Terraform Upload Failed: Lease Login as the User Ubuntu Rather Than the User Root.
Traditionally, developers looking to safely provision infrastructure using Terraform are given their own set of long-lived, scoped AWS credentials. While this gives developers freedom, using long-lived credentials can be unsafe and difficult to secure.
- Operators need to manage a large number of static, long-lived AWS IAM credentials with varying scope.
- Long-lived credentials on a developer's local machine create a large attack surface. If a malicious actor gains access to the credentials, they could use them to damage resources.
You can address both concerns by storing your long-lived AWS credentials in HashiCorp Vault's AWS Secrets Engine, then leveraging Terraform's Vault provider to generate appropriately scoped, short-lived AWS credentials for Terraform to use when provisioning resources in AWS.
As a result, operators (Vault Admin) avoid managing static, long-lived secrets with varying scope, and developers (Terraform Operator) can provision resources without having direct access to the secrets.
In this tutorial, you assume the role of both the Vault Admin and the Terraform Operator.
- First, as a Vault Admin, you will configure the AWS Secrets Engine in Vault.
- Then, as a Terraform Operator, you will connect to the Vault instance to retrieve dynamic, short-lived AWS credentials generated by the AWS Secrets Engine and use them to provision an Ubuntu EC2 instance.
- Finally, as a Vault Admin, you will remove the Terraform Operator's ability to manipulate EC2 instances by modifying the policy for the corresponding Vault role.
Throughout this journey, you'll learn about the benefits and considerations this approach has to offer.
Warning! If you're not using an account that qualifies under the AWS free tier, you may be charged to run these examples. The most you should be charged should only be a few dollars, but we're not responsible for any charges that may incur.
»Prerequisites
In order to follow this tutorial, you should be familiar with the usual Terraform plan/apply workflow and Vault. If you're new to Terraform, refer first to the Terraform Getting Started tutorial. If you're new to Vault, refer first to the Vault Getting Started tutorial.
In addition, you will need the following:
- Terraform installed locally
- Vault installed locally
- an AWS account and AWS Access Credentials
If you don't have AWS Access Credentials, create your AWS Access Key ID and Secret Access Key by navigating to your service credentials in the IAM service on AWS. Click "Create access key" there to view your AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. You will need these values later.
»Start Vault server
Start a Vault server in development mode with education as the root token. Leave this process running in your terminal window.
$ vault server -dev -dev-root-token-id="education"
==> Vault server configuration:

             Api Address: http://127.0.0.1:8200
                     Cgo: disabled
         Cluster Address: https://127.0.0.1:8201
              Go Version: go1.14.4
              Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: info
                   Mlock: supported: false, enabled: false
           Recovery Mode: false
                 Storage: inmem
                 Version: Vault v1.4.3
             Version Sha: 491533b63ec9c1343eac3a24d8a7558185a0acb7+CHANGES
Your Vault server should now be up. Navigate to localhost:8200 and log into the instance using your root token: education.
»Clone repository
In your terminal, clone the Inject Secrets repository and navigate into the directory. It contains the example configurations used in this tutorial.
$ git clone https://github.com/hashicorp/learn-terraform-inject-secrets-aws-vault && cd learn-terraform-inject-secrets-aws-vault
This directory should contain two Terraform workspaces: a vault-admin-workspace and an operator-workspace.
$ tree
.
├── README.md
├── operator-workspace
│   ├── main.tf
│   └── versions.tf
└── vault-admin-workspace
    ├── main.tf
    └── versions.tf
»Configure AWS Secrets Engine in Vault
In another terminal window (leave the Vault instance running), navigate to the Vault Admin directory.
$ cd vault-admin-workspace
In the main.tf file, you will find two resources:
- the vault_aws_secret_backend.aws resource configures the AWS Secrets Engine to generate a dynamic token that lasts for 2 minutes.
- the vault_aws_secret_backend_role.admin resource configures a role for the AWS Secrets Engine named dynamic-aws-creds-vault-admin-role with an IAM policy that grants it iam:* and ec2:* permissions.
This role will be used by the Terraform Operator workspace to dynamically generate AWS credentials scoped to this IAM policy.
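As an added illustration of the two resources just described (this is not the repository's own main.tf), a Vault Admin workspace that mounts the engine with a 120 second default lease and defines the role; the variable names, the max_lease_ttl_seconds value and the exact path format are assumptions:

```hcl
# Added illustration; not the tutorial repository's main.tf.
# Variable names are assumptions matching the TF_VAR_ exports used in this tutorial.
variable "aws_access_key" {}
variable "aws_secret_key" {}
variable "name" { default = "dynamic-aws-creds-vault-admin" }

# Mount the AWS secrets engine and hand it the long-lived root credentials.
# Every lease issued from this mount expires after 120 seconds unless renewed.
resource "vault_aws_secret_backend" "aws" {
  access_key = var.aws_access_key
  secret_key = var.aws_secret_key
  path       = "${var.name}-path"

  default_lease_ttl_seconds = 120
  max_lease_ttl_seconds     = 240 # assumed upper bound for lease renewal
}

# The role the operator workspace requests credentials from. Vault creates a
# throwaway IAM user carrying only this inline policy for each request.
resource "vault_aws_secret_backend_role" "admin" {
  backend         = vault_aws_secret_backend.aws.path
  name            = "${var.name}-role"
  credential_type = "iam_user"

  policy_document = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iam:*", "ec2:*"],
      "Resource": "*"
    }
  ]
}
EOF
}

# Consumed by the operator workspace through terraform_remote_state.
output "backend" {
  value = vault_aws_secret_backend.aws.path
}

output "role" {
  value = vault_aws_secret_backend_role.admin.name
}
```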
Before applying this configuration, set the required Terraform variables, substituting <AWS_ACCESS_KEY_ID> and <AWS_SECRET_ACCESS_KEY> with your AWS credentials. Notice that we're also setting the required Vault provider arguments as environment variables: VAULT_ADDR and VAULT_TOKEN.
$ export TF_VAR_aws_access_key=<AWS_ACCESS_KEY_ID>
$ export TF_VAR_aws_secret_key=<AWS_SECRET_ACCESS_KEY>
$ export VAULT_ADDR=http://127.0.0.1:8200
$ export VAULT_TOKEN=education
Initialize the Vault Admin workspace.
In your initialized directory, run terraform apply, review the planned actions, and confirm the run with a yes.
$ terraform apply
# ...
Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

The state of your infrastructure has been saved to the path
below. This state is required to modify and destroy your
infrastructure, so keep it safe. To inspect the complete state
use the `terraform show` command.

State path: terraform.tfstate

Outputs:

backend = "dynamic-aws-creds-vault-admin-path"
role = "dynamic-aws-creds-vault-admin-role"
Notice that there are two output variables named backend and role. These output variables will be used by the Terraform Operator workspace in a later step.
If you go to the terminal where your Vault server is running, you should see Vault output something similar to the line below. This means Terraform was able to mount the AWS Secrets Engine at the specified path. The role has also been configured, although it is not output in the logs.
[INFO] core: successful mount: namespace= path=dynamic-aws-creds-vault-admin-path/ type=aws
»Provision compute instance
Now that you have successfully configured Vault's AWS Secrets Engine, you can retrieve a dynamic, short-lived AWS token to provision an EC2 instance.
Navigate to the Terraform Operator workspace.
$ cd ../operator-workspace
In the main.tf file, you should find the following data and resource blocks:
- the terraform_remote_state.admin data block retrieves the Terraform state file generated from your Vault Admin workspace
- the vault_aws_access_credentials.creds data block retrieves the dynamic, short-lived AWS credentials from your Vault instance. Notice that this uses the Vault Admin workspace's output variables: backend and role
- the aws provider is initialized with the short-lived credentials retrieved by vault_aws_access_credentials.creds. The provider is configured to the us-east-1 region, as defined by the region variable
- the aws_ami.ubuntu data block retrieves the most recent Ubuntu image
- the aws_instance.main resource block creates a t2.micro EC2 instance
Tip: We recommend using provider-specific data sources when convenient. terraform_remote_state is more flexible, but requires access to the whole Terraform state.
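As an added illustration of the operator workspace described above (not the repository's own main.tf), showing how the two data blocks feed the aws provider so that no static key ever appears in the configuration; the AMI name filter, the local state path and the variable defaults are assumptions:

```hcl
# Added illustration; not the tutorial repository's main.tf.
# The AMI filter and the remote state path are assumptions.
variable "name"   { default = "dynamic-aws-creds-operator" }
variable "region" { default = "us-east-1" }

# Pull the backend path and role name the Vault Admin workspace exported.
data "terraform_remote_state" "admin" {
  backend = "local"
  config = {
    path = "../vault-admin-workspace/terraform.tfstate"
  }
}

# Ask Vault for a fresh IAM user. The lease clock starts here, at plan time,
# so a slow confirmation of `terraform apply` can outlive the 120 s TTL.
data "vault_aws_access_credentials" "creds" {
  backend = data.terraform_remote_state.admin.outputs.backend
  role    = data.terraform_remote_state.admin.outputs.role
}

# The provider is fed only the leased key pair; nothing here is long-lived.
provider "aws" {
  region     = var.region
  access_key = data.vault_aws_access_credentials.creds.access_key
  secret_key = data.vault_aws_access_credentials.creds.secret_key
}

# Most recent Ubuntu image published by Canonical (AWS owner ID 099720109477).
data "aws_ami" "ubuntu" {
  most_recent = true
  owners      = ["099720109477"]
  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-*-amd64-server-*"]
  }
}

# The instance the tutorial searches for by its Name tag on the EC2 page.
resource "aws_instance" "main" {
  ami           = data.aws_ami.ubuntu.id
  instance_type = "t2.micro"
  tags = {
    Name = "${var.name}-instance"
  }
}
```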
Initialize the Terraform Operator workspace.
Navigate to the IAM Users page in the AWS Console. Search for the username prefix vault-token-terraform-dynamic-aws-creds-vault-admin. Nothing should show up on your initial search. However, a user with this prefix should appear on terraform plan or terraform apply.
Apply the Terraform configuration, remembering to confirm the run with a yes. Terraform will provision the EC2 instance using the dynamic credentials generated from Vault.
Refresh the IAM Users page and search for the vault-token-terraform-dynamic-aws-creds-vault-admin prefix. You should see an IAM user.
This IAM user was generated by Vault with the IAM policy configured by the Vault Admin workspace. Because default_lease_ttl_seconds is set to 120 seconds, Vault will revoke those IAM credentials and they will be removed from the AWS IAM console after 120 seconds.
Tip: The token's lifetime starts from the moment the configuration retrieves the temporary AWS credentials (on terraform plan or terraform apply). If the apply run is confirmed after the 120 seconds, the run will fail because the credentials used to initialize the Terraform AWS provider have expired. For these instances or large multi-resource configurations, you may need to adjust default_lease_ttl_seconds.
Navigate to the EC2 page and search for dynamic-aws-creds-operator. You should see an instance provisioned by the Terraform Operator workspace using the short-lived AWS credentials.
Every Terraform run with this configuration will use its own unique set of AWS IAM credentials that are scoped to whatever the Vault Admin has defined.
The Terraform Operator doesn't have to manage long-lived AWS credentials locally. The Vault Admin only has to manage the Vault role rather than numerous, multi-scoped, long-lived AWS credentials.
After 120 seconds, you should see the following in the terminal running Vault.
2020-07-13T16:07:55.755-0700 [INFO] expiration: revoked lease: lease_id=dynamic-aws-creds-vault-admin-path/creds/dynamic-aws-creds-vault-admin-role/z1PKR7Y623fk0ZQWW1kwaVVY
This shows that Vault has destroyed the short-lived AWS credentials generated for the apply run.
»Destroy EC2 instance
Destroy the EC2 instance, remembering to confirm the run with a yes.
This run should have generated and used another set of IAM credentials. Verify that your EC2 instance has been destroyed by viewing the EC2 page of your AWS Console.
»Restrict Vault role's permissions
If the Vault Admin wanted to remove the Terraform Operator's EC2 permissions, they would only need to update the Vault role's policy.
Navigate to the Vault Admin workspace.
$ cd ../vault-admin-workspace
Remove "ec2:*" from the vault_aws_secret_backend_role.admin resource in your main.tf file.
$ sed -i '' -e 's/, \"ec2:\*\"//g' main.tf

resource "vault_aws_secret_backend_role" "admin" {
  backend         = vault_aws_secret_backend.aws.path
  name            = "${var.name}-role"
  credential_type = "iam_user"

  policy_document = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
-        "iam:*", "ec2:*"
+        "iam:*"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}
This change removes the Terraform Operator's ability to provision any AWS EC2 instance.
Apply the Terraform configuration, remember to confirm the run with a yes.
»Verify restricted Terraform Operator permissions
Navigate to the Terraform Operator workspace.
$ cd ../operator-workspace
Run terraform plan. This plan should fail because the Terraform Operator no longer has CRUD permissions on EC2 instances due to the changes to the dynamic-aws-creds-vault-admin role.
$ terraform plan
Error: UnauthorizedOperation: You are not authorized to perform this operation.
	status code: 403, request id: 8bb1d1f8-5667-456a-9fee-8387e0e2ceb0
»Benefits and considerations
This approach to secret injection:
- alleviates the Vault Admin's responsibility for managing numerous, multi-scoped, long-lived AWS credentials,
- reduces the risk from a compromised AWS credential in a Terraform run (if a malicious user gains access to an AWS credential used in a Terraform run, that credential is only valid for the length of the token's TTL),
- allows a role's permissions to be managed through a Vault role rather than through the distribution and management of static AWS credentials,
- enables developers to provision resources without managing local, static AWS credentials.
However, this approach may run into issues when applied to large multi-resource configurations. The generated dynamic AWS credentials are only valid for the length of the token's TTL. As a consequence, if:
- the apply process exceeds the TTL and the configuration still needs to provision another resource, or
- the apply confirmation time exceeds the TTL,
the apply process will fail because the short-lived AWS credentials have expired.
You could increase the TTL to accommodate your situation; however, this also increases how long the temporary AWS credentials are valid, widening the window a malicious actor has to use them.
»Summary
Congratulations! You have successfully:
- configured Vault's AWS Secrets Engine through Terraform,
- used dynamic short-lived AWS credentials to provision infrastructure, and
- restricted the AWS credentials' permissions by adjusting the corresponding Vault role.
Remember to clean up your environment by destroying all resources in both the Vault Admin and Terraform Operator workspaces.
$ terraform destroy --auto-approve && cd ../vault-admin-workspace && terraform destroy --auto-approve
Remember to stop the local Vault instance used in this tutorial by hitting Ctrl + C in the terminal window running Vault.
Now that you have injected secrets into Terraform using the Vault provider, you may like to:
- Watch a video exploring Best Practices for using Terraform with Vault.
- Learn how to codify management of Vault OSS and Vault Enterprise.
- Learn more about the various Vault secrets engines.
- Take your security to the next level by leveraging Terraform Enterprise's Secure Storage of Variables to safely store sensitive variables like the Vault token used for authentication.
- Learn more about the Terraform Vault provider.
Source: https://learn.hashicorp.com/tutorials/terraform/secrets-vault