Comments (3)
Hi Fernando,
Our practice at Segment is to grant access to Parameter Store keys on a need-to-know basis. Since our infrastructure runs almost entirely on AWS, we accomplish this through IAM policies and roles.
For example, if your service runs alone on an EC2 instance, you can associate that EC2 instance with a service role that has an IAM policy permitting access to the Parameter Store keys the service needs access to.
If, on the other hand, your service runs as an ECS task (i.e. container), you can assign an IAM role to the task comprising your service. Then, as with the EC2 example, that role would have an IAM policy attached permitting access to the Parameter Store keys used by your service.
Finally, at Segment, each environment (development, stage, production, etc.) is associated with a separate AWS Account. By default, no environment has access to the resources of any other environment, so there's no chance of cross-environment pollution unless we explicitly permit it (which is very rare).
References:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
- https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html
from chamber.
I see how you secure it.
I was thinking of the separation of services.
While coding this into Terraform, I ended up with something like this to limit access based on attached policies:
```hcl
statement {
  sid = "SSMGetParameters"
  actions = [
    "ssm:GetParameters",
  ]
  resources = [
    "arn:aws:ssm:${var.region}:${var.AccountID}:parameter/prod.app1.*",
    "arn:aws:ssm:${var.region}:${var.AccountID}:parameter/general.license-code",
  ]
}
```
from chamber.
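Putting the two comments above together, here is an added Terraform example (not code from the chamber project or from either commenter) of an ECS task role whose policy can read only one service's Parameter Store namespace. It assumes the `prod.app1.` prefix used above, a customer-managed KMS key for SecureString parameters passed in as `var.parameter_store_key_arn`, and `var.account_id` in place of the `var.AccountID` used in the comment.

```hcl
# Assumed inputs: region, account, and the KMS key that encrypts the parameters.
variable "region"                  { type = string }
variable "account_id"              { type = string }
variable "parameter_store_key_arn" { type = string }

# Only ECS tasks may assume this role; no human principal or other service can.
data "aws_iam_policy_document" "task_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "app1_task" {
  name               = "prod-app1-task"
  assume_role_policy = data.aws_iam_policy_document.task_assume.json
}

# Read-only, and scoped to this service's prefix: no PutParameter/DeleteParameter,
# and no visibility into other services' parameters in the same account.
data "aws_iam_policy_document" "app1_read_secrets" {
  statement {
    sid     = "ReadOwnParameters"
    actions = ["ssm:GetParameters", "ssm:GetParametersByPath"]
    resources = [
      "arn:aws:ssm:${var.region}:${var.account_id}:parameter/prod.app1.*",
    ]
  }
  # Decrypt is allowed only when the call is made on the task's behalf by SSM.
  statement {
    sid       = "DecryptViaParameterStore"
    actions   = ["kms:Decrypt"]
    resources = [var.parameter_store_key_arn]
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["ssm.${var.region}.amazonaws.com"]
    }
  }
}

resource "aws_iam_role_policy" "app1_read_secrets" {
  name   = "read-parameter-store"
  role   = aws_iam_role.app1_task.id
  policy = data.aws_iam_policy_document.app1_read_secrets.json
}
```

Reference `aws_iam_role.app1_task.arn` as the `task_role_arn` of the service's task definition; a second service gets its own role and its own prefix rather than a wildcard on `parameter/*`.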
A bigger sample here:
https://aws.amazon.com/blogs/compute/managing-secrets-for-amazon-ecs-applications-using-parameter-store-and-iam-roles-for-tasks/
from chamber.