S3 accounts for repos
Brian LaMere
brian at cukerinteractive.com
Fri Sep 10 17:57:39 UTC 2010
I completely forgot to bring this up at the meeting yesterday. Are there
any thoughts on this? Do the powers-that-be understand the argument for
having multiple accounts?
Brian
On Tue, Aug 31, 2010 at 7:56 PM, Brian LaMere <brian at cukerinteractive.com> wrote:
> Regardless how MirrorManager is made to work, the content itself will need
> to come from S3; I think that's in agreement, right?
>
> When I talked to Ben and Nathan at Amazon about it, Ben mentioned that it
> is best to have an S3 account per region for large sites; I agreed, and have
> already experienced why this is the case. I can go over the reasons more
> extensively if the group would like, but they can be summed up with a single
> word: "security." I'll give two short examples, both based on what could
> happen between Matt and me working on getting MirrorManager in AWS.
>
> While working on the code to get MirrorManager to have an S3 back-end, say
> I accidentally send the keypair in an email, or worse - in an email to a
> list. Immediately failing over to the second keypair (accounts can only
> have two keypairs, and only one should be used at a time except for when
> you're changing the keys; the second allows for seamless switches to a new
> keypair, as you leave both active until the process is complete, then
> deactivate the old one). Having the keys be per-region minimizes the impact
> of this problem; there was a temporary exposure, but it wasn't a /global/
> exposure, which means we can safely treat the contents of all the other
> regions as clean/untainted still, and either sync from one region to another
> to make sure nothing happened during the exposure, or at the very worst only
> have one repo to rebuild.
>
> As another example, to help Matt with getting S3 as a backend for
> MirrorManager, I would have my productivity greatly increased by having
> access to the keypair. Is the only thing on the official fedora account the
> S3-backed repositories? I wouldn't think so. However, that keypair allows
> access to *everything* at AWS. There is nothing sacred from that keypair; I
> can use it to put a pubkey in the authorized_keys file of root on all the
> ec2 instances then do things on the servers as root on the servers - as an
> example. That keypair is godmode for *all* of the AWS services. Making
> distinct per-region accounts that are used just to do S3 buckets protects
> you from this. Matt could give me a normal login account on an ec2 server
> so I could help test things, and I could use a keypair to work on S3 as a
> backend, without worrying that doing so meant I needed access to the
> god-mode keys.
>
> A key per role, per need, more or less. Ben started our convo by trying to
> sell me on multi-account setups, but didn't need to; I already work on a
> team that needs to insulate itself from mistakes, and from workers who may
> not be here next week (and who should therefore not have godmode keys).
> There are a number of other reasons for it, if I need to go on ;)
>
> Does that all make sense?
>
> Brian LaMere
>
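The "key per role, per need" scoping argued for above, written out as an added example that is not from this thread: an AWS IAM policy (IAM scopes a credential inside one account, used here as an alternative to the separate-accounts approach the mail describes) that lets a mirror-sync credential reach one region's bucket and nothing else. The bucket name is a placeholder.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyTheMirrorBucket",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::example-mirror-us-west-1"
    },
    {
      "Sid": "ReadWriteObjectsInThatBucketOnly",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::example-mirror-us-west-1/*"
    }
  ]
}
```

A key attached to this policy that leaks in an email can touch only this one bucket, so the other regions stay untainted and EC2 is out of reach; IAM users also carry two access keys, so the same keep-both-active-then-deactivate rotation described in the mail applies.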