Issue #11031 has been updated by Daniel Pittman.
Ken Barber wrote:
> Dan Bode wrote:
> > Having some way to configure that certain facts should not be sent to the master would be an acceptable solution for my use case.
>
> A configuration option which allows you to specify exclusions is an old discussion. Something that supports masks/wildcards and such?

We have no evidence to date that wildcards are needed, just a plain blacklist to exclude certain facts by name on some clients.

> This could be an element in the puppet configuration that decides what is sent to a master. Arguably the problem also appears for mcollective registration as well I suppose, so a facter global configuration is also an option: #11449.

Seems like a justification for configuration over Facter, yup.

----------------------------------------
Bug #11031: capturing ec2 userdata as a fact may be a security risk
https://projects.puppetlabs.com/issues/11031

Author: Dan Bode
Status: Investigating
Priority: Normal
Assignee: Adrien Thebo
Category:
Target version: 1.6.x
Keywords:
Branch:
Affected Facter version:

When cloud-init is used for bootstrapping nodes, a script contained in the userdata is often passed to the node to perform bootstrapping. In the case of cloud formation, this script often contains IAM credentials (access code/secret code) that are used to call cfn-init.

In my integration of PE with cloudformation, I can see the AWS credentials in the inventory service when running b/c they are captured as a part of the ec2 metadata. This is not that big of a deal for my use case b/c the credentials only refer to a temporary account that only has the permissions to read metadata from cloudformation instances.

In general, I have concerns over whether capturing userdata with facter may potentially (and unexpectedly) expose a user's credentials in some cases.

--
You have received this notification because you have either subscribed to it, or are involved in it.
To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account
--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
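To illustrate the mitigation the thread converges on (a plain blacklist of fact names, no wildcards) together with a defender's check for the risk the ticket describes, here is an added Ruby example; it is not Facter's or Puppet's own code, and the configuration format, the fact names in the sample and the credential key id are all constructed assumptions.

```ruby
# Added illustration (not Facter code): drop blacklisted facts by name before
# they are reported, and flag any remaining fact whose value looks like it
# carries AWS credentials, as userdata passed through cloud-init can.

# Exclusion list an operator would keep in configuration (assumed format).
EXCLUDED_FACTS = %w[ec2_userdata].freeze

# Conservative patterns for credential-looking material in fact values:
# AWS access key ids (AKIA/ASIA prefix + 16 chars) and explicit secret
# assignments such as aws_secret_access_key=....
CREDENTIAL_PATTERNS = [
  /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/,
  /aws_secret_access_key\s*[=:]\s*\S+/i,
].freeze

# Return a copy of +facts+ with every excluded name removed (exact match,
# no wildcards, matching the plain blacklist discussed in the ticket).
def filter_facts(facts, excluded = EXCLUDED_FACTS)
  facts.reject { |name, _| excluded.include?(name.to_s) }
end

# Return the names of facts whose values still look like they carry
# credentials, so an operator can extend the exclusion list.
def suspicious_facts(facts, patterns = CREDENTIAL_PATTERNS)
  facts.select { |_, value| patterns.any? { |re| value.to_s =~ re } }.keys
end

# Constructed sample facts; the key id below is a made-up placeholder.
SAMPLE_FACTS = {
  'hostname'     => 'web01',
  'ec2_userdata' => "#!/bin/bash\nexport AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000000\n",
  'ec2_ami_id'   => 'ami-12345678',
}.freeze

if __FILE__ == $PROGRAM_NAME
  kept = filter_facts(SAMPLE_FACTS)
  puts "facts sent: #{kept.keys.join(', ')}"
  puts "still suspicious: #{suspicious_facts(kept).inspect}"
end
```

Running the check on the unfiltered facts names ec2_userdata as the leak; after filtering, nothing suspicious remains.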
