
Security: registration token is stored in plain text in user-data #776

Closed
ekini opened this issue Mar 30, 2023 · 2 comments · Fixed by #822
Labels
enhancement 🆕 New feature or request

Comments

@ekini

ekini commented Mar 30, 2023

Describe the solution you'd like

The runner token is stored in the SSM Parameter store but the registration token is just there in plain text.
It would make sense to get it dynamically from another parameter. That parameter can possibly be managed externally.

Describe alternatives you've considered

Suggest a solution

  1. (option 1). Create an SSM parameter with provided registration token. Get the token dynamically from it.
  2. (option 2). Point user-data to the SSM parameter to get the token from it. This way the SSM parameter can be managed externally and the token doesn't end up in the Terraform state.

Additional context

Not sure if it's worth creating another issue. The provided IAM policy allows reading all SSM parameters. It doesn't seem like it's required and access should be scoped down to one resource (or 2 if the registration token is placed in there as well).
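Option 2 together with the scoped-down IAM policy, as an added Terraform example that is not part of the module or of this issue: the registration token lives in an SSM SecureString created and rotated outside Terraform, user-data renders only the parameter name and fetches the value at boot, and the instance role may read exactly the two runner parameters instead of all of SSM. The parameter names, the policy name, the `aws_iam_role.runner` reference and the GitLab URL are assumptions.

```hcl
# Added example, not the module's code; names, role reference and URL are assumptions.
variable "registration_token_parameter_name" {
  type    = string
  default = "/gitlab-runner/registration-token" # created and rotated outside Terraform
}

variable "runner_token_parameter_name" {
  type    = string
  default = "/gitlab-runner/runner-token" # written back by the runner after registration
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
locals {
  # arn:aws:ssm:<region>:<account>:parameter/<name>; the names above carry their leading "/"
  ssm_arn_prefix = "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter"

  # Only the parameter *name* is rendered into user-data; the value is fetched at boot,
  # so neither user-data nor the Terraform state ever contains the registration token.
  user_data = <<-EOT
    #!/usr/bin/env bash
    set -euo pipefail   # no "set -x": the token must not end up in cloud-init logs
    REG_TOKEN="$(aws ssm get-parameter --name '${var.registration_token_parameter_name}' \
      --with-decryption --query 'Parameter.Value' --output text)"
    gitlab-runner register --non-interactive --url 'https://gitlab.example.com' \
      --registration-token "$REG_TOKEN" --executor docker --docker-image 'alpine:latest'
  EOT
}

# Least privilege: only the two runner parameters, never "arn:aws:ssm:*:*:parameter/*".
# If a customer-managed KMS key encrypts them, add kms:Decrypt on that key as well.
data "aws_iam_policy_document" "runner_ssm" {
  statement {
    actions   = ["ssm:GetParameter"]
    resources = [
      "${local.ssm_arn_prefix}${var.registration_token_parameter_name}",
      "${local.ssm_arn_prefix}${var.runner_token_parameter_name}",
    ]
  }
  statement {
    actions   = ["ssm:PutParameter"]
    resources = ["${local.ssm_arn_prefix}${var.runner_token_parameter_name}"]
  }
}

resource "aws_iam_role_policy" "runner_ssm" {
  name   = "gitlab-runner-ssm-scoped"
  role   = aws_iam_role.runner.id # instance role assumed to be defined elsewhere
  policy = data.aws_iam_policy_document.runner_ssm.json
}
```

Because the parameter is never read by a Terraform data source, the token value stays out of the state file; only its name and ARN appear there.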

@ekini ekini added enhancement 🆕 New feature or request new ⭐ Brand new and maintainers haven't seen it yet labels Mar 30, 2023
@kayman-mk kayman-mk removed the new ⭐ Brand new and maintainers haven't seen it yet label Apr 29, 2023
@kayman-mk
Collaborator

See #822 which implements option 2.

kayman-mk added a commit that referenced this issue May 3, 2023
)

## Description

Adds the ability to read the Gitlab registration token from SSM. If no
registration token is passed in, it will look in SSM to find the token
to use. This prevents the token from being leaked as part of the
user_data.

```hcl
module "gitlab_runner" {
  # ...
  gitlab_runner_registration_config = {
    registration_token = "" # this is the default value too
    # ...
  }

  secure_parameter_store_gitlab_runner_registration_token_name = "name-of-ssm-parameter-holding-the-registration-token"
}
```

Closes #776
Precondition for #186 to get rid of pre-registered runners.

## Migrations required

NO

## Verification

I modified the runner-default example to not pass in a registration
token and added the token to SSM instead. Then I started up the runner
and confirmed that it successfully registered with Gitlab.

---------

Co-authored-by: Matthias Kay <github-public@matthiaskay.de>
Co-authored-by: Matthias Kay <matthias.kay@hlag.com>
@ekini
Author

ekini commented May 4, 2023

Thank you!
