Issue #11031 has been updated by Daniel Pittman.

Adrien Thebo wrote:
> Dan and I discussed the particulars of this a while back, and talked of 
> possibly redacting access passwords or values like that, but it hadn't been 
> exactly nailed down. I need to get some testing done before I can provide you 
> with more particulars.

This is absolutely a security risk, **BUT**.  The but is: the user supplies 
this data.  We cannot ever know the form of that, or that it contains security 
sensitive data.  The only useful responses we could make are (a) not to have it 
as a fact at all, disappointing many, or (b) allow the user to make it "not a 
fact" when they have sensitive data.

There is absolutely no point solving this for CloudFormation *only*.

(Notably, though, we do treat facts as "public" grade information in much of 
the rest of the system, making this a potentially broad security exposure.)
----------------------------------------
Bug #11031: capturing ec2 userdata as a fact may be a security risk
https://projects.puppetlabs.com/issues/11031

Author: Dan Bode
Status: Investigating
Priority: Normal
Assignee: Adrien Thebo
Category: 
Target version: 1.6.x
Keywords: 
Branch: 
Affected Facter version: 


When cloud-init is used for bootstrapping nodes, a script contained in the 
userdata is often passed to the node to perform bootstrapping.

In the case of cloud formation, this script often contains IAM credentials 
(access code/secret code) that are used to call cfn-init.

In my integration of PE with cloudformation, I can see the AWS credentials in 
the inventory service when running b/c they are captured as a part of the ec2 
metadata.

This is not that big of a deal for my use case b/c the credentials only refer 
to a temporary account that only has the permissions to read metadata from 
cloudformation instances.

In general, I have concerns over whether capturing userdata with facter may 
potentially (and unexpectedly) expose a user's credentials in some cases.
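The two mitigations raised in this thread, redacting credential-looking values from the userdata (Adrien's suggestion) and letting the user declare the data sensitive so it is "not a fact" at all (Daniel's option b), in a Ruby sketch. This is an added example, not Facter's code and not code from anyone on the issue. The sample userdata is constructed, the key values are AWS's documentation placeholders, the cfn-init flag names and the key-name regexes are heuristics assumed for the example, and the `Facter.add` line shown in a comment is assumed Facter API usage that is not executed here.

```ruby
# Added example, not Facter's own code: make EC2 userdata safe to report as a
# fact, either by redacting credential-looking values or by letting the user
# switch the fact off entirely.

# Constructed cloud-init userdata of the kind the issue describes: a bootstrap
# script that exports IAM credentials and passes them to cfn-init. The key
# values are AWS's public documentation placeholders; the cfn-init flag names
# are part of the constructed sample.
SAMPLE_USERDATA = <<~'EOS'
  #!/bin/bash
  export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
  export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  /opt/aws/bin/cfn-init -s my-stack -r WebServer --access-key AKIAIOSFODNN7EXAMPLE --secret-key wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  echo "bootstrap done"
EOS

REDACTED = '[REDACTED]'.freeze

# KEY=VALUE assignments whose key name looks credential-bearing (heuristic).
SENSITIVE_ASSIGNMENT = /\b([A-Za-z0-9_]*(?:secret|passw|token|access[_-]?key)[A-Za-z0-9_]*)\s*=\s*(\S+)/i
# Command-line flags that carry a credential as the next token (assumed names).
SENSITIVE_FLAG = /(--(?:access-key|secret-key|password|token))(\s+|=)(\S+)/i
# Bare AWS access key IDs, as a final sweep for anything the above missed.
AWS_KEY_ID = /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/

# Return a copy of the userdata with credential-looking values masked. The
# rest of the script (package installs, echo lines, ...) is left intact so the
# fact is still useful for debugging bootstrap problems.
def redact_userdata(raw)
  raw.gsub(SENSITIVE_ASSIGNMENT) { "#{Regexp.last_match(1)}=#{REDACTED}" }
     .gsub(SENSITIVE_FLAG) { "#{Regexp.last_match(1)}#{Regexp.last_match(2)}#{REDACTED}" }
     .gsub(AWS_KEY_ID, REDACTED)
end

# Value to report for the fact. expose: false models option (b) from the
# discussion: the user declares the data sensitive and no fact is produced
# (nil stands for "no fact" in this sketch). redact: false returns the raw
# data for environments where the userdata is known to be harmless.
def userdata_fact_value(raw, expose: true, redact: true)
  return nil unless expose
  redact ? redact_userdata(raw) : raw
end

# Self-check a deployment pipeline could run against the value that would be
# reported: does it still contain any of the secrets it was given?
def leaks?(reported, secrets)
  return false if reported.nil?
  secrets.any? { |secret| reported.include?(secret) }
end

# In a custom fact this would be wired up roughly as follows (assumed Facter
# API usage, not executed here):
#   Facter.add(:ec2_userdata) { setcode { userdata_fact_value(raw_userdata) } }

if __FILE__ == $PROGRAM_NAME
  puts userdata_fact_value(SAMPLE_USERDATA)
end
```

The redaction is a best-effort filter, which is exactly Daniel's point: since the user supplies the data in an unknown form, the opt-out (`expose: false`) is the only response that is safe for every input, and the `leaks?` check is the kind of test that catches the cases the patterns miss.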
