SaltStack - Encrypt Provider ID and Secret - salt-stack

Is it possible to encrypt the AWS ID and Secret Key inside the salt cloud providers? Same issue Azure provider, the appid, secret, tenant etc are all exposed.
ec2-private:
minion:
master: 10.10.10.10
id: 'xxxxxxxxxxxx'
key: 'xxxxxxxxxxxxxxxxxxx' # Is it possible to encrypt this
private_key: /etc/salt/test.pem
keyname: test
ssh_interface: private_ips
securitygroup: sg_test_001
driver: ec2
I was wondering if its possible to encrypt the ID and Secrets? Or is it possible to prompt for ID and KEY?

Related

Google Cloud Composer get default service account private key

I'm using pymongo (from airflow hook) to connect to a mongo instance which implements FLE (Field Level Encryption) using google kms for the keys. We have a VM which has a service account file and this is how we configured it
hook = MongoHook(self.source_conn_id)
creds = json.load(open(self.gcs_service_account_keypath))
kms_providers = {
"gcp": {
"email": creds['client_email'],
"privateKey": creds['private_key'].replace(
'-----BEGIN PRIVATE KEY-----\n', '').replace(
'\n-----END PRIVATE KEY-----\n', '')
}
}
auto_encryption_opts = AutoEncryptionOpts(
kms_providers, key_vault_namespace=self.mongo_key_vault_namespace, bypass_auto_encryption=True)
hook.extras = {'auto_encryption_opts': auto_encryption_opts }
Now I'm trying to do the same in Cloud Composer but I can't find how to access the private key from the default service account in cloud composer. I could export the service account key, add it to secret manager and access it like that but it doesn't seem very good idea.
Any ideas how I can access it?
There are three types of service account private keys. Google managed, user managed and user supplied (imported).
You cannot directly access the private key from a compute service as the metadata server does not provide access to private keys - only tokens created from private keys.
The standard recommendation is to use the IAM APIs to sign blobs/JWTs.
Your other option is to use user managed where you download the service account JSON key file and provide that file to your application or load as a secret from Secret Manager or a similar service.
You can generate a service account key following these steps. Instead of using secret manager, you can put the private key in the GCS bucket associated to your environment and put it in your data folder: gs://bucket-name/data to make it accessible. For more information of utilization of Cloud storage bucket associated to your Cloud composer environment, you can refer to this documentation.

Do I need to Treat the Firebase Service Account Name as a Secret?

When I create a Firebase service account for the admin SDK, I retrieve credentials that include the service account name and private key to authenticate.
I'm managing the private key as a "secret" environment variable in my build tool, i.e. it won't be exposed to other users of the build tool.
Is it advised to also maintain the service account name as a secret or is it safe to expose it to other developers? I'm kind of comparing it to accessing an email account, where the email address is publicly known (compare: account name), but the password to the account stays secret (compare: private key), but I may be wrong here.
No, there is no need to worry about that name of the service account that you use. It's just the key that is used to help you identify the credentials, and has no meaning in securing those credentials.
If someone would be able to retrieve your full credentials based on the service account name, I'd say the problem is much bigger than just those credentials.

AWS Amplify cannot enter user keys

I am going through the tutorial for AWS Amplify and I get to the point where I am to enter the keys for the newly created user
I get prompted for the access key:
Enter the access key of the newly created user:
? accessKeyId: [hidden]
I paste in the value for this and the secret key. But then it seems to fail with
You did NOT enter valid keys.
New user setup failed.
Error: New user setup failed.
at C:\Users\RKevi\AppData\Roaming\npm\node_modules\#aws-amplify\cli\node_modules\amplify-provider-awscloudformation\lib\setup-new-user.js:108:13
at processTicksAndRejections (internal/process/task_queues.js:97:5)
Am I to type in the keys manually?
Thank you.

Permission denied on key when encrypting secrets.yml file with helm and gcp_kms

I have a keyring and key in Google Cloud KMS. I want to use the key to encrypt a secrets.yml file using helm secrets enc
I am the GCP project owner, and I have also given myself the specific encrypt/decrypt IAM role, which I don't think is needed, given I am the owner, but worth a try a thought.
I'm getting the following permission denied error when trying to run helm secrets enc secrets.yml:
Could not generate data key: [failed to encrypt new data key with
master key
"projects/myproject-266813/locations/global/keyRings/myKeyRing/cryptoKeys/myKey":
Failed to call GCP KMS encryption service: googleapi: Error 403:
Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on
resource
'projects/myproject-266813/locations/global/keyRings/myKeyRing/cryptoKeys/myKey'
(or it may not exist)., forbidden]
My .sops.yml file:
creation_rules:
- gcp_kms: projects/mirkwood-266813/locations/global/keyRings/lotr/cryptoKeys/cdlkey
I am authenticated with the correct gcp account, so what am I missing?
The answer to this turned out to be really simple:
gcloud auth application-default login
or
use a service account
gcloud auth login
on it's own did not work

Logging in to a database using encrypted keys

How to log into a db using encrypted keys ? If I use the encrypted string for the password to a particular database , can I login to the database ?If no then how to program the automatic decryption ?

Resources