Issue #11031 has been updated by Adrien Thebo.

Status changed from Unreviewed to Accepted
Assignee set to Adrien Thebo
Target version set to 1.6.x

----------------------------------------
Bug #11031: capturing ec2 userdata as a fact may be a security risk
https://projects.puppetlabs.com/issues/11031

Author: Dan Bode
Status: Accepted
Priority: Normal
Assignee: Adrien Thebo
Category:
Target version: 1.6.x
Keywords:
Branch:
Affected Facter version:

When cloud-init is used for bootstrapping nodes, a script contained in the userdata is often passed to the node to perform bootstrapping. In the case of cloud formation, this script often contains IAM credentials (access code/secret code) that are used to call cfn-init.

In my integration of PE with cloudformation, I can see the AWS credentials in the inventory service when running b/c they are captured as a part of the ec2 metadata. This is not that big of a deal for my use case b/c the credentials only refer to a temporary account that only has the permissions to read metadata from cloudformation instances.

In general, I have concerns over whether capturing userdata with facter may potentially (and unexpectedly) expose a user's credentials in some cases.
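
The exposure described in this report, as an added example (not Facter's code and not part of the ticket): a Ruby filter that redacts likely AWS credentials from user-data text before it would be published as a fact. The name `sanitize_userdata`, the two patterns and the sample script are assumptions made for illustration; the keys in the sample are AWS's published documentation placeholders.

```ruby
# Added example, not Facter code: redact likely AWS credentials from EC2
# user-data before the text is exposed as a fact or sent to an inventory service.

# Access key IDs have a fixed shape: AKIA (long-term) or ASIA (temporary)
# followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID = /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/

# Secret keys have no fixed prefix, so match on the option or variable name
# that introduces them, then the 40-character value.
SECRET_CONTEXT =
  /((?:--secret-key|aws_secret_access_key|secret_?key)\s*[=:\s]\s*["']?)([A-Za-z0-9\/+=]{40})/i

REDACTED = '[REDACTED]'

# Returns [sanitized_text, findings]. Findings record the kind of value removed
# and its line number, never the value itself, so they are safe to log.
def sanitize_userdata(text)
  findings = []
  clean = text.each_line.with_index(1).map do |line, n|
    line = line.gsub(SECRET_CONTEXT) do
      findings << { line: n, kind: :secret_access_key }
      "#{Regexp.last_match(1)}#{REDACTED}"
    end
    line.gsub(ACCESS_KEY_ID) do
      findings << { line: n, kind: :access_key_id }
      REDACTED
    end
  end.join
  [clean, findings]
end

# Constructed sample user-data (hypothetical stack and resource names); the
# keys are AWS documentation placeholders, not real credentials.
SAMPLE_USERDATA = <<~SCRIPT
  #!/bin/bash
  /opt/aws/bin/cfn-init -s demo-stack -r PuppetAgent \\
    --access-key AKIAIOSFODNN7EXAMPLE \\
    --secret-key wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  puppet agent --test
SCRIPT

if __FILE__ == $PROGRAM_NAME
  clean, findings = sanitize_userdata(SAMPLE_USERDATA)
  puts clean
  findings.each { |f| warn "redacted #{f[:kind]} on line #{f[:line]}" }
end
```

Pattern matching of this kind only catches credentials in recognizable forms; a secret passed under an unexpected variable name or encoded in the script will pass through unredacted.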
