EC2-Manager should allow credential generation based on Instance Identity Documents

enhancement
ASSIGNED
9 months ago
3 months ago

People

(Reporter: jhford, Assigned: wcosta)

Tracking

(Blocks 1 bug)

Attachments

(2 attachments)

Once we have bug 1485984 resolved, we should add an endpoint to EC2-Manager which allows EC2 instances to get a set of credentials specific to its instance id.
Posted file PR
Link to PR
Hi Wander.  The node.js library is complete for doing the validations.  Do you have time to finish up PR#54 or should I pick it up?  Thanks.
Flags: needinfo?(wcosta)
(Assignee)

Comment 3

9 months ago
(In reply to John Ford [:jhford] CET/CEST Berlin Time from comment #2)
> Hi Wander.  The node.js library is complete for doing the validations.  Do
> you have time to finish up PR#54 or should I pick it up?  Thanks.

I am currently porting docker-worker to GCP; I'm not sure when I will finish, but I believe not after the end of next week.
Flags: needinfo?(wcosta)
Posted file rsa2048-keys.zip
These are the public keys for us-[east]-[1,2] and eu-central-1
(Assignee)

Updated

6 months ago
Assignee: nobody → wcosta
Status: NEW → ASSIGNED
(Assignee)

Comment 5

6 months ago
I am not able to verify new documents; it feels like something changed on Amazon's side or I am doing something wrong. Could you please double check by downloading a new pair of document/rsa2048 and verifying it?
Flags: needinfo?(jhford)
(In reply to Wander Lairson Costa [:wcosta] from comment #5)
> I am not able to verify new documents; it feels like something changed on
> Amazon's side or I am doing something wrong. Could you please double check by
> downloading a new pair of document/rsa2048 and verifying it?

I would have to boot a new instance especially for this. Could you log into a Docker-Worker instance and download them?
Flags: needinfo?(jhford)
(Assignee)

Comment 7

6 months ago
(In reply to John Ford [:jhford] CET/CEST Berlin Time from comment #6)
> (In reply to Wander Lairson Costa [:wcosta] from comment #5)
> > I am not able to verify new documents; it feels like something changed on
> > Amazon's side or I am doing something wrong. Could you please double check by
> > downloading a new pair of document/rsa2048 and verifying it?
> 
> I would have to boot a new instance especially for this. Could you log into
> a Docker-Worker instance and download them?

You can get the docs and keys here https://github.com/walac/ec2-manager/tree/secrets-endpoint/test/testdata
Those are the ones I am using.

Pete: I'm not sure where this fits into the remove-provisioner-secrets puzzle, but figured you should at least be cc-ed.

Component: AWS-Provisioner → Services
Product: Taskcluster → Taskcluster