cloud-foundation-fabric/cloud-operations/onprem-sa-key-management
Aleksandr Averbukh 0e5fdda107 TF fmt 2021-12-06 17:23:53 +01:00

README.md

Generating and uploading public keys for service accounts

This example shows how to manage IAM service account keys by generating the key pair locally and uploading only the public part (a self-signed X.509 certificate) to GCP; the private key never leaves the machine that will use it.

By generating the key pair on the box where the private key is going to be used we AVOID:

  • passing private keys between users or systems
  • storing the SA private key in the Terraform state (only the public certificate ends up in the state)
  • SA keys with no expiration period (an uploaded key inherits the validity window of its certificate, set below with -days; pick a value shorter than the 3650 days used here when you can rotate more often)

TODO (averbukh)

Running the example

cleaning up the example public keys shipped with the module (paths are relative to the example directory)

  • rm -f public-keys/data-uploader/public_key.pem
  • rm -f public-keys/prisma-security/public_key.pem

generate your keys

  • mkdir keys && cd keys

  • openssl req -x509 -nodes -newkey rsa:2048 -days 3650 \
      -keyout data_uploader_private_key.pem \
      -out ../public-keys/data-uploader/public_key.pem \
      -subj "/CN=unused"

  • openssl req -x509 -nodes -newkey rsa:2048 -days 3650 \
      -keyout prisma_security_private_key.pem \
      -out ../public-keys/prisma-security/public_key.pem \
      -subj "/CN=unused"

  • cd ..

  • terraform init

  • terraform apply -var project_id=$GOOGLE_CLOUD_PROJECT

  • terraform show -json | jq '.values.outputs."data-uploader-credentials".value."public_key.pem" | fromjson' > data-uploader.json

  • terraform show -json | jq '.values.outputs."prisma-security-credentials".value."public_key.pem" | fromjson' > prisma-security.json

  • contents=$(jq --arg key "$(cat keys/data_uploader_private_key.pem)" '.private_key=$key' data-uploader.json) && echo "$contents" > data-uploader.json

  • contents=$(jq --arg key "$(cat keys/prisma_security_private_key.pem)" '.private_key=$key' prisma-security.json) && echo "$contents" > prisma-security.json

  • gcloud auth activate-service-account --key-file prisma-security.json

  • gcloud auth activate-service-account --key-file data-uploader.json
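The local, offline half of the procedure above as one script, added here as an example and not part of this README or the fabric module: it generates the key pair, proves that the private key you keep and the certificate you upload belong together, checks the certificate's validity window (which is what the uploaded key's expiry is derived from), and splices the private key into the credentials template with jq. It assumes openssl and jq on PATH; the credentials template is a constructed stand-in for what the `terraform show -json | jq ... | fromjson` step returns (its field values are placeholders), and the file names follow the README.

```shell
#!/usr/bin/env bash
# Added example (not the README's or the module's own code).
# Assumes: openssl and jq on PATH. The credentials template below is a
# constructed stand-in for the terraform output; its values are placeholders.
set -euo pipefail

# Generate a private key plus a self-signed X.509 certificate, the public part
# GCP accepts for a user-managed service account key upload. The -days window
# becomes the uploaded key's expiry, so keep it short (the README uses 3650).
gen_sa_keypair() {
  local name=$1 keydir=$2 pubdir=$3 days=${4:-90}
  mkdir -p "$keydir" "$pubdir"
  openssl req -x509 -nodes -newkey rsa:2048 -days "$days" \
    -keyout "$keydir/${name}_private_key.pem" \
    -out "$pubdir/public_key.pem" \
    -subj "/CN=unused" 2>/dev/null
  chmod 600 "$keydir/${name}_private_key.pem"   # private key stays on this box
}

# Prove key and certificate are one pair: compare SHA-256 digests of the
# DER-encoded public key taken from each side.
keypair_matches() {
  local key=$1 cert=$2 from_key from_cert
  from_key=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
  from_cert=$(openssl x509 -in "$cert" -noout -pubkey \
    | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$from_key" = "$from_cert" ]
}

# Succeeds if the certificate (and so the uploaded key) is still valid N days from now.
cert_valid_for_days() {
  local cert=$1 days=$2
  openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null
}

# Splice the private key into the credentials template. jq does the JSON string
# escaping of the PEM newlines; a plain sed/echo substitution would break it.
build_credentials() {
  local template=$1 key=$2 out=$3
  jq --arg key "$(cat "$key")" '.private_key = $key' "$template" > "$out"
  chmod 600 "$out"
}

# Round-trip check on the finished file: the key inside must match the cert.
credentials_match_cert() {
  local creds=$1 cert=$2 tmpkey rc
  tmpkey=$(mktemp)
  jq -r '.private_key' "$creds" > "$tmpkey"
  if keypair_matches "$tmpkey" "$cert"; then rc=0; else rc=1; fi
  rm -f "$tmpkey"
  return $rc
}

# Worked run of the whole local procedure for the data-uploader SA in $1.
run_example() {
  local work=$1 name=data-uploader
  gen_sa_keypair "$name" "$work/keys" "$work/public-keys/$name" 30
  # Constructed stand-in for the terraform output: the key template without
  # its private_key, as the README's jq/fromjson step yields. Placeholders only.
  cat > "$work/$name.json" <<'EOF'
{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "0123456789abcdef",
  "private_key": "",
  "client_email": "data-uploader@example-project.iam.gserviceaccount.com",
  "client_id": "000000000000000000000",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token"
}
EOF
  build_credentials "$work/$name.json" \
    "$work/keys/${name}_private_key.pem" "$work/$name.creds.json"
  keypair_matches "$work/keys/${name}_private_key.pem" "$work/public-keys/$name/public_key.pem" \
    && cert_valid_for_days "$work/public-keys/$name/public_key.pem" 7 \
    && credentials_match_cert "$work/$name.creds.json" "$work/public-keys/$name/public_key.pem"
}

# Stand-alone use: ./script.sh demo [workdir]
if [ "${1:-}" = "demo" ]; then
  run_example "${2:-./demo}" && echo "key pair, certificate and credentials file are consistent"
fi
```

Run the checks before `terraform apply` and again after assembling the credentials file: a mismatched pair only shows up later as an authentication failure, and the `-checkend` test is the cheapest way to see how long the uploaded key will stay usable.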

Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| project_id | Project id. | string | ✓ | |
| project_create | Create project instead of using an existing one. | bool | | false |

Outputs

| name | description | sensitive |
|---|---|:---:|
| data-uploader-credentials | Data Uploader SA json key templates. | |
| prisma-security-credentials | Prisma Security SA json key templates. | |