Issue #11031 has been reported by Dan Bode. ---------------------------------------- Bug #11031: capturing ec2 userdata as a fact may be a security risk https://projects.puppetlabs.com/issues/11031
Author: Dan Bode Status: Unreviewed Priority: Normal Assignee: Category: Target version: Keywords: Branch: Affected Facter version: When cloud-init is used for bootstrapping nodes, a script contained in the userdata is often passed to the node to perform bootstrapping. In the case of cloud formation, this script often contains IAM credentials (access code/secret code) that are used to call cfn-init. In my integration of PE with cloudformation, I can see the AWS credentials in the inventory service when running b/c they are captured as a part of the ec2 metadata. This is not that big of a deal for my use case b/c the credentials only refer to a temporary account that only has the permissions to read metadata from cloudformation instances. In general, I have concerns over rather capturing userdata with facter may potentially (and unexpectedly) expose a user's credentials in some cases. -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
