This repository was archived by the owner on Feb 11, 2022. It is now read-only.

managing secret_access_key data #15

Open
mc0e opened this issue Mar 24, 2013 · 21 comments

Comments

@mc0e

mc0e commented Mar 24, 2013

If I've got different machines which use different aws.access_key_id values, then I'm going to want to configure those in the Vagrantfile for the project. I don't want the aws.secret_access_key value to be in the file that I'm going to put in version control though, and perhaps sharing with others so I want to configure that in ~/.vagrant/Vagrantfile.

Problem is that depending which project I'm working on, I'll be using different values for aws.secret_access_key. I'd like to be able to have configuration on a per user basis to look up the appropriate aws.secret_access_key value based on the aws.access_key_id.

I'm not all that thrilled with storing the aws.secret_access_key in a file in cleartext. It'd be nice if there was an option for storing that in encrypted form, which would then require entering a password to perform various operations. No doubt I could hack in a bit of ruby for this in the config file so it'd get the value from the decrypted content of a file, but then it'd ask me for that password even for operations (like vagrant ssh, or vagrant provision) that don't need to use that key. Besides which if the functionality goes into vagrant-aws then it'll save a bunch of people doing that hack independently.
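The encrypted-at-rest idea in the comment above, worked through as an added example that is not code from this thread or from vagrant-aws: the secret is stored under a passphrase (PBKDF2-HMAC-SHA256 key derivation, AES-256-GCM so a wrong passphrase or a tampered file is rejected rather than decrypted to garbage), and the passphrase is only requested for commands that actually need the key. The file layout, the function names and the list of commands that need the secret are assumptions made for this example.

```ruby
require 'openssl'
require 'json'

PBKDF2_ITERATIONS = 200_000

# Encrypt one secret under a passphrase. Returns a JSON blob that could be
# written to a per-user file such as ~/.vagrant/aws_secret.enc (assumed name).
def encrypt_secret(plaintext, passphrase)
  salt = OpenSSL::Random.random_bytes(16)
  key = OpenSSL::PKCS5.pbkdf2_hmac(passphrase, salt, PBKDF2_ITERATIONS, 32,
                                   OpenSSL::Digest.new('SHA256'))
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  cipher.key = key
  iv = cipher.random_iv                      # 12-byte nonce, fresh per encryption
  ciphertext = cipher.update(plaintext) + cipher.final
  {
    'kdf' => 'pbkdf2-sha256', 'iterations' => PBKDF2_ITERATIONS,
    'salt' => [salt].pack('m0'),             # strict base64
    'iv' => [iv].pack('m0'),
    'tag' => [cipher.auth_tag].pack('m0'),
    'ciphertext' => [ciphertext].pack('m0')
  }.to_json
end

# Decrypt the blob. A wrong passphrase or any modification of the file fails
# the GCM tag check and raises OpenSSL::Cipher::CipherError.
def decrypt_secret(blob, passphrase)
  data = JSON.parse(blob)
  salt = data['salt'].unpack1('m0')
  key = OpenSSL::PKCS5.pbkdf2_hmac(passphrase, salt, data['iterations'], 32,
                                   OpenSSL::Digest.new('SHA256'))
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.decrypt
  cipher.key = key
  cipher.iv = data['iv'].unpack1('m0')
  cipher.auth_tag = data['tag'].unpack1('m0')
  cipher.update(data['ciphertext'].unpack1('m0')) + cipher.final
end

# Which subcommands talk to the AWS API is an assumption for this example;
# vagrant-aws does not define such a list. "ssh" is deliberately absent.
COMMANDS_NEEDING_SECRET = %w[up destroy halt reload].freeze

def secret_needed?(argv)
  COMMANDS_NEEDING_SECRET.include?(argv.first)
end

# In a Vagrantfile, ARGV holds the vagrant command line; ask_passphrase would
# prompt the user (e.g. via io/console) and is only invoked when needed.
def secret_for(argv, blob, ask_passphrase)
  return nil unless secret_needed?(argv)
  decrypt_secret(blob, ask_passphrase.call)
end

# Demo with a constructed secret and passphrase (no real credentials).
def demo
  blob = encrypt_secret('EXAMPLE_SECRET_KEY', 'correct horse')
  ssh = secret_for(%w[ssh], blob, -> { raise 'must not prompt for vagrant ssh' })
  up = secret_for(%w[up --provider=aws], blob, -> { 'correct horse' })
  wrong = begin
    decrypt_secret(blob, 'wrong passphrase')
    nil
  rescue OpenSSL::Cipher::CipherError
    :rejected
  end
  [ssh, up, wrong]
end
```

In a Vagrantfile the result of `secret_for(ARGV, File.read(path), prompt)` would be assigned to `aws.secret_access_key` only when it is non-nil, so `vagrant ssh` never prompts and never decrypts anything.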

@andrewcstewart

Second this, kinda. It would be nice to just have a field that points to a file containing the info, i.e. aws.credentials = "~.aws/MyCredential1"

@mc0e
Author

mc0e commented Mar 28, 2013

There's also a security issue here. If it's in the project Vagrantfile, then it'll get copied to /vagrant on the server. It's not good for a live, and likely public, server to contain these access credentials. It means that if the server is compromised, an attacker could get access to manipulate everything else in the AWS account.

@mitchellh
Owner

Since the Vagrantfile is Ruby, I recommend using environmental variables or file reading for now.

However, I think having a aws.credentials_path type option would be valuable. I wonder what that sort of file would look like, however...

@mitchellh
Owner

Yeah, okay, it looks like some EC2 tools use an AWS_CREDENTIAL_FILE parameter. It would be great to support that both as an environment variable and as a configuration option. Here is how I see it working:

  • aws.credential_file which points to a path (relative to env.root_path), in the AWS_CREDENTIAL_FILE format.
  • Defaults to env["AWS_CREDENTIAL_FILE"] if available.
  • Error if both credential_file and the access key parameters are set.

Happy to look at pulls implementing the above. :)
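The three rules in the proposal above, implemented as an added example (not vagrant-aws code and not from any pull request in this thread): a parser for the AWS_CREDENTIAL_FILE key=value format (`AWSAccessKeyId` / `AWSSecretKey`), path resolution relative to a root directory, the environment-variable default, and an error when both the file and the inline keys are configured. The option and function names are assumptions.

```ruby
require 'tmpdir'

class CredentialConfigError < StandardError; end

# Parse the AWS_CREDENTIAL_FILE format: one KEY=VALUE per line, '#' comments
# and blank lines ignored. Both required keys must be present.
def parse_credential_file(contents)
  creds = {}
  contents.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split('=', 2)
    creds[key.strip] = value.to_s.strip
  end
  missing = %w[AWSAccessKeyId AWSSecretKey] - creds.keys
  raise CredentialConfigError, "credential file missing #{missing.join(', ')}" unless missing.empty?
  { access_key_id: creds['AWSAccessKeyId'], secret_access_key: creds['AWSSecretKey'] }
end

# Resolve credentials following the proposal:
#  * credential_file is a path relative to root_path (env.root_path in Vagrant)
#  * it defaults to env['AWS_CREDENTIAL_FILE'] when not set explicitly
#  * configuring both the file and the inline keys is an error
def resolve_credentials(root_path:, env:, credential_file: nil,
                        access_key_id: nil, secret_access_key: nil)
  inline = access_key_id || secret_access_key
  file = credential_file || env['AWS_CREDENTIAL_FILE']
  if file && inline
    raise CredentialConfigError,
          'set either aws.credential_file or access_key_id/secret_access_key, not both'
  end
  if file
    path = File.expand_path(file, root_path)
    parse_credential_file(File.read(path)).merge(source: path)
  elsif access_key_id && secret_access_key
    { access_key_id: access_key_id, secret_access_key: secret_access_key, source: :inline }
  else
    raise CredentialConfigError, 'no AWS credentials configured'
  end
end

# Demo with a constructed credential file in a temporary directory (no real keys).
def demo
  Dir.mktmpdir do |home|
    path = File.join(home, '.aws-credentials')
    File.write(path, "# constructed sample\nAWSAccessKeyId=AKIAEXAMPLE\nAWSSecretKey=EXAMPLESECRET\n")
    from_env = resolve_credentials(root_path: '/project', env: { 'AWS_CREDENTIAL_FILE' => path })
    conflict = begin
      resolve_credentials(root_path: '/project', env: {}, credential_file: path,
                          access_key_id: 'AKIAOTHER')
      nil
    rescue CredentialConfigError => e
      e.message
    end
    [from_env[:access_key_id], from_env[:secret_access_key], conflict]
  end
end
```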

@jimstallings

require 'yaml'  # YAML is not loaded by default in a Vagrantfile

# Read both keys from a YAML file that is kept out of version control
aws_config = YAML::load_file('.aws_secrets')
aws.access_key_id = aws_config.fetch("access_key_id")
aws.secret_access_key = aws_config.fetch("secret_access_key")

.aws_secrets contains
access_key_id: YOUR_ACCESS_KEY
secret_access_key: YOUR_SECRET_KEY

@mc0e
Author

mc0e commented May 28, 2013

OK, but how can I give it a path for the YAML file which is outside the vagrant directory, and which is cross-platform? I think support for this needs to be built into the vagrant-aws code.

@mc0e
Author

mc0e commented May 28, 2013

to clarify, Jimstallings' solution does give me a concise way to load credentials from a specified path, which is the greater part of what I'm after, but I'd also like to be able to specify something in a way that would work for a vagrant project that's shared with others. e.g. some Windows based developers I collaborate with, or users of a public project.

@andrewcstewart

Not at my computer to test this right now, but why couldn't a file from outside Vagrant's working directory be specified?  Seems like a good solution.


On Tue, May 28, 2013 at 7:39 PM, mc0e [email protected] wrote:

to clarify, Jimstallings' solution does give me a concise way to load credentials from a specified path, which is the greater part of what I'm after, but I'd also like to be able to specify something in a way that would work for a vagrant project that's shared with others. e.g. some Windows based developers I collaborate with, or users of a public project.


@mc0e
Author

mc0e commented May 29, 2013

Untested, but I may have solved my own problem here. Apparently Dir.home is platform independent.

require 'yaml'

# Dir.home resolves the user's home directory on every platform
aws_config = YAML::load_file(File.join(Dir.home, ".aws_secrets"))
aws.access_key_id = aws_config.fetch("access_key_id")
aws.secret_access_key = aws_config.fetch("secret_access_key")

A little thought is needed so different projects using this approach don't collide. eg multiple named keys in the file. Not hard to work that out though.

It would be better though to have an aws.credential_file option built in to vagrant.
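One way to avoid the collision mentioned above, as an added example that is not code from this thread or from vagrant-aws: a single per-user file holds several key pairs indexed by access key id, the project's Vagrantfile only names the (non-secret) access key id, and the secret is looked up from that id. The lookup also refuses a secrets file that lives under the project root, since that directory is what gets synced to /vagrant on the instance, and warns if the file is readable by other local users. The file name, YAML layout and function name are assumptions.

```ruby
require 'yaml'
require 'tmpdir'

# Assumed layout of the per-user file (constructed sample, no real keys):
#   keys:
#     AKIAPROJECTA: SECRET_FOR_A
#     AKIAPROJECTB: SECRET_FOR_B
def load_secret_for(access_key_id,
                    secrets_path = File.join(Dir.home, '.aws_secrets'),
                    project_root = Dir.pwd)
  real_file = File.expand_path(secrets_path)
  real_root = File.expand_path(project_root)
  # The whole project root is rsynced to the instance, so a secrets file in
  # there would end up on the server. Refuse it outright.
  if real_file.start_with?(real_root + File::SEPARATOR)
    raise ArgumentError,
          "#{secrets_path} is inside the project root and would be synced to the instance"
  end
  # A secrets file readable by group/others is a local exposure; warn on it.
  mode = File.stat(real_file).mode & 0o077
  warn "#{secrets_path} is readable by other users (mode bits #{'%o' % mode})" unless mode.zero?
  data = YAML.safe_load(File.read(real_file)) || {}
  secret = data.fetch('keys', {})[access_key_id]
  raise KeyError, "no secret for access key #{access_key_id} in #{secrets_path}" if secret.nil?
  secret
end

# Demo with a constructed secrets file in a temporary "home" directory.
def demo
  Dir.mktmpdir do |home|
    path = File.join(home, '.aws_secrets')
    File.write(path, YAML.dump('keys' => { 'AKIAPROJECTA' => 'SECRET_FOR_A',
                                           'AKIAPROJECTB' => 'SECRET_FOR_B' }))
    File.chmod(0o600, path)
    project = File.join(home, 'project')
    Dir.mkdir(project)

    secret_b = load_secret_for('AKIAPROJECTB', path, project)
    inside = begin
      load_secret_for('AKIAPROJECTA', File.join(project, '.aws_secrets'), project)
      nil
    rescue ArgumentError => e
      e.message
    end
    unknown = begin
      load_secret_for('AKIANOPE', path, project)
      nil
    rescue KeyError => e
      e.message
    end
    [secret_b, inside, unknown]
  end
end
```

In a Vagrantfile this reduces to two lines inside the provider block: `aws.access_key_id = "AKIAPROJECTB"` (safe to commit) followed by `aws.secret_access_key = load_secret_for("AKIAPROJECTB")`.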

@jayjanssen

I tried using a YAML file and got it to work:

# -*- mode: ruby -*-
# vi: set ft=ruby :
require 'yaml'

Vagrant.configure("2") do |config|
  # All Vagrant configuration is done here. The most common configuration
  # options are documented and commented below. For a complete reference,
  # please see the online documentation at vagrantup.com.

  # Every Vagrant virtual environment requires a box to build off of.
  config.vm.box = "ubuntu-aws-us-east"

  config.vm.provider :aws do |aws, override|
    # Credentials come from ~/.aws_secrets, outside the project directory
    aws_config = YAML::load_file(File.join(Dir.home, ".aws_secrets"))
    aws.access_key_id = aws_config.fetch("access_key_id")
    aws.secret_access_key = aws_config.fetch("secret_access_key")
    aws.keypair_name = aws_config.fetch("keypair_name")
    override.ssh.username = "ubuntu"
    override.ssh.private_key_path = aws_config.fetch("keypair_path")
  end

  config.vm.provision :puppet do |puppet|
    puppet.manifests_path = "manifests"
    puppet.manifest_file  = "init.pp"
  end
end

@andrewcstewart

Very nice. Thanks Jay!

@andrewcstewart

jay, would you mind pasting what your yaml file looked like?

@jayjanssen

Sure. I am also playing with the ability to dynamically set the 'Name' tag attribute. The YAML file is just "key: value" pairs.

jayj@~ [507]$ cat ~/.aws_secrets
access_key_id: MY_ACCESS_KEY
secret_access_key: MY_SECRET_ACCESS_KEY
keypair_name: jay
keypair_path: /Users/jayj/.ssh/jay.pem
instance_name_prefix: Jay

My Vagrantfile looks like this:

# -*- mode: ruby -*-
# vi: set ft=ruby :
require 'yaml'

Vagrant.configure("2") do |config|
  # All Vagrant configuration is done here. The most common configuration
  # options are documented and commented below. For a complete reference,
  # please see the online documentation at vagrantup.com.

  # Every Vagrant virtual environment requires a box to build off of.
  config.vm.box = "ubuntu-aws-us-east"

  config.vm.provider :aws do |aws, override|
    # Credentials, keypair and naming prefix all come from ~/.aws_secrets
    aws_config = YAML::load_file(File.join(Dir.home, ".aws_secrets"))
    aws.access_key_id = aws_config.fetch("access_key_id")
    aws.secret_access_key = aws_config.fetch("secret_access_key")
    aws.keypair_name = aws_config.fetch("keypair_name")
    # Build the EC2 'Name' tag from the per-user prefix
    name = aws_config.fetch("instance_name_prefix") + " Some descriptive name"
    aws.tags = {
      'Name' => name
    }
    override.ssh.username = "root"
    override.ssh.private_key_path = aws_config.fetch("keypair_path")
  end

  config.vm.provision :puppet do |puppet|
    puppet.manifests_path = "puppet/manifests"
    puppet.manifest_file  = "init.pp"
    puppet.module_path = "puppet/modules"
    puppet.options = "--verbose"
  end
end

@deinspanjer

I just bumped into the issue with having a Vagrantfile that contains the actual secret_access_key and having that be rsynced up to the /vagrant folder of the running instance.

Might be nice to prevent this somehow. Is there any reason that we couldn't just exclude Vagrantfile from the sync or better yet, create a "shared" folder and only rsync the contents of that by default?

@andrewcstewart

Vagrant might rely on other content of the synced Vagrantfile (does it?). Seems the better solution is to separate out AWS keys from the Vagrantfile via an AWS keys file outside of the vagrant root.

On Sep 26, 2013, at 5:33 PM, Daniel Einspanjer [email protected]
wrote:

I just bumped into the issue with having a Vagrantfile that contains the
actual secret_access_key and having that be rsynced up to the /vagrant
folder of the running instance.

Might be nice to prevent this somehow. Is there any reason that we couldn't
just exclude Vagrantfile from the sync or better yet, create a "shared"
folder and only rsync the contents of that by default?



@tralamazza
Collaborator

vagrant-aws doesn't rely on anything synced.

I think the local folder is synced for historical reasons, I think most providers do that no?!

Should we ignore just Vagrantfile or everything in .gitignore? Btw .vagrant is ignored.

@jayjanssen
Copy link

My example puts the .aws_secrets in your home directory, which I'd guess would typically not be your Vagrant root.

@tralamazza
Collaborator

We will soon have a "rsync ignored files" config param.

@jimm101

jimm101 commented Jul 17, 2014

I'm coming to this party late ... but can we do something with data bags? The ssl cookbook is a great example. This would keep things even more secure, and simplify setting up development environments for other team members. I'll submit a pull request if there's interest ...

@timurb
Contributor

timurb commented Jul 18, 2014

For dynamically switching the AWS access keys I use the following shell wrapper:

#!/bin/sh
# One wrapper script per client/account; the XXX values are placeholders
export AWS_ACCESS_KEY_ID=XXXXXXXX
export AWS_SECRET_ACCESS_KEY=XXXXXX
# Run the wrapped command (e.g. "vagrant up") with the keys in its environment
eval "$@"

Name it like asfoobar for example where foobar is a client name and use it like asfoobar vagrant up.

I use these keys from the Vagrantfile like the following

#.....
  config.vm.provider "aws" do |aws,override|
    #.....
    aws.access_key_id = ENV['AWS_ACCESS_KEY_ID']
    aws.secret_access_key = ENV['AWS_SECRET_ACCESS_KEY']
    #.....
  end
#.....

Hope it will help somebody.

@kenorb

kenorb commented Apr 15, 2016

Fixed in #151?
