Nike-Inc / gimme-aws-creds

A CLI that utilizes Okta IdP via SAML to acquire temporary AWS credentials
Apache License 2.0

[Question] Should the repo have its own Docker Store public official image? #84

Open migueleliasweb opened 6 years ago

migueleliasweb commented 6 years ago

Hi guys,

I wanted to know how keen you are to incorporate the recently created Dockerfile (and its image) into Docker Store.

The benefit of doing this is that people won't even have to download the repo and locally build the image in order to use it.

Let me know your thoughts :wink: .

Sector95 commented 6 years ago

I'm torn on this, as I'd really like to make this tool as easy as possible to use, but...

I do like forcing people to build the container themselves in this case, as it's more likely that they'll see the contents of the Dockerfile prior to building. We're dealing with sensitive information in the container, and I'd hate for the Docker repo to get popped somehow, and have a bunch of unsuspecting people pull down tainted images that are siphoning off credentials to somewhere nefarious.

I realize that's also possible with the pip repository, but in that case, absence is a security risk, as it makes room for imitation. That doesn't seem to me as likely when it comes to Docker, for whatever reason. Probably because, unlike pip, not just anyone can get an "official" Docker Hub repository, whereas with pip, anyone can upload an "official" package.

migueleliasweb commented 6 years ago

I totally understand and kind of agree as well. Since this repo deals with credentials, it's a fair call to take extra precautions when doing something that potentially opens a door for simple "attacks". But personally I think it's all about making the right thing so easy and the wrong thing very hard to do.

Right now, anyone could create an image on Docker Store with the name gimme-aws-creds and "claim" it's the official image, but we know it's not. That image could even contain malicious code! But if the real official image is broadcast publicly here, it's less likely people will pull and run a dodgy one from someone else.

migueleliasweb commented 6 years ago

Another thing that is worth mentioning is that this repo is definitely not for everyone. Most of the users that land here want to solve a problem for an enterprise or something similar. If someone got this far to integrate AWS creds with Okta, it's less likely that they would blindly run an image without having a thorough look at it.

Sector95 commented 6 years ago

I know what you're saying, but I disagree regarding the enterprise. An enterprise is just a really large group of people, each with the same risk of ignorance as anyone else.

Before we go down this rabbit hole too far, I need to make sure that our OSS program is positioned to support an official Docker repository. Standby.

migueleliasweb commented 6 years ago

I understand. In the end I guess it makes sense. Just having the actual Dockerfile already makes things much easier. I'm happy with that :wink: .

Standing by for more OSS info.

Sector95 commented 5 years ago

Didn't mean to leave you hanging. Last I had heard back from the team running our OSS program, we at the time did not have a DockerHub presence, but I notice that there is now a nikeoss user on DockerHub. I'll check back with them again and get back to you.

rmelick-vida commented 5 years ago

@Sector95 was wondering if you heard back from your OSS team. I've just come across this repo as the preferred way to get AWS CLI credentials through Okta (https://support.okta.com/help/s/article/Integrating-the-Amazon-Web-Services-Command-Line-Interface-Using-Okta), and I'm in the middle of documenting the recommended process for all our devs. If there are plans for an official image, that's great; otherwise we'll probably fork and upload our own private image to our internal docker hub.

ChristophShyper commented 4 years ago

Feel free to use mine at devopsinfra/docker-okta-aws-sso, with contents from devops-infra/docker-okta-aws-sso. I'm using it all the time, even for private projects :)

electriquo commented 4 years ago

I would really like to see an official docker image on docker hub.