Issue #11031 has been updated by Patrick Hemmer.
Chiming in here as there is another reason for wanting to exclude certain facts. EC2 allows you to provide binary data for userdata (ie; [gzip](https://help.ubuntu.com/community/CloudInit#line-15)). This generates 2 problems: 1. If you ever run `facter`, you will have this binary data dumped to your terminal which can mess it up (or in some rare scenario, cause your terminal to send something back and run a bad command). 2. This binary data gets sent to puppetdb which triggers bug #15903 ---------------------------------------- Bug #11031: capturing ec2 userdata as a fact may be a security risk https://projects.puppetlabs.com/issues/11031#change-71179 Author: Dan Bode Status: Investigating Priority: Normal Assignee: Category: Target version: Keywords: Branch: Affected Facter version: When cloud-init is used for bootstrapping nodes, a script contained in the userdata is often passed to the node to perform bootstrapping. In the case of cloud formation, this script often contains IAM credentials (access code/secret code) that are used to call cfn-init. In my integration of PE with cloudformation, I can see the AWS credentials in the inventory service when running b/c they are captured as a part of the ec2 metadata. This is not that big of a deal for my use case b/c the credentials only refer to a temporary account that only has the permissions to read metadata from cloudformation instances. In general, I have concerns over rather capturing userdata with facter may potentially (and unexpectedly) expose a user's credentials in some cases. -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
