[Cialug] Access credentials for new cloud instances

Christopher Rhodes arreyder at apache.org
Sat Jan 28 09:08:24 CST 2012


> In an environment where you're using dynamic cloud instances (i.e. you
> spin them up and down as demand grows and ebbs) there is a need for your
> new instance to talk to your various infrastructure.
>
> For example, you might need to script the installation of your code
> downloaded from a central server. There are two ways to do this that come
> to mind first: use hard-coded user credentials (i.e. user/password) or use
> a hard-coded private/public key. Both of these have a problem, in that you
> have to securely communicate this material to the new guest. A further
> disadvantage is that you can't revoke only one instance's credentials.
>
> Another option that I have thought of would be to generate credentials on
> the guest and then somehow authorize them for the new server. This also
> has problems: namely that you need a secure channel to communicate your new
> credentials with the server and possibly an automatic way to enable them
> and authorize the client.
>
> I was curious if anyone else here has thought about this problem and what
> they think is a good solution. Again, the goal is to have as automated a
> process as possible. It would be awesome for the infrastructure to respond
> to demand magically in the night without sysadmin intervention.
>
>
I do this a few ways. The way I like the best is generating a signed
certificate for the new node at bootstrap time (private CA) and pushing it
to the machine. It then uses that cert for auth to anything it needs to
access. I also distribute ssh keys and an sshd_config at bootstrap time as
well as set up iptables and IPsec (using the certs we deployed for auth and
encryption on the IPsec). Mostly just another layer here, and I skip the
IPsec for stuff like MySQL and httpd connections that will happily use the
cert for auth and encryption. The packages deployed to these servers for my
applications also come from an httpd server instance that uses the certs
for authentication. Just a few examples; this works with many things, and
for the few it does not, there's IPsec or stunnel. :)

When the node goes away I revoke the cert.

crr

--------------------------------------------
arreyder at apache.org
christopher.rhodes at rackspace.com
--------------------------------------------
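The per-node certificate lifecycle the reply above describes (a private CA issues a cert at bootstrap, services authenticate the node against that CA, and the cert is revoked when the node goes away), as an added example that is not code from the original post or its author. It is a self-contained Go program using only the standard library's crypto/x509; the CA name, the instance IDs, the one-hour node cert lifetime and the 24-hour CRL lifetime are assumptions, and the CA is kept in memory here rather than on a protected host as it would be in practice.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NodeCA is a hypothetical in-memory private CA: it issues one short-lived
// client cert per instance at bootstrap and signs a CRL so one node can be cut off alone.
type NodeCA struct {
	Cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	seq     int64 // monotonic counter shared by cert serials and CRL numbers
	revoked []pkix.RevokedCertificate
}

// mint generates a P-256 key and a certificate for it; parent == nil means self-signed (the root).
func mint(tmpl, parent *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, caKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewNodeCA creates the private CA root (the name and lifetime are assumptions).
func NewNodeCA() (*NodeCA, error) {
	now := time.Now()
	cert, key, err := mint(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-private-ca"},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	return &NodeCA{Cert: cert, key: key, seq: 1}, nil
}

// IssueNodeCert mints the node's key pair and a client cert naming the instance;
// this cert and key are what gets pushed to the new machine at bootstrap.
func (ca *NodeCA) IssueNodeCert(nodeID string, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	ca.seq++
	now := time.Now()
	return mint(&x509.Certificate{
		SerialNumber: big.NewInt(ca.seq),
		Subject:      pkix.Name{CommonName: nodeID},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca.Cert, ca.key)
}

// Revoke records a node's certificate as revoked; the next CRL carries it.
func (ca *NodeCA) Revoke(c *x509.Certificate) {
	ca.revoked = append(ca.revoked, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
}

// CRL signs the current revocation list (DER) for distribution to the services.
func (ca *NodeCA) CRL() ([]byte, error) {
	ca.seq++
	now := time.Now()
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		RevokedCertificates: ca.revoked,
		Number:              big.NewInt(ca.seq),
		ThisUpdate:          now.Add(-time.Minute),
		NextUpdate:          now.Add(24 * time.Hour),
	}, ca.Cert, ca.key)
}

// Authenticate is the relying service's side (httpd, MySQL, an IPsec peer): it
// checks the chain to the private CA, the validity window and the clientAuth
// usage, then refuses anything listed on a CA-signed CRL. It returns the node
// identity carried in the certificate, so it can be used for authorization.
func Authenticate(caCert, presented *x509.Certificate, crlDER []byte, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := presented.Verify(opts); err != nil {
		return "", fmt.Errorf("chain verification failed: %w", err)
	}
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "", err
	}
	if err := rl.CheckSignatureFrom(caCert); err != nil {
		return "", fmt.Errorf("CRL not signed by our CA: %w", err)
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(presented.SerialNumber) == 0 {
			return "", fmt.Errorf("certificate serial %v is revoked", presented.SerialNumber)
		}
	}
	return presented.Subject.CommonName, nil
}
```

A service needs only the CA certificate and the current CRL to run Authenticate; those are the same two artifacts httpd's SSLCACertificateFile with SSLVerifyClient require, or MySQL's ssl-ca option, consume in the setups the reply mentions. Two things the example leaves out that matter in production: treat a CRL whose NextUpdate has passed as a failure rather than trusting it (fail closed and fetch a fresh one), and keep the CA key off the fleet entirely, since whoever holds it can mint a node identity.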