Closed Bug 1485986 Opened 2 years ago Closed 2 years ago

EC2-Manager should allow credential generation based on Instance Identity Documents

Categories

(Taskcluster :: Services, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: jhford, Assigned: wcosta)

Attachments

(2 files)

Once we have bug 1485984 resolved, we should add an endpoint to EC2-Manager which allows EC2 instances to get a set of credentials specific to their instance id.
Attached file PR
Link to PR
Hi Wander.  The node.js library is complete for doing the validations.  Do you have time to finish up PR#54 or should I pick it up?  Thanks.
Flags: needinfo?(wcosta)
(In reply to John Ford [:jhford] CET/CEST Berlin Time from comment #2)
> Hi Wander.  The node.js library is complete for doing the validations.  Do
> you have time to finish up PR#54 or should I pick it up?  Thanks.

I am currently porting docker-worker to GCP, not sure when I will finish, but I believe not after the end of next week.
Flags: needinfo?(wcosta)
Attached file rsa2048-keys.zip
These are the public keys for us-[east]-[1,2] and eu-central-1
Assignee: nobody → wcosta
Status: NEW → ASSIGNED
I am not able to verify new documents, it feels like something changed on Amazon's side or I am doing something wrong. Could you please double check by downloading a new pair of document/rsa2048 and verify it?
Flags: needinfo?(jhford)
(In reply to Wander Lairson Costa [:wcosta] from comment #5)
> I am not able to verify new documents, it feels like something changed on
> Amazon's side or I am doing something wrong. Could you please double check by
> downloading a new pair of document/rsa2048 and verify it?

I would have to boot a new instance, specially for this.  Could you log into a Docker-Worker instance and download them?
Flags: needinfo?(jhford)
(In reply to John Ford [:jhford] CET/CEST Berlin Time from comment #6)
> (In reply to Wander Lairson Costa [:wcosta] from comment #5)
> > I am not able to verify new documents, it feels like something changed on
> > Amazon's side or I am doing something wrong. Could you please double check by
> > downloading a new pair of document/rsa2048 and verify it?
> 
> I would have to boot a new instance, specially for this.  Could you log into
> a Docker-Worker instance and download them?

You can get the docs and keys here https://github.com/walac/ec2-manager/tree/secrets-endpoint/test/testdata
Those are the ones I am using.

Pete: I'm not sure where this fits in to the remove-provisioner-secrets puzzle, but figured you should at least be cc-ed.

Component: AWS-Provisioner → Services
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → WONTFIX