Open migueleliasweb opened 6 years ago
I'm torn on this, as I'd really like to make this tool as easy as possible to use, but...
I do like forcing people to build the container themselves in this case, as it's more likely that they'll see the contents of the Dockerfile prior to building. We're dealing with sensitive information in the container, and I'd hate for the Docker repo to get popped somehow, and have a bunch of unsuspecting people pull down tainted images that are siphoning off credentials to somewhere nefarious.
I realize that's also possible with the pip repository, but in that case, absence is a security risk, as it makes room for imitation. That doesn't seem to me as likely when it comes to Docker, for whatever reason. Probably because unlike pip, not just anyone can get an "official" Docker Hub repository, whereas with pip, anyone can upload an "official" package.
I totally understand and kind of agree as well. Since this repo deals with credentials, it's a fair call to take extra precaution when doing something that potentially opens a door for simple "attacks". But personally I think it's all about making the right thing so easy and the wrong thing very hard to do.
Right now, anyone could create an image on Docker Store with the name gimme-aws-creds and "claim" it's the official image but we know it's not. That image could even contain malicious code! But if the real official image is broadcasted publicly here, it's less likely people will pull and run a dodgy one from someone.
Another thing that is worth mentioning is that this repo is definitely not for everyone. Most of the users that land here want to solve a problem for an enterprise or something similar. If someone got this far to integrate AWS creds with Okta, it's less likely that they would blindly run an image without having a thorough look at it.
I know what you're saying, but I disagree regarding the enterprise. An enterprise is just a really large group of people, each with the same risk of ignorance as anyone else.
Before we go down this rabbit hole too far, I need to make sure that our OSS program is positioned to support an official Docker repository. Standby.
I understand. In the end I guess it makes sense. Just having the actual Dockerfile already makes things much easier. I'm happy with that :wink: .
Standing by for more OSS info.
Didn't mean to leave you hanging. Last I had heard back from the team running our OSS program, we at the time did not have a DockerHub presence, but I notice that there is now a nikeoss user on DockerHub. I'll check back with them again and get back to you.
@Sector95 was wondering if you heard back from your OSS team. I've just come across this repo as the preferred way to get AWS CLI credentials through Okta (https://support.okta.com/help/s/article/Integrating-the-Amazon-Web-Services-Command-Line-Interface-Using-Okta). And I'm in the middle of documenting the recommended process for all our devs. If there are plans for an official image, that's great, or else we'll probably fork and upload our own private image to our internal Docker Hub.
Feel free to use mine at devopsinfra/docker-okta-aws-sso, with contents from devops-infra/docker-okta-aws-sso. I'm using it all the time, even for private projects :)
I would really like to see an official Docker image on Docker Hub.
Hi guys,
I wanted to know how keen you are to incorporate the recently created Dockerfile (and its image) into Docker Store.
The benefit of doing this is that people won't even have to download the repo and locally build the image in order to use it.
Let me know your thoughts :wink: .