Using MFA with Beanstalker


Santeri Korri

Feb 2, 2014, 2:28:45 PM
to beanstal...@googlegroups.com
Hi,

First of all, thanks for the good work to anyone who has contributed to this plugin. It has helped us immensely!

We've now run the plugin as the key part of our Beanstalk deployment workflow for some time now. Now I'd like to tighten up security a bit, and start requiring multi-factor authentication when using AWS APIs.

My first idea was to create a new session using AWS CLI, put the credentials to environment variables and then have Beanstalker use them in pom. However, whereas getting temporary credentials using the AWS CLI works fine, I've hit two problems when trying to use these with the plugin:
- Specifying access and secret key in places other than settings.xml does not seem to work, has this been deprecated?
- There doesn't seem to be a way of submitting the session token along with the temporary keys, is this something that could in principle be added?

Any pointers would be appreciated!

Best Regards,
Santeri Korri


Aldrin Leal

Feb 2, 2014, 2:46:42 PM
to beanstal...@googlegroups.com
I was planning to make it more modular (like, say, using AWS Instance Profiles). Do you have an idea of how to achieve this? I mean, from your operational standpoint?

A temporary approach would be to use settings.xml to reference ${env.AWS_ACCESS_KEY_ID} for instance - it should work without a hitch (in theory)

--
-- Aldrin Leal, <ald...@leal.eng.br>
Master your EC2-fu! Get the latest ekaterminal public beta http://www.ingenieux.com.br/products/ekaterminal/



Santeri Korri

Feb 2, 2014, 4:03:22 PM
to beanstal...@googlegroups.com
Aldrin,

Thanks for the quick response!

Not sure how this could be achieved with instance profiles, I haven't really worked with them, aren't those about authorizing EC2 instances to do stuff?

Yes, I tried the ${env.AWS_ACCESS_KEY_ID} in settings.xml already, but I think for the API calls to succeed they still need the token to be supplied on top of the access and secret keys (at least that's the case for aws cli), any pointers where this should be added?

-Santeri

Aldrin Leal

Feb 2, 2014, 4:07:42 PM
to beanstal...@googlegroups.com
On AbstractAWSMojo.

Look, if this is critical, I'm available for consulting so we could look into it together

(the beanstalker README.md contains the details)

--
-- Aldrin Leal, <ald...@leal.eng.br>
Master your EC2-fu! Get the latest ekaterminal public beta http://www.ingenieux.com.br/products/ekaterminal/


Santeri Korri

Feb 3, 2014, 5:46:52 AM
to beanstal...@googlegroups.com
Hi Aldrin,

Once I found the place this turned out to be pretty straightforward, so I created a pull request for it.

-Santeri

Aldrin Leal

Feb 3, 2014, 6:26:19 PM
to beanstal...@googlegroups.com
I tried with EC2/STS and it didn't work. But perhaps it's some IAM stuff, so give me more time to look at the patch


Aldrin Leal

Feb 3, 2014, 8:21:30 PM
to beanstal...@googlegroups.com
Oops, STS doesn't support beanstalk. Just confirm the 1.2.1-SNAPSHOT from sonatype-snapshots is working fine and then I'll release it, okay?

--
-- Aldrin Leal, <ald...@leal.eng.br>
Master your EC2-fu! Get the latest ekaterminal public beta http://www.ingenieux.com.br/products/ekaterminal/


Santeri Korri

Feb 5, 2014, 10:45:20 AM
to beanstal...@googlegroups.com
Aldrin,

Indeed, it seems I cut some corners in testing. It does seem to work with credentials obtained from aws cli get-session-token call. However, if I enable the requirement for MFA for API calls, then it does not work even though the temporary credentials were obtained with MFA.

While this technically works, I see no use case for it, so for me it does not make sense to go forward at this point. Do you see some sensible use case here?

-Santeri

Aldrin Leal

Feb 5, 2014, 10:56:11 AM
to beanstal...@googlegroups.com
Not really. I believe the best safety you could add is to use an exclusive IAM Key + Adding Conditions (like time and source ip)


--
-- Aldrin Leal, <ald...@leal.eng.br>
Master your EC2-fu! Get the latest ekaterminal public beta http://www.ingenieux.com.br/products/ekaterminal/
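
The kind of policy the reply above suggests (a dedicated IAM key restricted by time and source IP), as an added example that is not part of the original thread or of the Beanstalker project. The CIDR range, the dates, the `Sid` and the action list are constructed placeholders; a real Beanstalk deployment key needs permissions on further services, which are left out here.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleDeployFromFixedIpInsideWindow",
      "Effect": "Allow",
      "Action": ["elasticbeanstalk:*"],
      "Resource": "*",
      "Condition": {
        "IpAddress": { "aws:SourceIp": "203.0.113.0/24" },
        "DateGreaterThan": { "aws:CurrentTime": "2014-02-01T00:00:00Z" },
        "DateLessThan": { "aws:CurrentTime": "2014-03-01T00:00:00Z" }
      }
    }
  ]
}
```

All three condition operators must match for the statement to allow a request, so a key attached only to this policy is refused from any other address or outside the date window.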


Aldrin Leal

Oct 29, 2014, 11:29:37 PM
to beanstal...@googlegroups.com
Santeri,

This might work actually:

https://forums.aws.amazon.com/ann.jspa?annID=2638

Can you give it a try?

--
-- Aldrin Leal, <ald...@leal.eng.br>
Master your EC2-fu! Get the latest ekaterminal public beta http://www.ingenieux.com.br/products/ekaterminal/
