversation
We were creating AWS service users, giving them keys and then checking those keys in with git-crypt. This isn't good security practice. We should be creating roles with minimal permissions instead. These roles can then be 'assumed' by different entities - an EC2 instance running GitHub actions, a local user on a computer, etc. This also removes need to managed EC2 access credentials in a repo - dangerous, and bothersome to rotate. This needs corresponding changes in hubploy to use assumed roles before it can work.
|
I assume https://github.com/pangeo-data/terraform-deploy/blob/master/aws/your-cluster.tfvars.template#L6 |
For EC2 instances, I'm guessing we need another role that can assume the ecr and eks roles. Then EC2 can use that role, and we can run hubploy there automatically? |
@cslocum yeah I think we should remove map_users. We might need to add map_roles (https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html) though - currently only the user that created the cluster can access it. |
I think aws-creds is unrelated - it is creating roles that can be used to run this terraform module itself. Equivalent to https://github.com/yuvipanda/aws-codecommit-secret#setting-up-iam-role-to-run-terraform |
Currently, only the user who created the cluster can access the cluster. We need to explicitly set role in [aws-auth](https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html) to let roles access the cluster. We set this up, so the hubploy role can actually talk to the kubernetes cluster
We create a role that can assume only the two roles necessary for hubploy. This role can only be attached to ec2 instances
Needs more docs! Overall the right thing to do, but needs docs on:
We should find ways to answer these questions before merging this. |
I like this! I think assuming roles has been tricky for us in the past but if we can streamline it with Terraform it should be much easier.
After reading through the commits, it seems like |
For your last comment:
What do you mean by this? How to get other users permissions to mess with the cluster? Allow other users on your AWS account to deploy clusters in this manner? Would you not just make sure they are in the IAM group you are making?
That might be a problem. There wouldn't be credentials for an IAM role, would there? How do we allow a CI machine that we don't always own access into our AWS account? If there is something we can give it, are we okay with No answers yet on my end, just hoping to drop some leading questions and generate discussion. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the only thing I can think to change immediately. Otherwise, this looks great!
Thanks for the review, @salvis2! The stuff in For CI, there are two options:
This also goes well with getting rid of git-crypt, the most secure version of that includes using codecommit. |
Only needs to run describe-cluster on the one we just created
@salvis2 done! |
Gotcha. Finding the minimum permission set for
Ah I see. For 1, I can kind of see how it would work but it seems like it would have poor integration and / or always have to be running. If there's a config for this, I'd love to see it. For 2, this method is clearer to me. You could just put keys into CircleCI or GitHub Secrets manually. Makes sense. These both look like good paths forward! |
@salvis2 for 1 I have had people use https://help.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners without too much trouble. But only in extreme cases haha. How do you feel about hitting the merge button? |
We were creating AWS service users, giving them keys
and then checking those keys in with git-crypt. This isn't
good security practice. We should be creating roles with
minimal permissions instead. These roles can then be 'assumed'
by different entities - an EC2 instance running GitHub actions,
a local user on a computer, etc. This also removes need to
managed EC2 access credentials in a repo - dangerous, and bothersome
to rotate.
This needs corresponding changes in hubploy to use assumed
roles before it can work.