[Cialug] Access credentials for new cloud instances
Thomas Kula
kula at tproa.net
Mon Jan 23 16:23:53 CST 2012
On Mon, Jan 23, 2012 at 01:06:16PM -0800, Zachary Kotlarek wrote:
>
> On Jan 23, 2012, at 8:04 AM, Matthew Nuzum wrote:
>
> > In an environment where you're using dynamic cloud instances (i.e. you spin them up and down as demand grows and ebbs) there is a need for your new instance to talk to your various infrastructure.
>
>
> Doesn't your cloud host provide a way for you to pass data into the instance as part of the launch request? If there's any such comm channel you could use it either to pass a key to the server directly, or to pass a cookie used to authenticate locally-generated credentials.
>
This is the method I've been looking at as I've been considering
moving some things to AWS.
> Without that kind of comm channel, or some machine auth system provided by the cloud host, you'll need a static key. But that can be less ominous than it sounds -- you can pre-install a user and public SSH key on the instance image, so that your central server can log into it and generate an instance-specific key. Once you have that key exchange done the instance can drive its own setup as before, but logging into the instance to generate the key avoids storing any secrets in your instance image (shared or otherwise).
>
Ah, but the problem here is how do you know that the thing
you are now sshing into and are generating magic bits is
actually the thing you mean to be logging into and generating
magic bits? I.e. this isn't someone between you and your cloud
provider who's gotten your image and is making traffic for that
ip head over to this rogue image?
Of course, you have to decide if you care about this likely of
an event.
--
Thomas L. Kula | kula at tproa.net | http://kula.tproa.net/
More information about the Cialug
mailing list