I'm setting up service accounts and users/groups under them. If I want to generate a different key for each group/user I attach to the service account, I also want to keep track of this in the situations that someone I assigned a key to gets hacked or decides to break stuff. I want to tie the actions back to the service user, and the key, and then the user.
Is there a way to list key usage? Like a log? Or may label the keys?
You can use Cloud Audit Logging to generate logs for the operations that you want to monitor/control. Also, you can configure who has access to these audit logs. These settings are in the auditConfig file.
For the keys, If you want further control and management, you can use the Cloud Key Management Service and also configure Cloud Audit Logging for this service. Key labeling can help to order and track this information.
Related
I have a secret which contains very sensitive information.
I want to make sure that this secret can only be accessed by a certain service account and nobody else.
Using RBAC, I can tell which user can access which resources. But is there some way where I can tell that this secret can only be accessed by this user?
as far as i know , There is no straight forward way to get that info (might require write a script to that iterates through rolebindings & clusterrolebindings).
Recently found a plugin called kubectl who-can on kubectl-who-can that fetches those kind details with one command.
It is possible to get it done with Validating webhook where the API request fields are parsed and checked for matching users.
OPA can be used to do some heavy lifting.
I'm studying Kubernetes now, and have a question about Kubernetes Users. I learned how to create Users and how to limit access by Role, but when should I use it? For example, if a malicious user (not a k8s user, but an operating user) penetrates the k8s server, they can switch the administrator easily (if they can see .kube/config). In addition to that, if a user switches his or her user account and forgets to switch back, then another person who enters next can also use the first user's account. I doubt if I misunderstand the usage of k8s Users, but there seems to be no documents about why k8s prepared it. I assume that Users are only used for doing something from within pods, but if so, what's the difference between Users and Service Accounts?
Kubernetes has a very loose idea of a user. It knows that authentication is a thing, and that the output of that is a name and maybe some groups and tags. But really all it does it hand that info off to the authorization plugins to decide if a given request is allowed or not. ServiceAccounts are a specific object type because they generate you a JWT signed by the cluster, but there isn't a specific User type, that only exists within the context of your authentication plugin(s).
In my current project I'm working with StreamSets and I would like to use Hashicorp Vault as my credentials store, however I'm not able to use credential:get() function wherever I want to. E.g. in Shared Access Key in Azure IoT Hub Producer block. I know that I could use Runtime Properties but I don't think it solves my problem.
Am I missing something or I can use credential:get() only in fields marked with a key icon?
You can only use credential:get() in fields marked with a key icon. This is by design, to minimize the chance of leaking credentials. For example, if credential:get() was allowed in URL parameters, a pipeline designer could send a request to a web server under their control to discover the credential. It may make sense to allow Shared Access Key to receive credentials. Please file an issue at https://issues.streamsets.com with your enhancement request.
I am looking for the system that allows to create and store symmetric master keys in a safe manner. One of such systems is Amazon KMS, where I can create master private key per user and use it to encrypt some data (e.g. user's private keys).
But I need to support several platforms and so I have a question about Vault project (https://www.vaultproject.io). Is it appropriate tool for this task ?
I have found that Vault supports authorization functionality ( https://www.vaultproject.io/docs/auth/userpass.html) and I am wondering is it okay to use this API intensively and store 50k users or so ?
Said that, it looks like these services solve different problems, and Vault is not supposed to be used like Amazon KMS service. But I need to discuss this idea with someone in order to be completely sure.
Many thanks!
You may look into Cubbyhole backend for Vault. This backend works like a unique space for each token. Destroying the access token deletes all the data stored in its cubbyhole space.
From Cubbyhole authentication principles:
The cubbyhole backend is a simple filesystem abstraction similar to the generic backend (which is mounted by default at secret/) with one important twist: the entire filesystem is scoped to a single token and is completely inaccessible to any other token.
In other words, it does not matter, what policies attached to the token, but matter what the token is themselves. And only a single token can be used to set or retrieve values in its cubbyhole.
I'm using cloudformation to create one admins group for my aws account, and I need to add a custom tag to all of them in order to save their e-mail for notification purpouse. There's no info in aws docs about it.
Is possible tag an IAM resource? I know that is possible to do it for a EC2 instance.
No, currently no IAM objects can be tagged, in cloudfront or using administration console.
I suppose that since Tags are mostly used for billing and resource grouping, and IAM objects are free of charge and represent authority, roles and permissions and not a resource or a general purpose database.
I think the best alternative for your scenario would be something like DynamoDB to store this configuration.