Getting stuff done.
• Mark Eschbach
At this point I really want to move forward with these tasks. I’m willing to punt on specific container authorization for now and return to the problem later. That means all containers on the ECS Host system will authenticate to Vault as the host system and assume a specific role. Not particularly great but hey, that is where I’m at. Small steps with simple things.
Time to verify I’ve set the flag disallow_reauthentication to the correct setting since it’s already confused me once. Since hosts keep being cycled: curl https://releases.hashicorp.com/vault/0.7.0/vault_0.7.0_linux_amd64.zip -o vault.zip is the magic command to get version 0.7.0 of Vault. I was able to initially authorize a host, however the nonce immediately becomes an issue for reauthenticating on the host. At this point I’m wondering if I would be better off allowing all clients to access the secret through Docker’s API.
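Since that curl command runs on every freshly cycled host, it is worth checking the zip against the SHA256SUMS file HashiCorp publishes alongside each release before unzipping it. The script below is an added example and not code from the post; the download URLs follow the releases.hashicorp.com layout, and the version and file names are parameters you would set yourself.

```shell
#!/bin/sh
# Added example: fetch Vault 0.7.0 and verify it against HashiCorp's
# published SHA256SUMS before unzipping. Not from the original post.
set -eu

VAULT_VERSION="${VAULT_VERSION:-0.7.0}"
BASE="https://releases.hashicorp.com/vault/${VAULT_VERSION}"
ZIP="vault_${VAULT_VERSION}_linux_amd64.zip"
SUMS="vault_${VAULT_VERSION}_SHA256SUMS"

# Portable SHA-256 of a file (coreutils sha256sum, or shasum where that is absent).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Look up the expected digest for $2 in the SHA256SUMS file $1 and compare it
# with the file's actual digest. Returns 0 on match, 1 on mismatch or no entry.
verify_sha256() {
  sums_file="$1"; target="$2"
  expected=$(awk -v f="$(basename "$target")" '$2 == f { print $1 }' "$sums_file")
  [ -n "$expected" ] || { echo "no entry for $target in $sums_file" >&2; return 1; }
  actual=$(sha256_of "$target")
  [ "$expected" = "$actual" ] || { echo "checksum mismatch for $target" >&2; return 1; }
}

# Download zip and checksum list, refuse to unpack anything that does not verify.
fetch_and_verify() {
  curl -fsSL "${BASE}/${ZIP}" -o "$ZIP"
  curl -fsSL "${BASE}/${SUMS}" -o "$SUMS"
  verify_sha256 "$SUMS" "$ZIP"
  unzip -o "$ZIP" vault
}

case "${1:-}" in fetch) fetch_and_verify ;; esac
```

Run it as `sh fetch-vault.sh fetch` on the host. The checksum only protects against a corrupted or swapped zip; since the SHA256SUMS file comes from the same server, the stronger check is to also fetch the accompanying .sig file and verify it with HashiCorp's release signing key.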
Booting up and playing around with Vault inside an Alpine Linux container returned an interesting alternative I should look into: the instance identity document. Might be a red herring since there might not be one for ECS, however in the meantime it’s an interesting middle ground.
Alpine Linux doesn’t actually contain Bash at /bin/bash. Makes sense since they use BusyBox, which is a very pared down version of Linux. Need to use their more basic shell. I had to use apk add openssl to get wget retrieving across HTTPS for Vault. I could go down a rabbit hole with learning the packages I need to install, however this is just an experiment…so onto using the ubuntu docker image. Not because I don’t have to install things: apt-get update && apt-get upgrade -y && apt-get install -y curl unzip; but because I know the package names already.
Not that I expected different, however I really wanted to avoid writing additional software to get these two units to integrate. I think at this point I need to get creative. I’m not entirely satisfied I’ve chased down signature verification for ECS containers entirely. So it’s totally a hack but I think I’m just going to pin it and fix it later. If one were to set up a system where the EC2 Host was used as the subject it would require the union of all credentials of the applications running on that host and be able to authenticate as such. One step better would be to store the created nonce on the file system and have the containers pick it up for when they authenticate.
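The nonce-on-the-filesystem idea above, written out as an added example (this is not the post's code and not a HashiCorp script): a container logs in through Vault's EC2 auth backend with the host's instance identity document, sends the stored nonce if one exists, and writes back the nonce Vault returns so the next container on the same host can reauthenticate. The Vault address, role name and nonce path are assumptions; the login path auth/aws-ec2/login and the nonce field in auth.metadata are as Vault 0.7.0 exposes them (later releases mount the backend as aws).

```shell
#!/bin/sh
# Added example, not the post's code: log in to Vault's aws-ec2 backend with
# the host's instance identity document, sharing the reauthentication nonce
# through a file that every container on the host bind-mounts.
# VAULT_ADDR, VAULT_ROLE and NONCE_FILE are assumed values.
set -eu

VAULT_ADDR="${VAULT_ADDR:-https://vault.example.internal:8200}"
VAULT_ROLE="${VAULT_ROLE:-ecs-host}"
NONCE_FILE="${NONCE_FILE:-/var/lib/vault/ec2-nonce}"   # bind-mounted into containers
IMDS_PKCS7="http://169.254.169.254/latest/dynamic/instance-identity/pkcs7"

# Nonce from the shared file, or empty on the host's first login.
read_nonce() {
  [ -s "$1" ] && cat "$1" || true
}

# Persist the nonce Vault handed back, readable by this user only.
save_nonce() {
  (umask 077 && printf '%s' "$2" > "$1")
}

# JSON body for auth/aws-ec2/login. The nonce is only sent when we have one;
# on the first login Vault generates it and returns it in auth.metadata.nonce.
build_login_body() {
  role="$1"; pkcs7="$2"; nonce="${3:-}"
  if [ -n "$nonce" ]; then
    printf '{"role":"%s","pkcs7":"%s","nonce":"%s"}' "$role" "$pkcs7" "$nonce"
  else
    printf '{"role":"%s","pkcs7":"%s"}' "$role" "$pkcs7"
  fi
}

# Pull a string field out of Vault's JSON reply without jq. Adequate for the
# token and nonce, which contain neither quotes nor escapes.
json_field() {
  printf '%s' "$2" | sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Fetch the PKCS7-signed identity document, log in, store the nonce, print the token.
login() {
  pkcs7=$(curl -fsS "$IMDS_PKCS7" | tr -d '\n')
  body=$(build_login_body "$VAULT_ROLE" "$pkcs7" "$(read_nonce "$NONCE_FILE")")
  resp=$(curl -fsS -X POST -d "$body" "${VAULT_ADDR}/v1/auth/aws-ec2/login")
  nonce=$(json_field nonce "$resp")
  [ -n "$nonce" ] && save_nonce "$NONCE_FILE" "$nonce"
  json_field client_token "$resp"
}

case "${1:-}" in login) login ;; esac
```

Two caveats that follow from the post. This only works while the role has disallow_reauthentication left false; setting it true makes the first login on an instance the only one, and no nonce will help the second container. And the nonce file is itself a credential: anything on the host that can read it and reach the metadata service can log in as the host role, which is exactly the union-of-credentials trade the paragraph above describes, so keep the role's bound_* constraints tight and its token TTL short.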