Authenticating ECS containers with Vault
• Mark Eschbach
Got a few yaks shaved yesterday by the names of clustering, high availability, and security. Now it’s time to make more progress towards my objective: authenticating ECS containers. There are two different camps here: those who say it’s not possible and those who have done it.
Actually, that is a really janky method of doing it. I think I would rather have a union of all secrets allowed within a cluster. Their idea is to use a Lambda function with an S3 bucket; I can see some holes in that thinking. Okay, perhaps I’m getting ahead of myself.
I should start with ensuring hosts themselves can be authenticated. Back to Vault’s aws-auth. Enabling the backend appears to have worked…now time to verify the new backend works as expected.
Network connectivity on my commute in today is questionable at best, so I’m going to pivot away and come back to the heavy network stuff. In the meantime I’ve got that merge lab I would like to figure out. The project was left off with the realization that the test cases require a closer fixture than what I had originally tested. A key part of the current area I’m trying to improve is a merge post-commit. Specifically, the system is creating 2 commits where 1 should really do. As part of this there are pushes and pulls to remote repositories. I was introducing a lot of if cases into the code to avoid this. I should have listened earlier.
Luckily it’s fairly easy to pull the if statements. Once a Git repository is registered the system doesn’t seem to mind if it’s on the local file system, over HTTP, or through SSH. I’ve got to admit I’m fairly impressed with how well that is engineered. I’ll need to change the fixture a bit to use the tarball as a bare remote repository and check out a specific branch. This will allow the release system to more closely simulate the environment of Travis CI.
Alrighty, now for our normal program.
Let’s see if we can get a known host to authenticate! First up is the network rules. Target hosts should be able to access the target hosts for authentication.
Next up is figuring out what the credentials will look like. Unfortunately I’ve seen a couple of different approaches, however none have been truly helpful for an application service. For a while I ran down a rabbit hole trying to figure out how to authenticate a container.
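For reference, here is what the credentials for Vault's aws auth method look like when the IAM variant is used, which is the variant that fits a container holding an ECS task role rather than an EC2 instance identity. This is an added example written for this page, not the author's code and not a method the post settles on: the container signs an STS `GetCallerIdentity` request with its own AWS credentials (SigV4), and Vault replays that signed request against STS to learn which IAM principal is calling. The role name `ecs-demo`, the server ID `vault.example.internal`, and the AWS keys below are constructed placeholders; on a real task the keys come from the ECS credential endpoint and the payload is POSTed to `$VAULT_ADDR/v1/auth/aws/login`.

```python
"""Build the login payload for Vault's aws auth method (IAM type).

Added example, not from the original post.  Pure standard library,
so the SigV4 signing runs offline; nothing here talks to AWS or Vault
unless ecs_task_credentials() is called from inside an ECS task.

Assumed (not in the post): role name "ecs-demo", the optional
X-Vault-AWS-IAM-Server-ID value "vault.example.internal", and the
constructed, non-working credentials used by demo_payload().
"""
import base64
import datetime
import hashlib
import hmac
import json
import os
import urllib.request

STS_HOST = "sts.amazonaws.com"            # global STS endpoint, signed for us-east-1
STS_URL = f"https://{STS_HOST}/"
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """AWS SigV4 key derivation: kDate -> kRegion -> kService -> kSigning."""
    k = _hmac(("AWS4" + secret_key).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def sign_get_caller_identity(access_key, secret_key, session_token=None,
                             region="us-east-1", server_id=None, now=None):
    """Return the headers of a signed POST sts:GetCallerIdentity request."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    headers = {
        "Host": STS_HOST,
        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
        "X-Amz-Date": amz_date,
    }
    if session_token:                      # task-role creds are temporary, so always set
        headers["X-Amz-Security-Token"] = session_token
    if server_id:                          # binds the signature to one Vault server
        headers["X-Vault-AWS-IAM-Server-ID"] = server_id
    # Canonical headers: lower-cased names, sorted, values trimmed.
    canon = sorted((k.lower(), v.strip()) for k, v in headers.items())
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in canon)
    signed_headers = ";".join(k for k, _ in canon)
    payload_hash = hashlib.sha256(STS_BODY.encode()).hexdigest()
    canonical_request = "\n".join(
        ["POST", "/", "", canonical_headers, signed_headers, payload_hash])
    scope = f"{date}/{region}/sts/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope,
         hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date, region, "sts"),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["Authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def vault_login_payload(role: str, headers: dict) -> dict:
    """JSON body for POST /v1/auth/aws/login: the signed request, base64-wrapped."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return {
        "role": role,
        "iam_http_request_method": "POST",
        "iam_request_url": b64(STS_URL),
        "iam_request_body": b64(STS_BODY),
        "iam_request_headers": b64(json.dumps(headers)),
    }


def ecs_task_credentials() -> dict:
    """Fetch the task-role credentials an ECS task is given (network call)."""
    uri = os.environ["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"]
    with urllib.request.urlopen("http://169.254.170.2" + uri, timeout=2) as r:
        return json.load(r)                # AccessKeyId, SecretAccessKey, Token, ...


def demo_payload() -> dict:
    """Offline demo with constructed (non-working) credentials and a fixed clock."""
    fixed = datetime.datetime(2020, 1, 2, 3, 4, 5, tzinfo=datetime.timezone.utc)
    headers = sign_get_caller_identity(
        "AKIAEXAMPLE", "secretEXAMPLE", session_token="tokenEXAMPLE",
        server_id="vault.example.internal", now=fixed)
    return vault_login_payload("ecs-demo", headers)


if __name__ == "__main__":
    print(json.dumps(demo_payload(), indent=2))
```

Two things worth checking on the Vault side before trusting this: the role is bound to the task role's ARN (`bound_iam_principal_arn`), so a signature from any other principal is rejected, and `iam_server_id_header_value` is set on the auth mount so a captured login payload cannot be replayed against a different Vault.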