Layer7 API Management

  • 1.  Providing Gateway Container Variables Securely in AWS

    Broadcom Employee
    Posted Jun 21, 2018 01:40 PM

    This discussion comes from the idea posted here: PROTECT GATEWAY DOCKER VARIABLES

     

    Essentially, how do you provide secrets to the gateway in a secure way when it is hosted as a container in AWS? How can the AWS Secrets Manager be used?

    Passwords ideally should not be stored in external files (such as docker-compose files), container files (such as docker-secrets, that get permanently mounted at "/run/secrets" during the entire container lifecycle), or container environment variables (visible to container shell and "docker-inspect-like" commands).



  • 2.  Re: Providing Gateway Container Variables Securely in AWS

    Broadcom Employee
    Posted Jun 21, 2018 01:42 PM

    I think you should be able to achieve something similar to what is described in this blog post?

    How to Manage Secrets for Amazon EC2 Container Service–Based Applications by Using Amazon S3 and Docker | AWS Security B… 

     

    In step 5, in order to avoid setting environment variables, the secrets-entrypoint.sh script could look like:

    #!/bin/sh

    # Check that the environment variable has been set correctly
    if [ -z "$SECRETS_BUCKET_NAME" ]; then
        echo >&2 'error: missing SECRETS_BUCKET_NAME environment variable'
        exit 1
    fi

    # Load the S3 secrets file contents into the environment variables.
    # The file is evaluated as shell code, so it must contain assignments
    # such as "export NAME=value"; quoting the command substitution keeps
    # each line intact (an unquoted $(...) would word-split values that
    # contain spaces).
    eval "$(aws s3 cp "s3://${SECRETS_BUCKET_NAME}/db_credentials.txt" -)"

    # Call the Gateway entry-point script (sourced, so the exported variables
    # stay in this process; the image's own entrypoint.sh is assumed to sit
    # next to this script in /opt/docker/, see the Dockerfile below)
    . /opt/docker/entrypoint.sh "$@"

    Then your Dockerfile would look like:

    FROM caapim/gateway:9.3.00

    USER root

    # Install the AWS CLI
    RUN yum install -y python curl unzip && cd /tmp && \
        curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" \
            -o "awscli-bundle.zip" && \
        unzip awscli-bundle.zip && \
        ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws && \
        rm awscli-bundle.zip && rm -rf awscli-bundle

    USER ${ENTRYPOINT_UID}

    # Install the new entry-point script
    COPY ./secrets-entrypoint.sh /opt/docker/

    # Overwrite the entry-point script
    CMD [ "/opt/docker/secrets-entrypoint.sh" ]

    Note that this does not use the AWS Secrets Manager. However, updating the secrets-entrypoint.sh script should allow you to connect to the AWS Secrets Manager instead of S3.



  • 3.  Re: Providing Gateway Container Variables Securely in AWS

    Posted Jul 09, 2018 02:11 PM

    Hi Victor,

    We were able to reproduce the scenario you suggested successfully.

     

    Additionally, we tried a new approach using AWS Parameter Store instead of S3. In this case, we replaced the "eval" line in secrets-entrypoint.sh with:

    # Fetch every parameter under $PARAM_ROOT (--with-decryption is needed for SecureString
    # parameters, otherwise only the encrypted value is returned) and turn each one into an
    # "export NAME=value" line
    eval "$(aws --region "$AWS_REGION" ssm get-parameters-by-path --path "$PARAM_ROOT" --with-decryption \
        | jq -r '.Parameters | map("export " + (.Name | split("/") | .[-1]) + "=" + .Value) | .[]')"

    and instead of "SECRETS_BUCKET_NAME" we passed a "PARAM_ROOT" variable containing the path prefix used in Parameter Store variables to group the desired secret variables.

     

    Parameter Store variables should be in the form "/PARAM_ROOT/VARIABLE_NAME", such as "/prod/SSG_ADMIN_PASSWORD". The above command will retrieve and parse a JSON document containing all variables under the "/PARAM_ROOT/" path.

     

    In the Dockerfile, together with the AWS CLI we added the code to install the additional "jq" and "oniguruma" (for jq regex support) dependencies.
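
    Added example, not code from this thread or from the gateway image: both replies above load the fetched secrets with eval "$(...)", which executes the fetched text as shell code, so a parameter value that contains shell metacharacters (or a tampered S3 object or Parameter Store entry) runs as a command inside the container at start-up. The POSIX sh function below accepts the same input as both approaches, plain KEY=VALUE lines (the S3 file from reply 2) or the export KEY=VALUE lines produced by the jq one-liner in reply 3, and exports each one as plain data without eval, rejecting lines whose variable name is not a valid identifier. It takes the text as an argument rather than reading a pipe because in sh and bash the last command of a pipeline runs in a subshell, where the exports would be lost before entrypoint.sh is sourced. The aws invocations in the comments are the assumed call sites; the sample lines in the demo are constructed.

```shell
#!/bin/sh
# load_secrets TEXT
#   Exports every "NAME=value" or "export NAME=value" line of TEXT into the
#   current shell without eval. Blank lines and "#" comments are skipped.
#   Returns 1 if any line is malformed (bad identifier, missing "=").
#
# Assumed call sites in secrets-entrypoint.sh (replacing the eval lines):
#   load_secrets "$(aws s3 cp "s3://${SECRETS_BUCKET_NAME}/db_credentials.txt" -)"
#   load_secrets "$(aws --region "$AWS_REGION" ssm get-parameters-by-path \
#                   --path "$PARAM_ROOT" --with-decryption | jq -r '...')"
load_secrets() {
    _rc=0
    # The here-document keeps the loop in the current shell (a pipe would
    # run it in a subshell and the exports would vanish). "|| [ -n ... ]"
    # still processes a last line that has no trailing newline.
    while IFS= read -r _line || [ -n "$_line" ]; do
        case "$_line" in
            ''|'#'*) continue ;;            # skip blanks and comments
        esac
        _line="${_line#export }"            # tolerate the jq "export " prefix
        _name="${_line%%=*}"
        _value="${_line#*=}"
        # The name must be a shell identifier: letters, digits, "_",
        # not starting with a digit. Anything else is rejected, never executed.
        case "$_name" in
            *[!A-Za-z0-9_]*|[0-9]*|'') _rc=1; continue ;;
        esac
        if [ "$_name" = "$_line" ]; then    # no "=" separator at all
            _rc=1
            continue
        fi
        # Single argument to export: the value stays data, whatever it contains.
        export "$_name=$_value"
    done <<EOF
$1
EOF
    unset _line _name _value
    return $_rc
}

# Demo with constructed sample lines (remove in the real entry-point, where
# the argument comes from the aws command). Only the name is printed, never
# the secret value.
load_secrets 'DB_USER=gateway
export DB_PASS=p@ss word;echo INJECTED' && printf 'loaded %s\n' DB_USER DB_PASS
```

    With this loader the "INJECTED" part of the sample value above ends up inside $DB_PASS instead of being run by eval, and a parameter named like "9BAD" or a line without "=" makes the entry-point fail closed rather than start the gateway with a half-loaded environment.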