Secure way to autosign CSRs by PuppetMaster in AWS environment with multiple accounts

asked 2016-10-25 23:27:18 -0600

PJ gravatar image

Hi guys !

I am trying to find a very secure way to autosign CSRs . I think of couple of ways to do it but the way that I guess will work for us is :

  • embed a Pre-Shared password in our AWS AMIs and Puppet Master and based on that we create a TOTP on agent and put it in CSR and when agent send CSR the Puppet Master which has the same Pre-Shared password can confirm TOTP and sign the certificate.

since our instances are in multiple accounts there is no way we can check things like instance_id to sign the certs. if you have any idea please share with me.

I also found this solution but I don't know how I can implement it in AWS environment

    inject totp password into the vm image:

run("setup one time password") {                                              
     totp =[:otp_secret], :interval => 120)                
     onetime =                                                         
     open("#{spec[:temp_dir]}/etc/puppet/csr_attributes.yaml", 'w') { |f|        
       f.puts """extension_requests:                                             
   pp_preshared_key: #{onetime}                                                  

place the following in puppet.conf:

autosign        = /usr/bin/autosign.rb

and place the following code in /usr/bin/autosign.rb:

 onetime = nil                                                                   
 cert.attributes.each do |a|                                                     
   onetime = a.value.value[0].value[0].value[1].value                            

 totp ='SECRET_KEY', :interval=>120)
 verify = totp.verify_with_drift(onetime, 120)
edit retag flag offensive close merge delete