Third Base - Shared and secured access AWS keys

However, there was one problem: we have to maintain a lot of AWS keys! Our fine-grained access control implementation means we use lots of AWS keys: 24 of them, spread out over the dev, tst, acc and prd environments. Making changes to Terraform to create new keys was the easy part. Extracting all of them from the Terraform output, decrypting them and then distributing them to GitLab (from where Terraform deploys our infrastructure) and 1Password (where we store all our secrets for safekeeping) was super tedious.

Once we had the AWS key distribution to the CI/CD pipelines automated, we stopped having broken builds due to incorrect or otherwise missing AWS keys. However, sometimes CI/CD is not available and we need to run our automation pipelines manually (i.e. …). Given the way we set up our CI/CD that shouldn't be a problem, since we can easily execute the same script that the jobs execute. Except, the CI/CD variables have the latest and correct AWS keys while our laptops did not!

Now, what if our laptops (automatically) had access to the exact same AWS keys as the CI/CD pipelines do? In other words, what if we could distribute the same AWS keys to both the CI/CD pipeline and the developers? That way we would be absolutely sure they do not diverge.

Enter Keybase. Keybase is a nice up-and-coming project, "A Slack but for the whole world." as they say on their site. Everything is end-to-end encrypted based on asymmetric key cryptography. We learned about Keybase while using Terraform, because Terraform can use Keybase to encrypt the AWS keys held in its state: you give it a Keybase user handle and it encrypts the secret key with that user's public PGP key. This protects the key that is stored in a shared state file and ensures only its owner can actually use it (by using Keybase to decrypt it).

Furthermore, Keybase provides a user-space mount point (usually at /keybase) that simulates a filesystem tree containing 3 main directories:

- public: holds files that the user wants to make publicly available.
- private: holds files that the user wants to keep private.
- team: holds sub-directories per team the user is a member of, with private files that are available to the members of each team.

What is so special about this filesystem tree is that the files and directories are not actually on the local filesystem; instead, each time we access them the Keybase client makes a call to the Keybase APIs to retrieve them. For us the implementation that made most sense is the one that leverages Keybase teams to store shared AWS keys.
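The distribution pipeline described above, as an added example that is not code from the original post: it reads the `terraform output -json` document, decrypts each `encrypted_secret` with the local Keybase client (the same `base64 --decode | keybase pgp decrypt` step Terraform documents for access keys created with `pgp_key = "keybase:<handle>"`), and writes one AWS credentials file per environment under a Keybase team folder, from which a laptop and a CI job then read identical keys. The output name `aws_keys`, the `/keybase/team/<team>/aws/<env>/credentials` layout and the sample Terraform output are assumptions; the sample secrets are base64 placeholders decrypted by a stub so the script runs offline.

```python
"""Distribute Terraform-created AWS keys through a Keybase team folder.

Added example, not the post's own tooling. Assumptions (hypothetical):
  * `terraform output -json` contains an output named `aws_keys` whose value is
    {env: {"id": <access key id>, "encrypted_secret": <base64 PGP blob>}}.
  * The secrets were encrypted by Terraform with pgp_key = "keybase:<handle>",
    so `keybase pgp decrypt` (reading stdin) can decrypt the base64-decoded blob.
  * Shared files live at /keybase/team/<team>/aws/<env>/credentials.
"""
import base64
import configparser
import json
import subprocess
from pathlib import Path
from typing import Callable, Dict

# Constructed sample of `terraform output -json`. The "encrypted" secrets are plain
# base64 placeholders, not PGP messages, so the offline demo can use a stub decryptor.
SAMPLE_TF_OUTPUT = json.dumps({
    "aws_keys": {
        "sensitive": False,
        "type": ["object", {}],
        "value": {
            "dev": {"id": "AKIAEXAMPLEDEV000000",
                    "encrypted_secret": base64.b64encode(b"dev-secret").decode()},
            "prd": {"id": "AKIAEXAMPLEPRD000000",
                    "encrypted_secret": base64.b64encode(b"prd-secret").decode()},
        },
    }
})


def keybase_decrypt(encrypted_b64: str) -> str:
    """Decrypt a Terraform `encrypted_secret` with the logged-in Keybase CLI.

    Equivalent to: terraform output -raw ... | base64 --decode | keybase pgp decrypt
    Needs a running, logged-in keybase client; not exercised in the offline demo.
    """
    result = subprocess.run(["keybase", "pgp", "decrypt"],
                            input=base64.b64decode(encrypted_b64),
                            capture_output=True, check=True)
    return result.stdout.decode().strip()


def looks_like_access_key_id(key_id: str) -> bool:
    """Sanity check before writing: AWS access key ids are 20 upper-case
    alphanumerics starting with AKIA (long-lived) or ASIA (temporary)."""
    return (len(key_id) == 20 and key_id[:4] in ("AKIA", "ASIA")
            and key_id.isalnum() and key_id.isupper())


def extract_keys(tf_output_json: str, output_name: str = "aws_keys") -> Dict[str, Dict[str, str]]:
    """Pull {env: {"id", "encrypted_secret"}} out of a `terraform output -json` document."""
    data = json.loads(tf_output_json)
    try:
        return data[output_name]["value"]
    except KeyError as exc:
        raise KeyError(f"output {output_name!r} missing or malformed") from exc


def distribute(tf_output_json: str, team_dir: Path,
               decrypt: Callable[[str], str] = keybase_decrypt) -> Dict[str, Path]:
    """Write <team_dir>/<env>/credentials for every environment; returns {env: path}.

    Inside /keybase/team/<team>/ read access is governed by team membership, so
    no chmod is attempted (KBFS is not a local filesystem).
    """
    written: Dict[str, Path] = {}
    for env, key in extract_keys(tf_output_json).items():
        if not looks_like_access_key_id(key["id"]):
            raise ValueError(f"{env}: {key['id']!r} does not look like an AWS access key id")
        target = team_dir / env / "credentials"
        target.parent.mkdir(parents=True, exist_ok=True)
        # interpolation=None: secret keys may contain '%' which configparser
        # would otherwise treat as an interpolation marker.
        cfg = configparser.ConfigParser(interpolation=None)
        cfg["default"] = {"aws_access_key_id": key["id"],
                          "aws_secret_access_key": decrypt(key["encrypted_secret"])}
        with open(target, "w") as fh:
            cfg.write(fh)
        written[env] = target
    return written


def load_env(team_dir: Path, env: str) -> Dict[str, str]:
    """Read the shared credentials for one environment (same call on a laptop and
    in CI) and return the variables the AWS CLI, SDKs and Terraform expect."""
    path = team_dir / env / "credentials"
    if not path.is_file():
        raise FileNotFoundError(f"no shared credentials for {env!r} at {path}")
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(path)
    section = cfg["default"]
    return {"AWS_ACCESS_KEY_ID": section["aws_access_key_id"],
            "AWS_SECRET_ACCESS_KEY": section["aws_secret_access_key"]}


def _stub_decrypt(encrypted_b64: str) -> str:
    """Offline stand-in for keybase_decrypt used only with SAMPLE_TF_OUTPUT."""
    return base64.b64decode(encrypted_b64).decode()


if __name__ == "__main__":
    import sys
    import tempfile
    # Pass /keybase/team/<team>/aws as argv[1] for the real thing; a temp dir otherwise.
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(tempfile.mkdtemp())
    for env_name, path in distribute(SAMPLE_TF_OUTPUT, root, decrypt=_stub_decrypt).items():
        print(env_name, path, load_env(root, env_name)["AWS_ACCESS_KEY_ID"])  # never print the secret
```

A CI job and a developer laptop both call `load_env(Path("/keybase/team/<team>/aws"), "prd")` (or source the same file), so the keys cannot diverge. Keep in mind that team membership is now the access boundary for every environment whose keys sit in that folder; putting prd keys in a separate team or sub-team preserves the least-privilege split the 24 keys were created for, and the keys remain long-lived IAM credentials that still need rotating, which this script only makes cheaper to redistribute.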