jackl0phty / opschef-cookbook-amazon_s3cmd

Installs and configures s3cmd, which can transfer files to/from Amazon's Simple Storage Service (S3).
Apache License 2.0

Are the s3 secrets being saved to node on purpose? #2

Open damienjoldersma opened 10 years ago

damienjoldersma commented 10 years ago

Greetings!

First of all, thanks for the cookbook, it has been super helpful.

While working with it, I noticed that you did a terrific job of working with encrypted data bags and making a best effort to keep secrets under lock and key; however, I also noticed that my unencrypted secrets were being saved in my node. Looking into it, I noticed that in the databag_and_config recipe you do:

# Save creds to node.
node.set['amazon_key'] = s3_key
node.set['amazon_secret'] = s3_secret

A possible workaround is to apply the whitelist-node-attrs recipe as the last item of your run list and exclude these amazon_s3cmd key/secret attributes, or something like that. If I am reading this right, then the unencrypted / clear text values will be saved back to the Chef server, hence effectively undoing the good work with secrets and credentials management.

Thanks again for the very well written cookbook!

PS: Here is a link to that cookbook if you are interested:

https://github.com/opscode/whitelist-node-attrs

damienjoldersma commented 10 years ago

I was able to find another workaround by adding this to the end of databag_and_config.rb, but it could also be in any recipe that runs before the node is saved back to the chef server:

# Delete node s3 creds so they are not saved in clear text in chef server
node.normal_attrs.delete(:amazon_key)
node.normal_attrs.delete(:amazon_secret)
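
The leak discussed in this thread (credentials written into node attributes and therefore persisted to the Chef server) is easy to miss once a node has been saved, so a defender wants a way to audit node objects for it and to scrub them before re-saving. The following is an added example, not code from this cookbook or from anyone in the thread. It walks a node object as returned by `knife node show NODE -F json` (the sample node below is constructed; its credential values are the placeholder values AWS uses in its own documentation, not real keys), reports the attribute paths that look like AWS credentials, and returns a scrubbed copy with those attributes removed, which generalises the `node.normal_attrs.delete` workaround above to any attribute section. The key names `amazon_key`/`amazon_secret` come from the issue; the other names and the value heuristics are assumptions.

```ruby
require 'json'

# Attribute names known to carry credentials: the two this cookbook writes
# (from the issue) plus two common generic names (assumption).
SECRET_KEY_NAMES = %w[amazon_key amazon_secret aws_access_key_id aws_secret_access_key].freeze
# AWS access key IDs are 20 uppercase alphanumerics starting with AKIA (long-term)
# or ASIA (temporary); secret access keys are 40 base64-like characters.
ACCESS_KEY_RE = /\A(AKIA|ASIA)[A-Z0-9]{16}\z/
SECRET_KEY_RE = %r{\A[A-Za-z0-9/+=]{40}\z}

# Heuristic for a secret access key: 40 base64-like chars containing both
# cases, which keeps 40-char lowercase hex digests (SHA-1) from matching.
def looks_like_secret_key?(value)
  value.match?(SECRET_KEY_RE) && value.match?(/[a-z]/) && value.match?(/[A-Z]/)
end

# Walk a parsed node object and return the paths (arrays of keys/indices, as
# strings) of every string attribute that looks like an AWS credential.
def find_secret_attrs(obj, path = [])
  hits = []
  case obj
  when Hash
    obj.each do |k, v|
      key = k.to_s
      if v.is_a?(String) &&
         (SECRET_KEY_NAMES.include?(key) || v.match?(ACCESS_KEY_RE) || looks_like_secret_key?(v))
        hits << (path + [key])
      else
        hits.concat(find_secret_attrs(v, path + [key]))
      end
    end
  when Array
    obj.each_with_index { |v, i| hits.concat(find_secret_attrs(v, path + [i.to_s])) }
  end
  hits
end

# Return a deep copy of the node with every flagged attribute deleted; the
# original object is left untouched so it can still be inspected.
def scrub_secret_attrs(node)
  clean = JSON.parse(JSON.generate(node)) # deep copy, all keys stringified
  find_secret_attrs(clean).each do |path|
    *parents, leaf = path
    parent = parents.reduce(clean) { |h, k| h.is_a?(Array) ? h[k.to_i] : h[k] }
    parent.delete(leaf) if parent.is_a?(Hash)
  end
  clean
end

# Constructed sample node, shaped like `knife node show -F json` output.
# Credential values are the placeholder keys from AWS documentation.
SAMPLE_NODE = {
  "name" => "web01.example.internal",
  "normal" => {
    "amazon_key" => "AKIAIOSFODNN7EXAMPLE",
    "amazon_secret" => "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "tags" => ["web"]
  },
  "automatic" => {
    "fqdn" => "web01.example.internal",
    # 40-char SHA-1 hex digest: must NOT be reported as a secret key
    "checksum" => "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12"
  }
}.freeze

if $PROGRAM_NAME == __FILE__
  find_secret_attrs(SAMPLE_NODE).each { |p| puts "credential-like attribute: #{p.join('.')}" }
  puts "scrubbed normal section: #{scrub_secret_attrs(SAMPLE_NODE)['normal']}"
end
```

Run against the sample it reports `normal.amazon_key` and `normal.amazon_secret` and leaves the SHA-1 checksum alone. In a recipe, the cleaner fix is not to put the decrypted values into node attributes at all: `node.run_state` is a per-run hash that Chef never persists to the server, so it can carry the credentials between recipes without the delete-before-save dance.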

billmoritz commented 10 years ago

+1

Not sure why this is saved to the node. Defeats the purpose. Also, not sure why we want to add the credentials to profile.d for the entire server either.