[DOC] Poor security posture in the Snapshot repository documentation

[albgus]

What do you want to do?

• [ ] Request a change to existing documentation
• [ ] Add new documentation
• [X] Report a technical problem with the documentation
• [ ] Other

Tell us about your request: The documentation for taking and restoring snapshots suggests building credentials into your docker container. This seems to me like an extremely poor security practice being encouraged by the documentation..

RUN echo $AWS_ACCESS_KEY_ID | /usr/share/opensearch/bin/opensearch-keystore add --stdin s3.client.default.access_key
RUN echo $AWS_SECRET_ACCESS_KEY | /usr/share/opensearch/bin/opensearch-keystore add --stdin s3.client.default.secret_key

I'm pretty sure this line wouldn't even work well either: RUN echo $AWS_SESSION_TOKEN | /usr/share/opensearch/bin/opensearch-keystore add --stdin s3.client.default.session_token. Since the AWS_SESSION_TOKEN is usually only used with temporary credentials that expires in a few hours. For the example to be usable the container would need to be continously be re-built with new credentials and re-deployed.

Also, for the IRSA step it says the following:

If you don’t want to configure AWS access and secret keys, modify the following opensearch.yml setting. Make sure the file is accessible by the repository-s3 plugin:

s3.client.default.identity_token_file: /usr/share/opensearch/plugins/repository-s3/token

_If copying is not an option_, you can create a symlink to the web identity token file in the ${OPENSEARCH_PATH_CONFIG} folder:

ln -s $AWS_WEB_IDENTITY_TOKEN_FILE "${OPENSEARCH_PATH_CONFIG}/aws-web-identity-token-file"

Specifically If copying is not an option suggests that it would be possible to simply copy the token file. Ignoring that there's no suggestion of how to implement this at runtime, simply copying the file at container start would be a bad idea as the token file by default expires in 24 hours. Normally the IRSA controller would take care of refreshing the token file during the containers lifetime, but if it's copied somewhere else it would not be refreshed.

[hdhalter]

@nisgoel-amazon, can you please advise on this request? Thanks!

[nisgoel-amazon]

@hdhalter This is related to which plugin. Can you point out the documentation page.

[nisgoel-amazon]

Got it, this is related to snapshot restore. https://github.com/opensearch-project/documentation-website/blob/bce6a3a6bcaf439c3576f540188f360c3f779ba9/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md?plain=1#L95

@yigithub / @neetikasinghal can you help on this one.