
Re: AWS build workflow (was Re: my progress)



On 2016-11-07 06:57:48, Noah Meyerhans wrote:
> On Mon, Nov 07, 2016 at 08:23:10AM +0000, Marcin Kulisz wrote:
> > That's true, but there is a bit which makes me quite uncomfortable; to be
> > precise, it's that to do all this stuff from within Debian infra we need to keep
> > AWS IAM keys on it with permissions for spinning up and down instances etc.
> 
> Yes. The keys would need to be associated with a role granted access to
> the following API calls:
> 
> * Run instance
> * Describe instance
> * Create volume
> * Attach volume
> * Create snapshot
> * Describe snapshot
> * Register AMI
> * Terminate instance
> 
> I'm not sure what facilities are provided on debian.org machines for
> managing access to sensitive material such as IAM credentials in an
> automated way.
>
> > From my conversation with JEB, a kind of vision emerged that we could have
> > a combination of API gateway and Lambda listening on the API point, and those
> > would spin up an instance with the Pettersson ssh key (public part ofc) and a specific
> > IAM role on it to allow it to do DD and all the AWS related dance. Once the whole process
> > is done it'll just destroy the AWS instance and wait for the next build.
> > Clean and neat use of "the cloud" I'd say.
> 
> My recollection from the sprint is that we agreed that we'd like to
> build the images on official Debian infrastructure to the extent
> possible, which is why I proposed that workflow. However, I agree that
> there are alternatives that make use of some of the other AWS services
> such as Lambda, KMS, etc.

I don't think that what I'm proposing contradicts what you posted above. In my
opinion we will just create an intermediary service to avoid storing credentials
with the permissions you listed above on our infrastructure.
If in the future we have to withdraw from this setup for whatever reason, it
can simply be used without it (the whole api/lambda stuff), just with the IAM keys/role.

I simply prefer not to have any server with the capability to wipe out our
instances. IMO this is just a safer option than having IAM keys on
pettersson.d.o.

IMO exposing just an https point for triggering AWS instance creation, doing its
magic and then transferring the image built with fai over ssh is safer than
allowing pettersson.d.o to spin up and destroy instances, attach volumes, etc.
-- 

|_|0|_|                                                  |
|_|_|0|                  "Panta rei"                     |
|0|0|0|             -------- kuLa --------               |

gpg --keyserver pgp.mit.edu --recv-keys 0x686930DD58C338B3
3DF1  A4DF  C732  4688  38BC  F121  6869  30DD  58C3  38B3

Attachment: signature.asc
Description: PGP signature
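
Added example, not part of the thread or of any Debian tooling: the eight API calls listed in the quoted message written as an IAM policy, with TerminateInstances limited to instances tagged by the build so that the credentials cannot remove unrelated instances. The tag scoping goes beyond what the thread discusses; the tag name `debian-image-build` and the helper `allows` (a simplified check, not the real IAM evaluator) are assumptions.

```python
import json

# Assumed tag marking instances launched by the image build; not from the thread.
TAG_KEY, TAG_VALUE = "debian-image-build", "true"

def build_role_policy():
    """Policy for the build role: the eight calls listed in the thread, with
    TerminateInstances limited to instances that carry the build tag."""
    return {"Version": "2012-10-17", "Statement": [
        # Calls left unscoped here; only termination is restricted below.
        {"Sid": "BuildCalls", "Effect": "Allow", "Resource": "*",
         "Action": ["ec2:RunInstances", "ec2:DescribeInstances",
                    "ec2:CreateVolume", "ec2:AttachVolume",
                    "ec2:CreateSnapshot", "ec2:DescribeSnapshots",
                    "ec2:RegisterImage"]},
        # Tags may only be set while launching, so existing instances
        # cannot be re-tagged into the terminable set.
        {"Sid": "TagAtLaunchOnly", "Effect": "Allow",
         "Action": ["ec2:CreateTags"],
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringEquals": {"ec2:CreateAction": "RunInstances"}}},
        {"Sid": "TerminateBuildInstancesOnly", "Effect": "Allow",
         "Action": ["ec2:TerminateInstances"],
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringEquals":
                       {f"ec2:ResourceTag/{TAG_KEY}": TAG_VALUE}}},
    ]}

def allows(policy, action, context=None):
    """Simplified check, not the real IAM evaluator: Allow statements only,
    exact action names, StringEquals conditions matched against `context`.
    Resource ARNs are not matched."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {})
        if all(context.get(k) == v for k, v in wanted.items()):
            return True
    return False

if __name__ == "__main__":
    policy = build_role_policy()
    print(json.dumps(policy, indent=2))
    build = {f"ec2:ResourceTag/{TAG_KEY}": TAG_VALUE}
    print("terminate build instance:", allows(policy, "ec2:TerminateInstances", build))
    print("terminate other instance:", allows(policy, "ec2:TerminateInstances", {}))
```
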

